Merge pull request #764 from wazuh/749-pcre-regex-support

Tests for pcre2 regex type for rules and decoders

tools/rules-testing/decoders/test_osmatch_regex_decoders.xml

@@ -0,0 +1,28 @@
+<!-- regex tests  -->
+<decoder name="test_osmatch_1">
+  <program_name>^test_osmatch_1$</program_name>
+</decoder>
+
+<decoder name="test_osmatch_1_child">
+  <parent>test_osmatch_1</parent>
+  <regex>\S+ (\S+) (\w+) (\S+)</regex>
+  <order>url,action,querystring</order>
+</decoder>
+
+<!-- prematch tests-->
+<decoder name="test_osmatch_2">
+  <prematch>test_osmatch_2</prematch>
+</decoder>
+
+<decoder name="test_osmatch_2_child">
+  <parent>test_osmatch_2</parent>
+  <regex offset="after_parent">\S+ regex_example_(\d+)</regex>
+  <order>id</order>
+</decoder>
+
+<!-- action tests -->
+<decoder name="test_osmatch_3">
+  <program_name>^test_osmatch_3$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>action</order>
+</decoder>

tools/rules-testing/decoders/test_osregex_regex_decoders.xml

@@ -0,0 +1,101 @@
+<!-- action tests -->
+<decoder name="test_osregex_3">
+  <program_name>^test_osregex_3$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>action</order>
+</decoder>
+
+<!-- extra_data tests -->
+<decoder name="test_osregex_4">
+  <program_name>^test_osregex_4$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>extra_data</order>
+</decoder>
+
+<!-- id tests -->
+<decoder name="test_osregex_5">
+  <program_name>^test_osregex_5$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>id</order>
+</decoder>
+
+<!-- pre-decoding loaded fields -->
+<!-- location,hostname,program_name tests -->
+<decoder name="test_osregex_6">
+  <program_name>^test_osregex_6$</program_name>
+</decoder>
+
+<!-- match tests -->
+<decoder name="test_osregex_7">
+  <program_name>^test_osregex_7$</program_name>
+</decoder>
+
+<!-- protocol tests -->
+<decoder name="test_osregex_8">
+  <program_name>^test_osregex_8$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>protocol</order>
+</decoder>
+
+<!-- user tests -->
+<decoder name="test_osregex_9">
+  <program_name>^test_osregex_9$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>user</order>
+</decoder>
+
+<!-- url tests -->
+<decoder name="test_osregex_10">
+  <program_name>^test_osregex_10$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>url</order>
+</decoder>
+
+<!-- srcport tests -->
+<decoder name="test_osregex_11">
+  <program_name>^test_osregex_11$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>srcport</order>
+</decoder>
+
+<!-- dstport tests -->
+<decoder name="test_osregex_12">
+  <program_name>^test_osregex_12$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>dstport</order>
+</decoder>
+
+<!-- status tests -->
+<decoder name="test_osregex_13">
+  <program_name>^test_osregex_13$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>status</order>
+</decoder>
+
+<!-- system_name tests -->
+<decoder name="test_osregex_14">
+  <program_name>^test_osregex_14$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>system_name</order>
+</decoder>
+
+<!-- data tests -->
+<decoder name="test_osregex_15">
+  <program_name>^test_osregex_15$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>data</order>
+</decoder>
+
+<!-- srcgeoip tests -->
+<decoder name="test_osregex_16">
+  <program_name>^test_osregex_16$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>srcip</order>
+</decoder>
+
+ <!-- dstgeoip -->
+<decoder name="test_osregex_17">
+  <program_name>^test_osregex_17$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>dstip</order>
+</decoder>

tools/rules-testing/decoders/test_pcre2_regex_decoders.xml

@@ -0,0 +1,141 @@
+<!-- program_name tests -->
+<decoder name="test_pcre2_0">
+  <program_name type="osmatch">^(?i)test_</program_name>
+  <program_name type="osregex">pcre2_</program_name>
+  <program_name type="pcre2">0$</program_name>
+</decoder>
+
+<decoder name="test_pcre2_0_child">
+  <parent>test_pcre2_0</parent>
+  <regex type="pcre2">\S+ (\w+) (\w+)@(\d+.\d+.\d+.\d+):(\d+)</regex>
+  <regex> (\d+.\d+.\d+.\d+):(\d+)</regex>
+  <order>protocol,user,srcip,srcport,dstip,dstport</order>
+</decoder>
+
+<!-- regex tests  -->
+<decoder name="test_pcre2_1">
+  <program_name>^test_pcre2_1$</program_name>
+</decoder>
+
+<decoder name="test_pcre2_1_child">
+  <parent>test_pcre2_1</parent>
+  <regex>(?i)\S+ </regex>
+  <regex type="osregex">(\S+) </regex>
+  <regex>(\w+) </regex>
+  <regex type="pcre2">(\S+)</regex>
+  <order>url,action,querystring</order>
+</decoder>
+
+<!-- prematch tests-->
+<decoder name="test_pcre2_2">
+  <prematch type="osregex">(?i)test_pcre2_</prematch>
+  <prematch type="pcre2">2</prematch>
+</decoder>
+
+<decoder name="test_pcre2_2_child">
+  <parent>test_pcre2_2</parent>
+  <regex offset="after_parent">\S+ regex_example_(\d+)</regex>
+  <order>id</order>
+</decoder>
+
+<!-- action tests -->
+<decoder name="test_pcre2_3">
+  <program_name>^test_pcre2_3$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>action</order>
+</decoder>
+
+<!-- extra_data tests -->
+<decoder name="test_pcre2_4">
+  <program_name>^test_pcre2_4$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>extra_data</order>
+</decoder>
+
+<!-- id tests -->
+<decoder name="test_pcre2_5">
+  <program_name>^test_pcre2_5$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>id</order>
+</decoder>
+
+<!-- pre-decoding loaded fields -->
+<!-- location,hostname,program_name tests -->
+<decoder name="test_pcre2_6">
+  <program_name>^test_pcre2_6$</program_name>
+</decoder>
+
+<!-- match tests -->
+<decoder name="test_pcre2_7">
+  <program_name>^test_pcre2_7$</program_name>
+</decoder>
+
+<!-- protocol tests -->
+<decoder name="test_pcre2_8">
+  <program_name>^test_pcre2_8$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>protocol</order>
+</decoder>
+
+<!-- user tests -->
+<decoder name="test_pcre2_9">
+  <program_name>^test_pcre2_9$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>user</order>
+</decoder>
+
+<!-- url tests -->
+<decoder name="test_pcre2_10">
+  <program_name>^test_pcre2_10$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>url</order>
+</decoder>
+
+<!-- srcport tests -->
+<decoder name="test_pcre2_11">
+  <program_name>^test_pcre2_11$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>srcport</order>
+</decoder>
+
+<!-- dstport tests -->
+<decoder name="test_pcre2_12">
+  <program_name>^test_pcre2_12$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>dstport</order>
+</decoder>
+
+<!-- status tests -->
+<decoder name="test_pcre2_13">
+  <program_name>^test_pcre2_13$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>status</order>
+</decoder>
+
+<!-- system_name tests -->
+<decoder name="test_pcre2_14">
+  <program_name>^test_pcre2_14$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>system_name</order>
+</decoder>
+
+<!-- data tests -->
+<decoder name="test_pcre2_15">
+  <program_name>^test_pcre2_15$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>data</order>
+</decoder>
+
+<!-- srcgeoip tests -->
+<decoder name="test_pcre2_16">
+  <program_name>^test_pcre2_16$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>srcip</order>
+</decoder>
+
+ <!-- dstgeoip -->
+<decoder name="test_pcre2_17">
+  <program_name>^test_pcre2_17$</program_name>
+  <regex>\S+ (\S+)</regex>
+  <order>dstip</order>
+</decoder>

