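--- /dev/null
+++ b/tests/rule-types/rule-types.rules
@@ -0,0 +1,40 @@
+alert tcp-stream any any -> any any (msg:"tcp-stream, no content"; sid:101;)
+alert tcp-stream any any -> any any (msg:"tcp-stream, simple content"; content:"abc"; sid:102;)
+alert tcp-stream any any -> any any (msg:"tcp-stream, anchored content"; content:"abc"; startswith; sid:103;)
+
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, no content"; sid:201;)
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, simple content"; content:"abc"; sid:202;)
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, anchored content"; content:"abc"; startswith; sid:203;)
+
+alert tcp any any -> any any (msg:"tcp, no content"; sid:301;)
+alert tcp any any -> any any (msg:"tcp, simple content"; content:"abc"; sid:302;)
+alert tcp any any -> any any (msg:"tcp, anchored content"; content:"abc"; startswith; sid:303;)
+
+alert tcp any any -> any any (msg:"tcp, pd negated"; app-layer-protocol:!http; sid:401;)
+alert tcp any any -> any any (msg:"tcp, pd positive"; app-layer-protocol:http; sid:402;)
+
+alert tcp any any -> any any (msg:"http, pos event"; app-layer-event:http.file_name_too_long; sid:501;)
+#alert tcp any any -> any any (msg:"http, neg event"; app-layer-event:!http.file_name_too_long; sid:502;)
+# TODO fix
+#alert tcp any any -> any any (msg:"http, unknown event"; app-layer-event:http.non_existing_event; sid:503;)
+
+alert http any any -> any any (msg:"http, no content"; sid:601;)
+alert http any any -> any any (msg:"http, simple content"; content:"abc"; sid:602;)
+alert http any any -> any any (msg:"http, anchored content"; content:"abc"; startswith; sid:603;)
+
+alert tcp any any -> any any (msg:"ttl"; ttl:123; sid:701;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:established; sid:702;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:not_established; sid:703;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:stateless; sid:704;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; prefilter; flow:stateless; sid:705;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:stateless; prefilter; sid:706;)
+
+alert http any any -> any any (uricontent:"abc"; sid:801;)
+alert http any any -> any any (content:"abc"; http_uri; sid:802;)
+alert http any any -> any any (http.uri; content:"abc"; sid:803;)
+
+alert tcp any any -> any any (msg:"byte_extract with dce"; byte_extract:4,0,var,dce; byte_test:4,>,var,4,little; sid:901;)
+alert tcp any any -> any any (msg:"byte_extract with dce"; dcerpc.stub_data; content:"abc"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)
+
+alert udp any any -> any any (msg:"UDP with flow direction"; flow:to_server; sid:1001;)
+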
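Review bot: The `# TODO fix` line sitting between the two commented-out rules (sids 502 and 503) does not say which case is broken or what result is expected, so a later reader cannot tell whether the negated app-layer-event match or the unknown event name is the open issue, nor when the rules may be re-enabled. Suggest one comment per disabled rule, e.g. `# disabled (TODO): app-layer-event negation — expected type: <fill in>` above sid 502 and `# disabled (TODO): unknown event name — expected engine behaviour: <fill in>` above sid 503, with the placeholders filled in by whoever knows the failure. Separately, the six ttl rules (sids 701–706) all carry the same `msg:"ttl"`; distinct messages such as `msg:"ttl, flow:stateless, prefilter"` would make a failing check in test.yaml easier to map back to the rule under test.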
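--- /dev/null
+++ b/tests/rule-types/test.yaml
@@ -0,0 +1,162 @@
+requires:
+min-version: 7
+pcap: false
+args:
+- --engine-analysis
+checks:
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 101
+type: "ip_only"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 102
+type: "stream"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 201
+type: "ip_only"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 202
+type: "pkt"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 203
+type: "pkt"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 301
+type: "ip_only"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 302
+type: "stream"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 303
+type: "pkt_stream"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 401
+type: "pd_only"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 402
+type: "pd_only"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 501
+type: "app_tx"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 601
+type: "app_layer"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 602
+type: "stream"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 603
+type: "pkt_stream"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 701
+type: "pkt"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 702
+type: "pkt"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 703
+type: "pkt"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 704
+type: "pkt"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 705
+type: "pkt"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 706
+type: "pkt"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 801
+type: "app_tx"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 802
+type: "app_tx"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 803
+type: "app_tx"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 901
+type: "stream"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 902
+type: "app_tx"
+- filter:
+filename: rules.json
+count: 1
+match:
+id: 1001
+type: "pkt"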
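Review bot: Sid 103 (`tcp-stream, anchored content`, the `startswith` variant) is loaded from rule-types.rules but has no check in this file, so the engine-analysis type for an anchored content on a tcp-stream rule is never asserted, while its tcp-pkt and tcp twins are (203 → `"pkt"`, 303 → `"pkt_stream"`). Nothing on the page says the omission is deliberate; if it is not, a filter for id 103 should be added alongside the 102 check, and the expected type must be confirmed against the engine output rather than guessed, since I cannot derive it from the other checks. A short comment at the top of `checks:` stating that every active sid in rule-types.rules has exactly one entry here would make such gaps visible in future reviews.
```yaml
# … unchanged: checks for ids 101 and 102 …
  - filter:
      filename: rules.json
      count: 1
      match:
        id: 103
        type: "<expected type — confirm from engine-analysis output>"
# … unchanged: checks for ids 201 onward …
```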