detect-lua: add tests #1086

Closed
1 change: 1 addition & 0 deletions tests/detect-lua/README.md
@@ -0,0 +1 @@
Test http buffer
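Review bot: the single line "Test http buffer" undersells what this directory covers and does not match the rules, so it needs expanding: test1.lua to test3.lua drive a flowvar counter over the http.request_headers, payload and packet buffers, test4.lua to test6.lua drive a flowint counter over http.request_headers using the Get/Set, Incr and Decr primitives, and test.yaml expects only sid 3 to alert (count 2) with every other sid at 0. Listing each script beside the buffer and primitive it exercises, and the expected alert count, would let a reader check test.yaml against the intent instead of reverse-engineering it.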
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to see more details here, like listing the different buffers that are mentioned to be tested by the unittests, and which scripts are covering what.

Binary file added tests/detect-lua/input.pcap
12 changes: 12 additions & 0 deletions tests/detect-lua/suricata.yaml
@@ -0,0 +1,12 @@
%YAML 1.1
---

outputs:
- eve-log:
enabled: yes
filetype: regular
filename: eve.json
types:
- alert
- flow
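Review bot: the `types` list at the end of the hunk enables `alert` and `flow` but not `http`, while every check in test.yaml filters on `event_type: alert` and five of the six expect `count: 0`. A zero alert count cannot tell a rule that correctly did not match apart from HTTP that was never parsed or a script that failed to load; adding `- http` here, and a check on the number of http events in test.yaml, would give those zero expectations a positive anchor.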

Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For completeness, I think it's good to add http here, too.

6 changes: 6 additions & 0 deletions tests/detect-lua/test.rules
@@ -0,0 +1,6 @@
alert http any any -> any any (flow:to_server; lua:test1.lua; sid:1;)
alert tcp any any -> any any (flow:to_server; lua:test2.lua; sid:2;)
alert tcp any any -> any any (flow:to_server; lua:test3.lua; sid:3;)
alert http any any -> any any (flow:to_server; lua:test4.lua; sid:4;)
alert http any any -> any any (flow:to_server; lua:test4.lua; sid:5;)
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that this rule is using test4.lua instead of test5.lua.

alert http any any -> any any (flow:to_server; lua:test6.lua; sid:6;)
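Review bot: the fifth rule of the hunk (sid 5) references `lua:test4.lua` a second time, so it duplicates sid 4 and test5.lua, the only script using ScFlowintIncr, is never loaded; it should read `lua:test5.lua`. Since all six rules are otherwise identical apart from the script name, a short comment above each one naming the buffer and flow primitive it covers would make the expected counts in test.yaml reviewable from this file alone.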
38 changes: 38 additions & 0 deletions tests/detect-lua/test.yaml
@@ -0,0 +1,38 @@
requires:
features:
- HAVE_LUA

args:
- -k none
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: remove space in the beginning of the line.
For a pcap like this one, we should also add - --set stream.midstream=true


checks:
- filter:
count: 0
match:
event_type: alert
alert.signature_id: 1
- filter:
count: 0
match:
event_type: alert
alert.signature_id: 2
- filter:
count: 2
match:
event_type: alert
alert.signature_id: 3
- filter:
count: 0
match:
event_type: alert
alert.signature_id: 4
- filter:
count: 0
match:
event_type: alert
alert.signature_id: 5
- filter:
count: 0
match:
event_type: alert
alert.signature_id: 6
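Review bot: five of the six `checks` filters expect `count: 0`, so the test passes whether the Lua scripts run and return 0 or never execute at all; only sid 3 is asserted positively with `count: 2`. The counters in test1.lua to test3.lua need two inspections of the same flow to reach 2, and test6.lua needs two to decrement to 0, so the input should carry two requests on one flow so that each match path is reached at least once, or the file should gain a positive check (for example on `event_type: http`) alongside the alert filters. Note also that the sid 4 and sid 5 checks are redundant while test.rules loads test4.lua for both.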
27 changes: 27 additions & 0 deletions tests/detect-lua/test1.lua
@@ -0,0 +1,27 @@
function init (args)
local needs = {}
needs["http.request_headers"] = tostring(true)
needs["flowvar"] = {"cnt"}
return needs
end

function match(args)
a = ScFlowvarGet(0)
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've noticed that in the unittests the a versions of the tests were testing the SC variant of the lua functions, and currently we're losing this with these SV tests, so we must tackle this, too, somehow.

if a then
a = tostring(tonumber(a)+1)
print (a)
ScFlowvarSet(0, a, #a)
else
a = tostring(1)
print (a)
ScFlowvarSet(0, a, #a)
end

print ("pre check: " .. (a))
if tonumber(a) == 2 then
print "match"
return 1
end
return 0
end
return 0
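Review bot: `a = ScFlowvarGet(0)` assigns `a` without `local`, so it leaks into the script's global environment and persists between calls; declare it `local a`. The trailing `return 0` after the final `end` is a chunk-level return that the detection engine never consumes and should be dropped, and the `print` calls in `match` will write to stdout on every inspected request in the verify run, so they are better removed or guarded behind a debug flag.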
27 changes: 27 additions & 0 deletions tests/detect-lua/test2.lua
@@ -0,0 +1,27 @@
function init (args)
local needs = {}
needs["payload"] = tostring(true)
needs["flowvar"] = {"cnt"}
return needs
end

function match(args)
a = ScFlowvarGet(0)
if a then
a = tostring(tonumber(a)+1)
print (a)
ScFlowvarSet(0, a, #a)
else
a = tostring(1)
print (a)
ScFlowvarSet(0, a, #a)
end

print ("pre check: " .. (a))
if tonumber(a) == 2 then
print "match"
return 1
end
return 0
end
return 0
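Review bot: the `match` body is a verbatim copy of test1.lua with only the `needs` key changed to `payload`, so whatever is fixed there (global `a`, stray trailing `return 0`, debug prints) has to be applied here as well. A one-line comment at the top naming the buffer under test and the expected outcome (test.yaml expects count 0 for sid 2) would document why this variant is expected to behave differently from test3.lua.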
27 changes: 27 additions & 0 deletions tests/detect-lua/test3.lua
@@ -0,0 +1,27 @@
function init (args)
local needs = {}
needs["packet"] = tostring(true)
needs["flowvar"] = {"cnt"}
return needs
end

function match(args)
a = ScFlowvarGet(0)
if a then
a = tostring(tonumber(a)+1)
print (a)
ScFlowvarSet(0, a, #a)
else
a = tostring(1)
print (a)
ScFlowvarSet(0, a, #a)
end

print ("pre check: " .. (a))
if tonumber(a) == 2 then
print "match"
return 1
end
return 0
end
return 0
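Review bot: this is the same copy of test1.lua with `packet` as the buffer, and it is the only script test.yaml expects to alert (`count: 2` for sid 3), yet nothing in the file says so. Add a comment explaining why the flowvar counter reaches 2 here and not in the http and payload variants; without that, a future change to input.pcap that flips the count will be hard to diagnose, and the same local/trailing-return/print cleanups apply.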
24 changes: 24 additions & 0 deletions tests/detect-lua/test4.lua
@@ -0,0 +1,24 @@
function init (args)
local needs = {}
needs["http.request_headers"] = tostring(true)
needs["flowint"] = {"cnt"}
return needs
end

function match(args)
print "inspecting"
a = ScFlowintGet(0)
if a then
ScFlowintSet(0, a + 1)
else
ScFlowintSet(0, 1)
end

a = ScFlowintGet(0)
if a == 2 then
print "match"
return 1
end
return 0
end
return 0
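Review bot: the `if a then ScFlowintSet(0, a + 1) else ScFlowintSet(0, 1) end` sequence followed by a second `ScFlowintGet(0)` reimplements what `ScFlowintIncr(0)` does in one call in test5.lua; that is fine as deliberate coverage of the Get/Set pair, but state it in a comment so the duplication is not mistaken for an oversight. `a` should be `local`, and the trailing chunk-level `return 0` can go.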
17 changes: 17 additions & 0 deletions tests/detect-lua/test5.lua
@@ -0,0 +1,17 @@
function init (args)
local needs = {}
needs["http.request_headers"] = tostring(true)
needs["flowint"] = {"cnt"}
return needs
end

function match(args)
print "inspecting"
a = ScFlowintIncr(0)
if a == 2 then
print "match"
return 1
end
return 0
end
return 0
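Review bot: this script is never loaded as the PR stands, because test.rules references test4.lua for sid 5; once that is corrected, the `count: 0` expectation for sid 5 in test.yaml should be revisited, since `ScFlowintIncr(0)` returning 2 on the second inspection of one flow is exactly the match this script is meant to demonstrate. Make `a` local and drop the trailing `return 0`.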
22 changes: 22 additions & 0 deletions tests/detect-lua/test6.lua
@@ -0,0 +1,22 @@
function init (args)
local needs = {}
needs["http.request_headers"] = tostring(true)
needs["flowint"] = {"cnt"}
return needs
end

function match(args)
print "inspecting"
a = ScFlowintGet(0)
if a == nil then
print "new var set to 2"
ScFlowintSet(0, 2)
end
a = ScFlowintDecr(0)
if a == 0 then
print "match"
return 1
end
return 0
end
return 0
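Review bot: on the first inspection `ScFlowintGet(0)` is nil, the var is set to 2 and immediately decremented to 1 by `ScFlowintDecr(0)`, so `a == 0` can only hold on a second inspection of the same flow; with test.yaml expecting `count: 0` for sid 6, the decrement-to-zero path is never exercised. Either the pcap should carry two requests in one flow or the check should assert a positive count, otherwise the Decr primitive is only shown to not crash. `a` is global here too.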
13 changes: 13 additions & 0 deletions tests/detect-lua/writepcap.py
@@ -0,0 +1,13 @@
#!/usr/bin/env python
from scapy.all import *

pkts = []

pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
Dot1Q(vlan=6)/ \
IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80, flags='P''A')/"POST / HTTP/1.1\r\nHost: www.emergingthreats.net\r\n\r\n"
pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
Dot1Q(vlan=6)/ \
IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=80, dport=53, flags='P''A')/"POST / HTTP/1.1\r\nHost: www.openinfosecfoundation.org\r\n\r\n"
Comment on lines +6 to +11
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the unittests, we have two requests to the server, while here we see packets to different directions.


wrpcap('input.pcap', pkts)
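Review bot: the two packets keep src 192.168.1.5 and dst 192.168.1.1 but swap the ports (sport=53/dport=80, then sport=80/dport=53), so they form two different TCP 5-tuples rather than two requests on one flow, which is why none of the per-flow counters in the scripts can reach 2. Use the same client port for both requests, and an ephemeral one rather than 53, a port conventionally associated with DNS, so HTTP detection is not competing with another protocol. Both packets also carry PA flags with no handshake, which is why `stream.midstream=true` is needed as suggested on test.yaml. Finally, `flags='P''A'` is just adjacent string literal concatenation to 'PA' and reads more clearly as `flags='PA'`.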