From 277bc5016f5a5160a463fec5806796114c9a306b Mon Sep 17 00:00:00 2001 
From: Victor Julien
Date: Mon, 13 Jun 2022 08:08:25 +0200
Subject: [PATCH 1/3] tests: flowbit prefilter tests
---
 .../flowbit-prefilter.rules | 10 ++++++
 tests/flowbits-prefilter-01/test.yaml | 19 +++++++++++
 .../flowbit-prefilter-tx.rules | 10 ++++++
 tests/flowbits-prefilter-02-auto/test.yaml | 32 +++++++++++++++++++
 .../flowbit-prefilter.rules | 2 ++
 tests/flowbits-prefilter-03/test.yaml | 19 +++++++++++
 .../flowbit-prefilter.rules | 10 ++++++
 .../flowbits-prefilter-04-pkt-auto/test.yaml | 20 ++++++++++++
 .../flowbit-prefilter.rules | 2 ++
 tests/flowbits-prefilter-05-onedir/test.yaml | 19 +++++++++++
 .../flowbit-prefilter.rules | 4 +++
 tests/flowbits-prefilter-06-opdir/test.yaml | 19 +++++++++++
 .../flowbit-prefilter-tx.rules | 10 ++++++
 .../flowbits-prefilter-07-tx-onedir/test.yaml | 31 ++++++++++++++++++
 .../flowbit-prefilter-tx.rules | 10 ++++++
 .../flowbits-prefilter-08-tx-opdir/test.yaml | 29 +++++++++++++++++
 .../flowbit-prefilter.rules | 2 ++
 .../test.yaml | 19 +++++++++++
 .../flowbit-prefilter.rules | 2 ++
 .../test.yaml | 19 +++++++++++
 .../flowbit-prefilter.rules | 10 ++++++
 .../flowbits-prefilter-11-pkt-auto/test.yaml | 20 ++++++++++++
 22 files changed, 318 insertions(+)
 create mode 100644 tests/flowbits-prefilter-01/flowbit-prefilter.rules
 create mode 100644 tests/flowbits-prefilter-01/test.yaml
 create mode 100644 tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules
 create mode 100644 tests/flowbits-prefilter-02-auto/test.yaml
 create mode 100644 tests/flowbits-prefilter-03/flowbit-prefilter.rules
 create mode 100644 tests/flowbits-prefilter-03/test.yaml
 create mode 100644 tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules
 create mode 100644 tests/flowbits-prefilter-04-pkt-auto/test.yaml
 create mode 100644 tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules
 create mode 100644 tests/flowbits-prefilter-05-onedir/test.yaml
 create mode 100644 tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules
 create mode 100644 
tests/flowbits-prefilter-06-opdir/test.yaml
 create mode 100644 tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules
 create mode 100644 tests/flowbits-prefilter-07-tx-onedir/test.yaml
 create mode 100644 tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules
 create mode 100644 tests/flowbits-prefilter-08-tx-opdir/test.yaml
 create mode 100644 tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules
 create mode 100644 tests/flowbits-prefilter-09-iponly-onedir/test.yaml
 create mode 100644 tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules
 create mode 100644 tests/flowbits-prefilter-10-iponly-opdir/test.yaml
 create mode 100644 tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules
 create mode 100644 tests/flowbits-prefilter-11-pkt-auto/test.yaml
diff --git a/tests/flowbits-prefilter-01/flowbit-prefilter.rules b/tests/flowbits-prefilter-01/flowbit-prefilter.rules
new file mode 100644
index 000000000..84b4bcb73
--- /dev/null
+++ b/tests/flowbits-prefilter-01/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-01/test.yaml b/tests/flowbits-prefilter-01/test.yaml
new file mode 100644
index 000000000..3ae4dc06d
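Review bot: The rules file gives no hint which packets of the shared ../flowbit-oring/input.pcap are meant to satisfy `dsize:10` (sid 12, the only rule that sets `never`) or `dsize:259` (sid 22, which test.yaml expects on pcap_cnt 6), so a reader cannot tell whether `never` is intended to stay unset or to be set on some packet. The 06-opdir variant annotates each rule with the packet it targets; the same convention would help here, e.g. a header comment above sid 11 along the lines of `# pkt 6 (259-byte response to client) sets rare+common; no packet is expected to match dsize:10, so never stays unset` — assuming that is the intent. The rules files of 04, 11 and 12 reuse this layout and would benefit from the same note.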
--- /dev/null
+++ b/tests/flowbits-prefilter-01/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules
new file mode 100644
index 000000000..453ac9be9
--- /dev/null
+++ b/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; http.stat_code; content:"200"; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202"; sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201"; sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200"; sid:33;)
diff --git a/tests/flowbits-prefilter-02-auto/test.yaml b/tests/flowbits-prefilter-02-auto/test.yaml
new file mode 100644
index 000000000..c8d7a2f11
--- /dev/null
+++ b/tests/flowbits-prefilter-02-auto/test.yaml
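Review bot: The checks only assert the two alerts that should fire; nothing asserts that sid 21 or sid 23 — the `isset,never` rules — stay silent, so a prefilter regression that lets an `isset` rule match without its flowbit being set would still pass this test. The 08-tx-opdir test.yaml in this same patch shows the pattern: a `- filter:` entry with `count: 0` and a `match:` block holding only `event_type: alert` and `alert.signature_id: 23`; adding such entries here for at least sids 21 and 23 would make the negative case explicit. The same gap exists in the test.yaml of 02, 03, 04, 05, 06, 07, 09, 10, 11, 12 and 13.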
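Review bot: This rules file is the 07-tx-onedir file with every `prefilter` keyword removed from sids 22-25, relying on `--set detect.prefilter.default=auto` in its test.yaml to produce the same four alerts (11, 22, 25, 33), but nothing in the file says so. A header comment such as `# same rules as 07-tx-onedir without explicit prefilter; test.yaml sets detect.prefilter.default=auto` would keep the two variants from silently drifting apart when one is edited.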
@@ -0,0 +1,32 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+ - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 25
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 33
diff --git a/tests/flowbits-prefilter-03/flowbit-prefilter.rules b/tests/flowbits-prefilter-03/flowbit-prefilter.rules
new file mode 100644
index 000000000..241295bd3
--- /dev/null
+++ b/tests/flowbits-prefilter-03/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_server; content:"GET"; flowbits:set,abc; sid:1;)
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:isset,abc; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-03/test.yaml b/tests/flowbits-prefilter-03/test.yaml
new file mode 100644
index 000000000..e1e325a42
--- /dev/null
+++ b/tests/flowbits-prefilter-03/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 4
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules b/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules
new file mode 100644
index 000000000..288d27264
--- /dev/null
+++ b/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (dsize:81; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-04-pkt-auto/test.yaml b/tests/flowbits-prefilter-04-pkt-auto/test.yaml
new file mode 100644
index 000000000..dcbf678bb
--- /dev/null
+++ b/tests/flowbits-prefilter-04-pkt-auto/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+ - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules b/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules
new file mode 100644
index 000000000..baaef1daa
--- /dev/null
+++ b/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:set,size; sid:1;)
+alert tcp any any -> any any (flowbits:isset,size; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-05-onedir/test.yaml b/tests/flowbits-prefilter-05-onedir/test.yaml
new file mode 100644
index 000000000..511f6a2fe
--- /dev/null
+++ b/tests/flowbits-prefilter-05-onedir/test.yaml
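Review bot: 04-pkt-auto and 11-pkt-auto ship a byte-identical test.yaml (both headers show blob dcbf678bb) and their rules files differ only in sid 12 (`dsize:81; flowbits:set,common` here versus `dsize:10; flowbits:set,never; flowbits:set,common` in 11), so the reason for keeping both variants is not visible from the files. In this file no rule sets `never` at all, so sids 21 and 23 can only alert through a bug, yet test.yaml does not assert on them. A one-line header comment in each rules file stating what the variant exercises — here, presumably, `# variant of 11-pkt-auto: never has no setter; common is set by dsize:81 instead of dsize:10` — would make the test matrix readable.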
@@ -0,0 +1,19 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules b/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules
new file mode 100644
index 000000000..38e0fde89
--- /dev/null
+++ b/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules
@@ -0,0 +1,4 @@
+# packet 6 to client
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:set,size; sid:1;)
+# packet 7 to server
+alert tcp any any -> any any (flow:to_server; tcp.flags:A; tcp.ack:2548486954; flowbits:isset,size; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-06-opdir/test.yaml b/tests/flowbits-prefilter-06-opdir/test.yaml
new file mode 100644
index 000000000..ad22ed860
--- /dev/null
+++ b/tests/flowbits-prefilter-06-opdir/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules
new file mode 100644
index 000000000..2580f754e
--- /dev/null
+++ b/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200"; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202"; sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201"; sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200"; sid:33;)
diff --git a/tests/flowbits-prefilter-07-tx-onedir/test.yaml b/tests/flowbits-prefilter-07-tx-onedir/test.yaml
new file mode 100644
index 000000000..4adc0e24e
--- /dev/null
+++ b/tests/flowbits-prefilter-07-tx-onedir/test.yaml
@@ -0,0 +1,31 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 25
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 33
diff --git a/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules
new file mode 100644
index 000000000..322f3627c
--- /dev/null
+++ b/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (http.request_line; content:"HTTP"; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,rare; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200"; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202"; sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201"; sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200"; sid:33;)
diff --git a/tests/flowbits-prefilter-08-tx-opdir/test.yaml b/tests/flowbits-prefilter-08-tx-opdir/test.yaml
new file mode 100644
index 000000000..5bd39217d
--- /dev/null
+++ b/tests/flowbits-prefilter-08-tx-opdir/test.yaml
@@ -0,0 +1,29 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 4
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 23
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 25
diff --git a/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules b/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules
new file mode 100644
index 000000000..ff690dd26
--- /dev/null
+++ b/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp 82.165.177.154 any -> any any (flowbits:set,set_by_iponly; sid:1;)
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:isset,set_by_iponly; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-09-iponly-onedir/test.yaml b/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
new file mode 100644
index 000000000..9c55438d0
--- /dev/null
+++ b/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 2
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules b/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules
new file mode 100644
index 000000000..f48f021f5
--- /dev/null
+++ b/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> 82.165.177.154 any (flowbits:set,set_by_iponly; sid:1;)
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:isset,set_by_iponly; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-10-iponly-opdir/test.yaml b/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
new file mode 100644
index 000000000..ea349689b
--- /dev/null
+++ b/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules b/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules
new file mode 100644
index 000000000..652560ebd
--- /dev/null
+++ b/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules
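Review bot: The IP-only rule `alert tcp 82.165.177.154 any -> any any (flowbits:set,set_by_iponly; sid:1;)` hard-codes an address taken from the shared pcap, and that address's position (source here, destination in 10-iponly-opdir) is the only thing distinguishing the two tests; nothing in the file says which packet or direction it is meant to hit. A comment above sid 1 in the style 06-opdir uses (`# packet 6 to client`) — here something like `# pkt 2, from the server side of the flow; 10-iponly-opdir sets the bit from pkt 1 instead` — would make the onedir/opdir intent explicit and tie the rule to the pcap_cnt values test.yaml asserts (2 here, 1 in 10). Whether pkt 2 is really the server side is inferred from the to_client rule that follows and should be confirmed against the pcap.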
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-11-pkt-auto/test.yaml b/tests/flowbits-prefilter-11-pkt-auto/test.yaml
new file mode 100644
index 000000000..dcbf678bb
--- /dev/null
+++ b/tests/flowbits-prefilter-11-pkt-auto/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+ - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
From 40b504b3782e2fcba81694f0115c5332bf096323 Mon Sep 17 00:00:00 2001 
From: Victor Julien
Date: Thu, 21 Nov 2024 13:24:05 +0100
Subject: [PATCH 2/3] SQUASH flowbit toggle
---
 .../flowbit-prefilter.rules | 10 ++++++
 tests/flowbits-prefilter-12-toggle/test.yaml | 19 ++++++++++++
 .../flowbit-prefilter-tx.rules | 10 ++++++
 .../test.yaml | 31 +++++++++++++++++++
 4 files changed, 70 insertions(+)
 create mode 100644 tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules
 create mode 100644 tests/flowbits-prefilter-12-toggle/test.yaml
 create mode 100644 tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules
 create mode 100644 tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
diff --git a/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules b/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules
new file mode 100644
index 000000000..72692c0c1
--- /dev/null
+++ b/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:toggle,rare; flowbits:toggle,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:toggle,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-12-toggle/test.yaml b/tests/flowbits-prefilter-12-toggle/test.yaml
new file mode 100644
index 000000000..3ae4dc06d
--- /dev/null
+++ b/tests/flowbits-prefilter-12-toggle/test.yaml
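Review bot: With `flowbits:toggle` the outcome depends on how many times each bit has been flipped before sid 22 evaluates, yet the test.yaml for this directory is byte-identical to 01's (blob 3ae4dc06d in both headers) and nothing records why toggling is expected to produce the same alerts as setting. As far as one can tell from the rules, sid 12 toggles `common` on any `dsize:10` packet; if such a packet preceded packet 6, sid 11's toggle on packet 6 would flip `common` back off and the expected sid 22 alert would not appear, so the test implicitly relies on the pcap containing no such packet. That dependency deserves a comment above sid 12, e.g. `# no dsize:10 packet precedes pkt 6 in input.pcap, so common is toggled on exactly once before sid 22 is evaluated`, and ideally a `count: 0` check for sid 23 in test.yaml; the pcap itself is not part of this patch, so the claim should be confirmed against it.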
@@ -0,0 +1,19 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules
new file mode 100644
index 000000000..8308e548e
--- /dev/null
+++ b/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:toggle,rare; flowbits:toggle,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:toggle,never; flowbits:toggle,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200"; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202"; sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201"; sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200"; sid:33;)
diff --git a/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml b/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
new file mode 100644
index 000000000..4adc0e24e
--- /dev/null
+++ b/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
@@ -0,0 +1,31 @@
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 25
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 33
From 4c25b0b7629eccf4075536392a28a12b3bd81e9e Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 21 Nov 2024 13:53:34 +0100
Subject: [PATCH 3/3] SQUASH flowbits prefilter min version
---
 tests/flowbits-prefilter-01/test.yaml | 3 +++
 tests/flowbits-prefilter-02-auto/test.yaml | 3 +++
 tests/flowbits-prefilter-03/test.yaml | 3 +++
 tests/flowbits-prefilter-04-pkt-auto/test.yaml | 3 +++
 tests/flowbits-prefilter-05-onedir/test.yaml | 3 +++
 tests/flowbits-prefilter-06-opdir/test.yaml | 3 +++
 tests/flowbits-prefilter-07-tx-onedir/test.yaml | 3 +++
 tests/flowbits-prefilter-08-tx-opdir/test.yaml | 3 +++
 tests/flowbits-prefilter-09-iponly-onedir/test.yaml | 3 +++
 tests/flowbits-prefilter-10-iponly-opdir/test.yaml | 3 +++
 tests/flowbits-prefilter-11-pkt-auto/test.yaml | 3 +++
 tests/flowbits-prefilter-12-toggle/test.yaml | 3 +++
 tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml | 3 +++
 13 files changed, 39 insertions(+)
diff --git a/tests/flowbits-prefilter-01/test.yaml b/tests/flowbits-prefilter-01/test.yaml
index 3ae4dc06d..5e035b078 100644
--- a/tests/flowbits-prefilter-01/test.yaml
+++ b/tests/flowbits-prefilter-01/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-02-auto/test.yaml b/tests/flowbits-prefilter-02-auto/test.yaml
index c8d7a2f11..d85993366 100644
--- a/tests/flowbits-prefilter-02-auto/test.yaml
+++ b/tests/flowbits-prefilter-02-auto/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-03/test.yaml b/tests/flowbits-prefilter-03/test.yaml
index e1e325a42..eff05ff86 100644
--- a/tests/flowbits-prefilter-03/test.yaml
+++ b/tests/flowbits-prefilter-03/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-04-pkt-auto/test.yaml b/tests/flowbits-prefilter-04-pkt-auto/test.yaml
index dcbf678bb..f7cbee51a 100644
--- a/tests/flowbits-prefilter-04-pkt-auto/test.yaml
+++ b/tests/flowbits-prefilter-04-pkt-auto/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-05-onedir/test.yaml b/tests/flowbits-prefilter-05-onedir/test.yaml
index 511f6a2fe..21f1557e3 100644
--- a/tests/flowbits-prefilter-05-onedir/test.yaml
+++ b/tests/flowbits-prefilter-05-onedir/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-06-opdir/test.yaml b/tests/flowbits-prefilter-06-opdir/test.yaml
index ad22ed860..1109bdf79 100644
--- a/tests/flowbits-prefilter-06-opdir/test.yaml
+++ b/tests/flowbits-prefilter-06-opdir/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-07-tx-onedir/test.yaml b/tests/flowbits-prefilter-07-tx-onedir/test.yaml
index 4adc0e24e..c9ee3b5c3 100644
--- a/tests/flowbits-prefilter-07-tx-onedir/test.yaml
+++ b/tests/flowbits-prefilter-07-tx-onedir/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-08-tx-opdir/test.yaml b/tests/flowbits-prefilter-08-tx-opdir/test.yaml
index 5bd39217d..ef603c8d2 100644
--- a/tests/flowbits-prefilter-08-tx-opdir/test.yaml
+++ b/tests/flowbits-prefilter-08-tx-opdir/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-09-iponly-onedir/test.yaml b/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
index 9c55438d0..424e9ff36 100644
--- a/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
+++ b/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-10-iponly-opdir/test.yaml b/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
index ea349689b..a48b42a5a 100644
--- a/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
+++ b/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-11-pkt-auto/test.yaml b/tests/flowbits-prefilter-11-pkt-auto/test.yaml
index dcbf678bb..f7cbee51a 100644
--- a/tests/flowbits-prefilter-11-pkt-auto/test.yaml
+++ b/tests/flowbits-prefilter-11-pkt-auto/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-12-toggle/test.yaml b/tests/flowbits-prefilter-12-toggle/test.yaml
index 3ae4dc06d..5e035b078 100644
--- a/tests/flowbits-prefilter-12-toggle/test.yaml
+++ b/tests/flowbits-prefilter-12-toggle/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args:
diff --git a/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml b/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
index 4adc0e24e..c9ee3b5c3 100644
--- a/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
+++ b/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../flowbit-oring/input.pcap
 args: