From 8355bc9aa5bccc42740ca5e2e9eb64d007e84b91 Mon Sep 17 00:00:00 2001 
From: Shivani Bhardwaj
Date: Thu, 9 Jan 2025 15:08:54 +0530
Subject: [PATCH] dataset/rep: add tests for error conditions

---
 .../datarep-bad-datarep-string/datarep.rules | 1 +
 .../datarep-bad-datarep-string/dns_string.rep | 1 +
 .../datarep-bad-datarep-string/suricata.yaml | 20 +++++++++++++++++
 .../datarep-bad-datarep-string/test.yaml | 22 +++++++++++++++++++
 .../datarep-bad-datarep-value/datarep.rules | 1 +
 .../datarep-bad-datarep-value/dns_string.rep | 1 +
 .../datarep-bad-datarep-value/suricata.yaml | 20 +++++++++++++++++
 .../datarep-bad-datarep-value/test.yaml | 22 +++++++++++++++++++
 .../datarep-datasets-mix/datasets.csv | 2 ++
 .../datarep-datasets-mix/suricata.yaml | 20 +++++++++++++++++
 .../datasets/datarep-datasets-mix/test.rules | 2 ++
 tests/datasets/datarep-datasets-mix/test.yaml | 19 ++++++++++++++++
 .../datasets-datarep-mix/datarep.rules | 1 +
 .../datasets-datarep-mix/dns_string.rep | 2 ++
 .../datasets-datarep-mix/suricata.yaml | 20 +++++++++++++++++
 tests/datasets/datasets-datarep-mix/test.yaml | 19 ++++++++++++++++
 16 files changed, 173 insertions(+)
 create mode 100644 tests/datasets/datarep-bad-datarep-string/datarep.rules
 create mode 100644 tests/datasets/datarep-bad-datarep-string/dns_string.rep
 create mode 100644 tests/datasets/datarep-bad-datarep-string/suricata.yaml
 create mode 100644 tests/datasets/datarep-bad-datarep-string/test.yaml
 create mode 100644 tests/datasets/datarep-bad-datarep-value/datarep.rules
 create mode 100644 tests/datasets/datarep-bad-datarep-value/dns_string.rep
 create mode 100644 tests/datasets/datarep-bad-datarep-value/suricata.yaml
 create mode 100644 tests/datasets/datarep-bad-datarep-value/test.yaml
 create mode 100644 tests/datasets/datarep-datasets-mix/datasets.csv
 create mode 100644 tests/datasets/datarep-datasets-mix/suricata.yaml
 create mode 100644 tests/datasets/datarep-datasets-mix/test.rules
 create mode 100644 tests/datasets/datarep-datasets-mix/test.yaml
 create mode 100644 tests/datasets/datasets-datarep-mix/datarep.rules
 create mode 100644 tests/datasets/datasets-datarep-mix/dns_string.rep
 create mode 100644 tests/datasets/datasets-datarep-mix/suricata.yaml
 create mode 100644 tests/datasets/datasets-datarep-mix/test.yaml

diff --git a/tests/datasets/datarep-bad-datarep-string/datarep.rules b/tests/datasets/datarep-bad-datarep-string/datarep.rules
new file mode 100644
index 000000000..7fc15e203
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-string/datarep.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:1;)
diff --git a/tests/datasets/datarep-bad-datarep-string/dns_string.rep b/tests/datasets/datarep-bad-datarep-string/dns_string.rep
new file mode 100644
index 000000000..e7da6df58
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-string/dns_string.rep
@@ -0,0 +1 @@
+Z29vZ2xlLm;NvbQ==,1
diff --git a/tests/datasets/datarep-bad-datarep-string/suricata.yaml b/tests/datasets/datarep-bad-datarep-string/suricata.yaml
new file mode 100644
index 000000000..bb94cf5cb
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-string/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Logging configuration. This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
+logging:
+ default-log-level: notice
+ outputs:
+ - console:
+ enabled: yes
+ # type: json
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
+ - syslog:
+ enabled: no
+ facility: local5
+ format: "[%i] <%d> -- "
diff --git a/tests/datasets/datarep-bad-datarep-string/test.yaml b/tests/datasets/datarep-bad-datarep-string/test.yaml
new file mode 100644
index 000000000..3ba4d10b5
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-string/test.yaml
@@ -0,0 +1,22 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none
+
+exit-code: 1
+
+checks:
+ - filter:
+ min-version: 8
+ filename: suricata.json
+ count: 1
+ match:
+ log_level: "Error"
+ event_type: "engine"
+ engine.message.__find: "bad base64 encoding dns_string"
diff --git a/tests/datasets/datarep-bad-datarep-value/datarep.rules b/tests/datasets/datarep-bad-datarep-value/datarep.rules
new file mode 100644
index 000000000..7fc15e203
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-value/datarep.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:1;)
diff --git a/tests/datasets/datarep-bad-datarep-value/dns_string.rep b/tests/datasets/datarep-bad-datarep-value/dns_string.rep
new file mode 100644
index 000000000..179cfc89d
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-value/dns_string.rep
@@ -0,0 +1 @@
+Z29vZ2xlLmNvbQ==,-1
diff --git a/tests/datasets/datarep-bad-datarep-value/suricata.yaml b/tests/datasets/datarep-bad-datarep-value/suricata.yaml
new file mode 100644
index 000000000..bb94cf5cb
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-value/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Logging configuration. This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
+logging:
+ default-log-level: notice
+ outputs:
+ - console:
+ enabled: yes
+ # type: json
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
+ - syslog:
+ enabled: no
+ facility: local5
+ format: "[%i] <%d> -- "
diff --git a/tests/datasets/datarep-bad-datarep-value/test.yaml b/tests/datasets/datarep-bad-datarep-value/test.yaml
new file mode 100644
index 000000000..20b06fc4c
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-value/test.yaml
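Review bot: The top-level `requires:` of this test.yaml (and of tests/datasets/datarep-bad-datarep-value/test.yaml in the next hunk) lists `features`/`files` but no `min-version`, while only the `engine.message.__find` check is gated behind the filter's `min-version: 8`; the two *-mix tests instead put `min-version: 8` under `requires:`. If the load-time rejection that `exit-code: 1` depends on is new in 8 (which the filter gating suggests but the hunk does not establish), an older binary would skip the message check yet still be held to the exit code, so the test either fails for the wrong reason or passes without verifying the error. Aligning both bad-datarep tests with the mix tests by adding `  min-version: 8` under `requires:` would keep the four tests consistent and make the version dependency explicit. The whole file is contained in this hunk.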
@@ -0,0 +1,22 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none
+
+exit-code: 1
+
+checks:
+ - filter:
+ min-version: 8
+ filename: suricata.json
+ count: 1
+ match:
+ log_level: "Error"
+ event_type: "engine"
+ engine.message.__find: "invalid datarep value dns_string"
diff --git a/tests/datasets/datarep-datasets-mix/datasets.csv b/tests/datasets/datarep-datasets-mix/datasets.csv
new file mode 100644
index 000000000..83907f184
--- /dev/null
+++ b/tests/datasets/datarep-datasets-mix/datasets.csv
@@ -0,0 +1,2 @@
+Y3VybC83LjQzLjA=
+YmxhaA==,1
diff --git a/tests/datasets/datarep-datasets-mix/suricata.yaml b/tests/datasets/datarep-datasets-mix/suricata.yaml
new file mode 100644
index 000000000..bb94cf5cb
--- /dev/null
+++ b/tests/datasets/datarep-datasets-mix/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Logging configuration. This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
+logging:
+ default-log-level: notice
+ outputs:
+ - console:
+ enabled: yes
+ # type: json
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
+ - syslog:
+ enabled: no
+ facility: local5
+ format: "[%i] <%d> -- "
diff --git a/tests/datasets/datarep-datasets-mix/test.rules b/tests/datasets/datarep-datasets-mix/test.rules
new file mode 100644
index 000000000..7cd7d6737
--- /dev/null
+++ b/tests/datasets/datarep-datasets-mix/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv; sid:1;)
+alert http any any -> any any (http.user_agent; dataset:isnotset,ua-seen,type string,load datasets.csv; sid:2;)
diff --git a/tests/datasets/datarep-datasets-mix/test.yaml b/tests/datasets/datarep-datasets-mix/test.yaml
new file mode 100644
index 000000000..977046eff
--- /dev/null
+++ b/tests/datasets/datarep-datasets-mix/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+exit-code: 1
+
+checks:
+ - filter:
+ min-version: 8
+ filename: suricata.json
+ count: 1
+ match:
+ log_level: "Error"
+ event_type: "engine"
+ engine.message.__find: "Cannot mix dataset and datarep values for set ua-seen"
diff --git a/tests/datasets/datasets-datarep-mix/datarep.rules b/tests/datasets/datasets-datarep-mix/datarep.rules
new file mode 100644
index 000000000..7fc15e203
--- /dev/null
+++ b/tests/datasets/datasets-datarep-mix/datarep.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:1;)
diff --git a/tests/datasets/datasets-datarep-mix/dns_string.rep b/tests/datasets/datasets-datarep-mix/dns_string.rep
new file mode 100644
index 000000000..49fe379a8
--- /dev/null
+++ b/tests/datasets/datasets-datarep-mix/dns_string.rep
@@ -0,0 +1,2 @@
+Z29vZ2xlLmNvbQ==,1
+YmxhaA==
diff --git a/tests/datasets/datasets-datarep-mix/suricata.yaml b/tests/datasets/datasets-datarep-mix/suricata.yaml
new file mode 100644
index 000000000..bb94cf5cb
--- /dev/null
+++ b/tests/datasets/datasets-datarep-mix/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Logging configuration. This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
+logging:
+ default-log-level: notice
+ outputs:
+ - console:
+ enabled: yes
+ # type: json
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
+ - syslog:
+ enabled: no
+ facility: local5
+ format: "[%i] <%d> -- "
diff --git a/tests/datasets/datasets-datarep-mix/test.yaml b/tests/datasets/datasets-datarep-mix/test.yaml
new file mode 100644
index 000000000..3eac84653
--- /dev/null
+++ b/tests/datasets/datasets-datarep-mix/test.yaml
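Review bot: The `min-version: 8` under the check's `filter:` is redundant in this test.yaml, since `requires:` already gates the entire test on `min-version: 8`; tests/datasets/datasets-datarep-mix/test.yaml in the last hunk repeats the same pairing. Keeping only the `requires:`-level key (or documenting why both are wanted) would make the four new test.yaml files easier to compare, which matters here because the two bad-datarep tests use a different `requires:` shape. All four tests also reuse `../../flowbit-oring/input.pcap` from another test, so a rename there silently breaks these load-time error checks; a short comment such as `# pcap content is irrelevant: the test exercises dataset load failure only` next to the `pcap:` line would make that explicit. The whole file is contained in this hunk.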
@@ -0,0 +1,19 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+exit-code: 1
+
+checks:
+ - filter:
+ min-version: 8
+ filename: suricata.json
+ count: 1
+ match:
+ log_level: "Error"
+ event_type: "engine"
+ engine.message.__find: "Cannot mix dataset and datarep values for set dns_string"