Adds tests for negated content and absent keyword

Ticket: 2224

tests/detect-absent-file-multi/README.md

@@ -0,0 +1,18 @@
+# Test Description
+
+Test `absent` keyword with files
+
+## PCAP
+
+Manually crafted with input
+```
+GET /noheaders HTTP/1.0
+
+HTTP/1.0 500 BAD
+Header1: value1
+
+```
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224

tests/detect-absent-file-multi/test.rules

@@ -0,0 +1,10 @@
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent: only; http.stat_code; content: "500"; sid:1;)
+alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;)
+alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;)
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent: only; sid:6;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;)
+
+alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent: only; http.uri; content: "noheaders"; sid:11;)

tests/detect-absent-file-multi/test.yaml

@@ -0,0 +1,52 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 7
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 10
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 11

tests/detect-absent-http-request-body/README.md

@@ -0,0 +1,14 @@
+# Test Description
+
+Test `absent` keyword with `http.request_body`
+
+## PCAP
+
+Manually crafted with server
+`python3 -m http.server`
+and client
+`curl -X POST http://127.0.0.1:8000/toto`
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224

tests/detect-absent-http-request-body/test.rules

@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent: only; http.method; content: "POST"; sid:1;)
+alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;)
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent: only; sid:5;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;)

tests/detect-absent-http-request-body/test.yaml

@@ -0,0 +1,37 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6

tests/detect-absent-negated-content/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test rules with negated content on buffers that are absent
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224

tests/detect-absent-negated-content/test.rules

@@ -0,0 +1,15 @@
+# This signature should alert with _any_  pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;)
+
+# Positive tests about alerts
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent:only; sid:8;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent:only; sid:9;)
+
+# reference test with positive and negated content
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent: only; sid:22;)

tests/detect-absent-negated-content/test.yaml

@@ -0,0 +1,52 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 7
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 8
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 9
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 20
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 21
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 22