tools/rules-testing/rules/test_osmatch_regex_rules.xml

@@ -0,0 +1,52 @@
+<group name="qa,test">
+
+  <!-- Testing OSMATCH dynamic field. -->
+  <!-- Dec 19 17:20:08 ubuntu test_osmatch_1[12345]:test_field https://localhost GET format=json -->
+  <rule id="999902" level="3">
+    <decoded_as>test_osmatch_1</decoded_as>
+    <match>test_field</match>
+    <field name="querystring" type="osmatch" negate="yes">!format=json</field>
+    <description>Testing OSMATCH dynamic field double negation</description>
+  </rule>
+
+  <!-- Dec 19 17:20:08 ubuntu test_osmatch_1[12345]:test_field https://localhost GET format=raw -->
+  <rule id="999903" level="3">
+    <decoded_as>test_osmatch_1</decoded_as>
+    <match>test_field</match>
+    <field name="querystring" type="osmatch" negate="no">!format=xml</field>
+    <description>Testing OSMATCH dynamic field negation</description>
+  </rule>
+
+  <!-- Testing OSMATCH regex option. -->
+  <!-- test_osmatch_2 test_regex regex_example_0 -->
+  <rule id="999904" level="3">
+    <decoded_as>test_osmatch_2</decoded_as>
+    <match>test_regex</match>
+    <regex type="osmatch" negate="yes">!regex_example_0</regex>
+    <description>Testing OSMATCH regex double negation</description>
+  </rule>
+  <!-- test_osmatch_2 test_regex regex_example_1 -->
+  <rule id="999905" level="3">
+    <decoded_as>test_osmatch_2</decoded_as>
+    <match>test_regex</match>
+    <regex type="osmatch" negate="no">!regex_example_9</regex>
+    <description>Testing OSMATCH regex negation</description>
+  </rule>
+
+  <!-- Testing OSMATCH action option. -->
+  <!-- Dec 19 17:20:08 ubuntu test_osmatch_3[12345]:test_action action_example_1 -->
+  <rule id="999906" level="3">
+    <decoded_as>test_osmatch_3</decoded_as>
+    <match>test_action</match>
+    <action type="osmatch" negate="yes">!action_example_1</action>
+    <description>Testing OSMATCH action double negation</description>
+  </rule>
+  <!-- Dec 19 17:20:08 ubuntu test_osmatch_3[12345]:test_action action_example_9 -->
+  <rule id="999907" level="3">
+    <decoded_as>test_osmatch_3</decoded_as>
+    <match>test_action</match>
+    <action type="osmatch" negate="no">!action_example_0</action>
+    <description>Testing OSMATCH action negation</description>
+  </rule>
+
+</group>

tools/rules-testing/rules/test_osregex_regex_geoip_rules.xml

@@ -0,0 +1,35 @@
+<group name="qa,test">
+
+    <!-- Testing OSREGEX srcgeoip option. -->
+    <!-- Dec 19 17:20:08 ubuntu test_osregex_16[12345]:test_srcgeoip 41.78.120.9 -->
+    <rule id="999800" level="3">
+        <decoded_as>test_osregex_16</decoded_as>
+        <match>test_srcgeoip</match>
+        <srcgeoip type="osregex" negate="no">CF / Haut\pMbomou</srcgeoip>
+        <description>Testing OSREGEX srcgeoip</description>
+    </rule>
+    <!-- Dec 19 17:20:08 ubuntu test_osregex_16[12345]:test_srcgeoip 194.69.224.10 -->
+    <rule id="999801" level="3">
+        <decoded_as>test_osregex_16</decoded_as>
+        <match>test_srcgeoip</match>
+        <srcgeoip type="osregex" negate="yes">JP / Kuchoro\pgen\pya</srcgeoip>
+        <description>Testing OSREGEX srcgeoip negation</description>
+    </rule>
+
+    <!-- Testing OSREGEX dstgeoip option. -->
+    <!-- Dec 19 17:20:08 ubuntu test_osregex_17[12345]:test_dstgeoip 41.78.120.9 -->
+    <rule id="999802" level="3">
+        <decoded_as>test_osregex_17</decoded_as>
+        <match>test_dstgeoip</match>
+        <dstgeoip type="osregex" negate="no">CF / Haut\pMbomou</dstgeoip>
+        <description>Testing OSREGEX dspgeoip</description>
+    </rule>
+    <!-- Dec 19 17:20:08 ubuntu test_osregex_17[12345]:test_dstgeoip 194.69.224.10 -->
+    <rule id="999803" level="3">
+        <decoded_as>test_osregex_17</decoded_as>
+        <match>test_dstgeoip</match>
+        <dstgeoip type="osregex" negate="yes">JP / Kuchoro\pgen\pya</dstgeoip>
+        <description>Testing OSREGEX dspgeoip negation</description>
+    </rule>
+
+</group>