s-v features + s-v bug fixes + tests for Bug 5379/v9

run.py

@@ -187,16 +187,14 @@ def is_equal(self, a, b):
           - 4.0 would match 4.0.x.
           - 4.0.3 would match only 4.0.3.
         """
-        if not a.major == b.major:
+        if a.major != b.major:
             return False
 
-        if a.minor is not None and b.minor is not None:
-            if a.minor != b.minor:
-                return False
+        if a.minor is not None and b.minor is not None and a.minor >= 0 and b.minor >= 0 and a.minor != b.minor:
+            return False
 
-        if a.patch is not None and b.patch is not None:
-            if a.patch != b.patch:
-                return False
+        if a.patch is not None and b.patch is not None and a.patch >= 0 and b.patch >= 0 and a.patch != b.patch:
+            return False
 
         return True
 
@@ -397,13 +395,26 @@ def run(self):
 
 class ShellCheck:
 
-    def __init__(self, config, env):
+    def __init__(self, config, env, suricata_config):
         self.config = config
         self.env = env
+        self.suricata_config = suricata_config
 
     def run(self):
+        shell_args = {}
         if not self.config or "args" not in self.config:
             raise TestError("shell check missing args")
+        req_version = self.config.get("version")
+        min_version = self.config.get("min-version")
+        lt_version = self.config.get("lt-version")
+        if req_version is not None:
+            shell_args["version"] = req_version
+        if min_version is not None:
+            shell_args["min-version"] = min_version
+        if lt_version is not None:
+            shell_args["lt-version"] = lt_version
+        check_requires(shell_args, self.suricata_config)
+
         try:
             if WIN32:
                 print("skipping shell check on windows")
@@ -732,7 +743,7 @@ def perform_filter_checks(self, check, count, test_num, test_name):
 
     @handle_exceptions
     def perform_shell_checks(self, check, count, test_num, test_name):
-        count = ShellCheck(check, self.build_env()).run()
+        count = ShellCheck(check, self.build_env(), self.suricata_config).run()
         return count
 
     @handle_exceptions

tests/pcre-invalid-rule-01/test.yaml

@@ -1,5 +1,5 @@
 requires:
-    min-version: 7.0
+    min-version: 6
 
 checks:
 
@@ -24,6 +24,7 @@ checks:
         expect: 1
 
     - shell:
+        min-version: 7
         args: grep -o "use a sticky.*\"data from tracked files" suricata.log | wc -l | xargs
         expect: 1
 

tests/smb2-07/test.yaml

@@ -11,7 +11,7 @@ args:
 
 checks:
   - filter:
-      version: 6
+      version: 6.0.0  # FIXME ref: https://redmine.openinfosecfoundation.org/issues/5820
       count: 58
       match:
         event_type: smb

tests/smtp-eve/test.yaml

@@ -64,7 +64,7 @@ checks:
       src_port: 1470
       tx_id: 0
 - filter:
-    version: 6
+    version: 6.0.0 # FIXME ref: https://redmine.openinfosecfoundation.org/issues/5821
     count: 1
     match:
       app_proto: smtp

tests/tcp-5379/README.md

@@ -0,0 +1,8 @@
+Description
+===========
+Illustration that if there are trailing bytes in a TCP packet, unlike UDP, TCP parses the
+correct data and alerts on it too.
+
+PCAP
+====
+Created with Scapy.

tests/tcp-5379/test.rules

@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"Ends with AAA"; content:"AAA"; endswith; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"Ends with DDD"; content:"DDD"; endswith; sid:2; rev:1;)

tests/tcp-5379/test.yaml

@@ -0,0 +1,13 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 2

tests/udp-5379/udp-hlen-invalid-non-strict/README.md

@@ -0,0 +1,7 @@
+Description
+===========
+Test to check that the use of decoder event udp.hlen_invalid in rule issues warning.
+
+PCAP
+====
+Created with Scapy.

tests/udp-5379/udp-hlen-invalid-non-strict/test.rules

@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)

tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml

@@ -0,0 +1,19 @@
+exit-code: 0
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config"    \
+      --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR}         \
+      --set threshold-file="${TEST_DIR}/threshold.config"                                   \
+      -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules 
+
+checks:
+    - shell:
+        version: 7
+        args: |-
+          grep "Warning: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+        expect: 1
+    - shell:
+        version: 6
+        args: |-
+          grep "\[ERRCODE: SC_WARN_DEPRECATED(203)\] - decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+        expect: 1

tests/udp-5379/udp-hlen-invalid-strict/README.md

@@ -0,0 +1,7 @@
+Description
+===========
+Test to check that the use of decoder event udp.hlen_invalid in rule issues an error.
+
+PCAP
+====
+Created with Scapy.

tests/udp-5379/udp-hlen-invalid-strict/test.rules

@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)

tests/udp-5379/udp-hlen-invalid-strict/test.yaml

@@ -0,0 +1,20 @@
+exit-code: 0
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config"    \
+      --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR}         \
+      --set threshold-file="${TEST_DIR}/threshold.config"                                   \
+      -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules      \
+      --strict-rule-keywords=all
+
+checks:
+    - shell:
+        version: 7
+        args: |-
+          grep "Error: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+        expect: 1
+    - shell:
+        version: 6
+        args: |-
+          grep "\[ERRCODE: SC_WARN_DEPRECATED(203)\] - decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+        expect: 1

tests/udp-5379/udp-len-invalid/README.md

@@ -0,0 +1,8 @@
+Description
+===========
+Test to check that the new decoder event udp.len_invalid actually matches on network data
+that fulfill the criteria: Packet length in UDP header < 8 Bytes.
+
+PCAP
+====
+Created with Scapy and edited to fit the usecase.

tests/udp-5379/udp-len-invalid/test.rules

@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid length field in the header"; decode-event:udp.len_invalid; classtype:protocol-command-decode; sid:2200220; rev:2;)

tests/udp-5379/udp-len-invalid/test.yaml

@@ -0,0 +1,16 @@
+args:
+- -k none
+- --set stats.decoder-events=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.decoder.event.udp.len_invalid: 1
+
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2200220

tests/udp-5379/udp-trailing-data/README.md

@@ -0,0 +1,8 @@
+Description
+===========
+Given that the packet has several trailing bytes, it fails to be processed properly.
+It should ideally not match the rule and alert.
+
+PCAP
+====
+PCAP comes from the redmine ticket [5379](https://redmine.openinfosecfoundation.org/issues/5379)

tests/udp-5379/udp-trailing-data/test.rules

@@ -0,0 +1 @@
+alert udp $EXTERNAL_NET :1024 <> $HOME_NET 0 (msg:"UDP Port 0"; sid:1;)

tests/udp-5379/udp-trailing-data/test.yaml

@@ -0,0 +1,8 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 1