tests: add rule type check for flow.age

Ticket: #6312
OISF · Oct 22, 2024 · 3c38988 · 3c38988
1 parent 3e63cd1
commit 3c38988
Show file tree

Hide file tree

Showing 2 changed files with 108 additions and 0 deletions.
diff --git a/tests/rules/flow_age/test.rules b/tests/rules/flow_age/test.rules
@@ -0,0 +1,12 @@
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:19; sid:1;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:0x13; sid:2;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:!0x14; sid:3;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:!=20; sid:4;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:>21; sid:5;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:>=21; sid:6;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:<22; sid:7;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:<=22; sid:8;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:19-22; sid:9;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:!19-22; sid:10;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:&0xc0=0x80; sid:11;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:&0xc0!=0; sid:12;)
diff --git a/tests/rules/flow_age/test.yaml b/tests/rules/flow_age/test.yaml
@@ -0,0 +1,96 @@
+requires:
+    min-version: 8.0
+    pcap: false
+
+args:
+    - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.equal: 19
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.equal: 19
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 3
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.diff: 20
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 4
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.diff: 20
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 5
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.gt: 21
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 6
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.gte: 21
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 7
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.lt: 22
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 8
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.lte: 22
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 9
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.range.min: 19
+      lists.packet.matches[0].flow_age.range.max: 22
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 10
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.negated_range.min: 19
+      lists.packet.matches[0].flow_age.negated_range.max: 22
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 11
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.bitmask.mask: 192
+      lists.packet.matches[0].flow_age.bitmask.value: 128
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 12
+      lists.packet.matches[0].name: "flow.age"
+      lists.packet.matches[0].flow_age.negated_bitmask.mask: 192
+      lists.packet.matches[0].flow_age.negated_bitmask.value: 0