tests: add rule type check for flowbits #1438
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| alert ip any any -> any any (msg:"isset rule need an option"; flowbits:isset; sid:1;) | ||
| alert ip any any -> any any (msg:"isnotset rule need an option"; flowbits:isnotset; sid:2) | ||
|
There was a problem hiding this comment. In addition to the lack of a name for the flowbits variable, this rule would also result in a parse error because it lacks the |
||
| alert ip any any -> any any (msg:"set rule need an option"; flowbits:set; sid:3;) | ||
| alert ip any any -> any any (msg:"unset rule need an option"; flowbits:unset; sid:4;) | ||
| alert ip any any -> any any (msg:"toggle rule need an option"; flowbits:toggle; sid:5;) | ||
|
There was a problem hiding this comment. Let's also have a rule for the There was a problem hiding this comment. And rules that take into account the ored flowbits https://github.com/OISF/suricata-verify/blob/master/tests/detect-flowbits/test.rules#L3 ;) |
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| requires: | ||
| min-version: 7.0.0 | ||
| pcap: false | ||
|
|
||
| args: | ||
| - --engine-analysis | ||
|
|
||
| checks: | ||
| - filter: | ||
| filename: rules.json | ||
| count: 1 | ||
| match: | ||
| id: 1 | ||
| lists.packet.matches[0].name: "flowbits" | ||
| lists.packet.matches[0].flowbits.option: "isset" | ||
|
There was a problem hiding this comment. The checks use |
||
| - filter: | ||
| filename: rules.json | ||
| count: 1 | ||
| match: | ||
| id: 2 | ||
| lists.packet.matches[0].name: "flowbits" | ||
| lists.packet.matches[0].flowbits.option: "isnotset" | ||
| - filter: | ||
| filename: rules.json | ||
| count: 1 | ||
| match: | ||
| id: 3 | ||
| lists.packet.matches[0].name: "flowbits" | ||
| lists.packet.matches[0].flowbits.option: "set" | ||
| - filter: | ||
| filename: rules.json | ||
| count: 1 | ||
| match: | ||
| id: 4 | ||
| lists.packet.matches[0].name: "flowbits" | ||
| lists.packet.matches[0].flowbits.option: "unset" | ||
| - filter: | ||
| filename: rules.json | ||
| count: 1 | ||
| match: | ||
| id: 5 | ||
| lists.packet.matches[0].name: "flowbits" | ||
| lists.packet.matches[0].flowbits.option: "toggle" | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As seen in the flowbits documentation, this keyword needs two values, so all the rules written here will result in a parse error due to the lack of the second field.
(cf https://docs.suricata.io/en/latest/rules/flow-keywords.html#flowbits)
Tip: when an SV test fails with
FAILED: got exit code 1, expected 0this indicates that Suricata finished with an error state, so to debug such cases you should check theoutputdirectory in the test folder and see what's instderr.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what to pass as the second value? I have changed the code for DETECT-FLOWBITS case so that the name is being stored in
ored_variablesarray, should I pass this array as the second value?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The second value is a variable name, and as such it's not predefined. Just like a code variable, it is user-defined. Does this clear up?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, okay, that makes sense. Thanks!