From 3c3898889788c6375abc37589784177ec90ffb96 Mon Sep 17 00:00:00 2001
From: Alice Akaki
Date: Tue, 22 Oct 2024 18:38:47 -0400
Subject: [PATCH] tests: add rule type check for flow.age
Ticket: #6312
---
 tests/rules/flow_age/test.rules | 12 +++++
 tests/rules/flow_age/test.yaml | 96 +++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 tests/rules/flow_age/test.rules
 create mode 100644 tests/rules/flow_age/test.yaml
diff --git a/tests/rules/flow_age/test.rules b/tests/rules/flow_age/test.rules
new file mode 100644
index 000000000..ce04703c9
--- /dev/null
+++ b/tests/rules/flow_age/test.rules
@@ -0,0 +1,12 @@
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:19; sid:1;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:0x13; sid:2;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:!0x14; sid:3;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:!=20; sid:4;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:>21; sid:5;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:>=21; sid:6;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:<22; sid:7;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:<=22; sid:8;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:19-22; sid:9;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:!19-22; sid:10;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:&0xc0=0x80; sid:11;)
+alert tcp any any -> any any (msg:"Testing flow.age"; flow.age:&0xc0!=0; sid:12;)
diff --git a/tests/rules/flow_age/test.yaml b/tests/rules/flow_age/test.yaml
new file mode 100644
index 000000000..ebed50a0c
--- /dev/null
+++ b/tests/rules/flow_age/test.yaml
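Review bot: Every rule in this hunk carries the identical `msg:"Testing flow.age"`, so a failing filter in test.yaml or an unexpected alert cannot be tied back to the operator under test without reading the sid; per-operator messages such as `msg:"flow.age hex equal"` for sid 2 and `msg:"flow.age negated bitmask"` for sid 12 would make failures self-describing. The file also only exercises values the parser accepts, so it never confirms that a malformed `flow.age` value (a constructed example: an empty or non-numeric operand) is rejected at load time; a companion test expecting a non-zero exit would close that gap. The hex forms in sid 2 and sid 3 are the only place the decimal/hex equivalence is checked, which is worth a one-line comment at the top of the file.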
@@ -0,0 +1,96 @@
+requires:
+ min-version: 8.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.equal: 19
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.equal: 19
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.diff: 20
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.diff: 20
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.gt: 21
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.gte: 21
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.lt: 22
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.lte: 22
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 9
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.range.min: 19
+ lists.packet.matches[0].flow_age.range.max: 22
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.negated_range.min: 19
+ lists.packet.matches[0].flow_age.negated_range.max: 22
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 11
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.bitmask.mask: 192
+ lists.packet.matches[0].flow_age.bitmask.value: 128
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 12
+ lists.packet.matches[0].name: "flow.age"
+ lists.packet.matches[0].flow_age.negated_bitmask.mask: 192
+ lists.packet.matches[0].flow_age.negated_bitmask.value: 0
\ No newline at end of file
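Review bot: The file ends without a terminating newline (`\ No newline at end of file` on the last hunk line), which will surface as a spurious diff line on every future edit of the last filter; add a final newline. The checks for id 2 and id 3 depend on hex operands (`0x13`, `0x14`) being emitted as decimal `19` and `20` in rules.json, and for id 11 and id 12 on `0xc0`/`0x80` becoming `192`/`128`, but nothing in the file states that normalization is the property being tested; a short comment above the first filter, e.g. `# hex operands in test.rules are expected to appear as decimal values in rules.json`, would make the intent visible to whoever touches these values next. Each filter asserts `count: 1` on its own id, so a rule that fails to load is caught, which is the right shape for a parse-only test run with `pcap: false`.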