test/byte-vars: Restrict var usage to single-buffer

Add/modify test cases to use the `rule-strict-keywords` where
appropriate.

2 new test cases
- bytemath-07 Test 05 for release 8 and later
- bytemath-08 Using additional "lol" signature
- bytemath-09 Using additional "lol" signature

Issue: 1412

Author: jlucovsky

tests/bug-7549-01/test.yaml

@@ -1,6 +1,9 @@
 requires:
   min-version: 8
 
+args:
+  - --strict-rule-keywords
+
 checks:
   - shell:
         args: grep "Unknown byte_extract var seen.*rpkt_len" stderr | wc -l | xargs

tests/detect-bytemath-05/README.md

@@ -0,0 +1,3 @@
+This test is for Redmine issue https://redmine.openinfosecfoundation.org/issues/1412
+
+Ensure that variable usage is restricted to a single buffer

tests/detect-bytemath-07/test.rules

@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"byte_math varname test sig"; \
+    ipv4.hdr; byte_extract:1,5,rpkt_len,relative; \
+    byte_math:bytes rpkt_len, offset 1, oper +, rvalue 102, result result_val; \
+    tcp.hdr; byte_test: 1, =, result_val, 1, relative; \
+    sid:1;)

tests/detect-bytemath-07/test.yaml

@@ -0,0 +1,14 @@
+pcap: ../detect-bytemath-01/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- --strict-rule-keywords
+
+exit-code: 1
+
+checks:
+  - shell:
+     args: grep "Unknown byte_extract var seen in byte_test - result_val" suricata.log | wc -l | xargs
+     expect: 1

tests/detect-bytemath-08/test.rules

@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"byte_extract Test"; \
+        flow:established,to_client; \
+        http.header.raw; content:"Content|2D|Length|3A 20|"; content:!"|0D 0A|"; within:3; \
+        byte_extract:2,0,content-length,relative,string,dec; content:"|0D 0A|"; distance:0; within:2; \
+        http.server; content:"Neuro"; byte_test:2,=,content-length,0,relative,little; \
+        priority:3; sid:1;);

tests/detect-bytemath-08/test.yaml

@@ -0,0 +1,14 @@
+pcap: ../detect-bytemath-01/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- --strict-rule-keywords
+
+exit-code: 1
+
+checks:
+  - shell:
+     args: grep "Unknown byte_extract var seen in byte_test - content-length" suricata.log | wc -l | xargs
+     expect: 1

tests/detect-bytemath-09/input.pcap

@@ -0,0 +1 @@
+alert http any any -> any any (msg:"byte_extract Test"; flow:established,to_client; content:"Content|2D|Length|3A 20|"; http_raw_header; content:!"|0D 0A|"; within:3; http_raw_header; byte_extract:2,0,content-length,relative,string,dec; content:"|0D 0A|"; distance:0; within:2; http_raw_header; file_data; content:"test"; byte_test:2,=,content-length,0,relative,little; priority:3; sid:44412999;)

tests/detect-bytemath-09/test.rules

@@ -0,0 +1,12 @@
+
+checks:
+  - shell:
+     min-version: 8
+     args: grep "Warning. detect-byte. Using byte variable from a different buffer may produce indeterminate results; variable. \"content-length\"" suricata.log | wc -l | xargs
+     expect: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 44412999