From 35ea6c1027ea63834d5c73fc76396482524ea135 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 20 Nov 2024 11:12:03 -0600
Subject: [PATCH] tests: add keyword check to requires test

Only for 8.0 for now.

requires-fail: With the change to unknown requires statements treated as not meeting requirements, update the rule to use an unknown keyword to make it fail out. This is to test an edge case from ticket #6710.

Ticket: #7403
---
 tests/requires-fail/README.md | 2 ++
 tests/requires-fail/test.rules | 2 +-
 tests/requires-ok/test.rules | 7 +++++--
 tests/requires-ok/test.yaml | 4 ++--
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/tests/requires-fail/README.md b/tests/requires-fail/README.md
index 847303f8c..40e1166fa 100644
--- a/tests/requires-fail/README.md
+++ b/tests/requires-fail/README.md
@@ -1,3 +1,5 @@
 Similar to `../requires-ok` but does include one rule that will fail to load. This is to test that a bad rule after "skipped" rule fails out and is not recorded as skipped.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/6710
diff --git a/tests/requires-fail/test.rules b/tests/requires-fail/test.rules
index 2d24c964f..87b016785 100644
--- a/tests/requires-fail/test.rules
+++ b/tests/requires-fail/test.rules
@@ -14,4 +14,4 @@ alert udp any any -> any any (vxlan_vni:10; requires: version >= 10; sid:2;)
 alert http any any => any any (requires: version >= 10; sid:3;)
 alert tcp any any -> any any (frame:smtp.not_supported; requires: version >= 10; sid:4;)
-alert asdf any any -> any any (requires: version >= 6, foo bar; sid:102; rev:1;)
+alert asdf any any -> any any (requires: version >= 6; foo: bar; sid:102; rev:1;)
diff --git a/tests/requires-ok/test.rules b/tests/requires-ok/test.rules
index eaa41a412..8c42bb80f 100644
--- a/tests/requires-ok/test.rules
+++ b/tests/requires-ok/test.rules
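Review bot: The rewritten sid:102 line in tests/requires-fail/test.rules now carries two independent reasons to fail loading — the `asdf` protocol and the unknown `foo: bar` keyword — and no comment says which one the test relies on, so a reader cannot tell why the requires part moved from `version >= 6, foo bar` to `version >= 6; foo: bar;`. Per the commit message the old malformed requires would now be treated as unmet and the rule would be skipped, which is exactly the outcome this rule exists to rule out. I would add above it `# requires is valid and met (>= 6); the unknown keyword "foo" must make this a failed rule, not a skipped one (ticket 6710).` If the invalid `asdf` protocol alone is meant to fail it as well, say so in the same comment so neither oddity gets "cleaned up" later.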
@@ -4,8 +4,11 @@ alert http any any -> any any (msg:"TEST Suricata >= 7 and < 8"; content:"uid=0"
 # Rule for Suricata >= 7.0.3 but less than 8... Or >= 8.0.1
 alert http any any -> any any (content:"uid=0"; requires: version >= 7.0.3 < 8 | >= 8.0.1; sid:9; rev:1;)
-# Rule for Suricata >= 8.
-alert http any any -> any any (msg:"TEST Suricata >= 8"; content:"uid=0"; requires: version >= 8.0.0; sid:8; rev:1;)
+# Rule for Suricata >= 8, with pretty useless check for sid keyword.
+alert http any any -> any any (msg:"TEST Suricata >= 8"; content:"uid=0"; requires: version >= 8.0.0, keyword sid; sid:8; rev:1;)
+
+# Requires unknown keyword, should be marked as skipped.
+alert http any any -> any any (msg:"TEST Requires unknown keyword"; requires: version >= 8, keyword foobar; sid:100; rev:1;)
 # These rules have something invalid about them, but do follow the general rule
 # structure, so should be eliminated by the requires statement.
diff --git a/tests/requires-ok/test.yaml b/tests/requires-ok/test.yaml
index 3e58b91f6..206132ddf 100644
--- a/tests/requires-ok/test.yaml
+++ b/tests/requires-ok/test.yaml
@@ -50,7 +50,7 @@ checks:
 count: 1
 match:
 event_type: stats
- stats.detect.engines[0].rules_skipped: 5
+ stats.detect.engines[0].rules_skipped: 6
 stats.detect.engines[0].rules_loaded: 2
 stats.detect.engines[0].rules_failed: 0
@@ -60,6 +60,6 @@ checks:
 count: 1
 match:
 event_type: stats
- stats.detect.engines[0].rules_skipped: 6
+ stats.detect.engines[0].rules_skipped: 7
 stats.detect.engines[0].rules_loaded: 1
 stats.detect.engines[0].rules_failed: 0
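Review bot: The comment added above sid:100 says the rule "should be marked as skipped" but not why, and the reason depends on the build: on 8.x it is the unknown `keyword foobar` (the unmet-requirement behaviour the commit message ties to ticket 6710), while on anything below 8 the `version >= 8` clause alone is unmet. I would spell that out, e.g. `# Unknown keyword in requires: skipped on 8.x because "foobar" is not a keyword; on older versions skipped by version >= 8 alone.` The sid:8 comment's "pretty useless check" would read better as `# keyword sid is always present, so this only exercises the keyword requires-type syntax on a rule that must still load.` Note the `keyword` requires-type is what both rules depend on, so the comment should make clear the test assumes the parser understands it rather than rejecting the whole requires statement.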
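Review bot: Both stats checks are bumped by one skipped rule — the block at -50 (rules_loaded: 2) and the block at -60 (rules_loaded: 1, which appears to be the older-version expectation) — even though the description says "Only for 8.0 for now". The second increment only holds if the older release's requires parser treats the new `keyword` type in sid:8 and sid:100 as either met or unmet, never as a parse failure; otherwise `rules_failed: 0` on that block would break rather than `rules_skipped: 7`. The hunks do not show which Suricata versions each block is gated on, so this is worth confirming, and a short comment above the second block such as `# pre-8 expectation: sid:100 skipped by version >= 8, sid:8 skipped by version >= 8.0.0` would record the intent.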