From 38091d0bc2ceea9c4bbd0fba488641428d0a5043 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Tue, 17 Jun 2025 10:15:20 -0400
Subject: [PATCH] test/byte-vars: Restrict var usage to single-buffer

Add/modify test cases to use the `rule-strict-keywords` where appropriate.

2 new test cases
- bytemath-07 Test 05 for release 8 and later
- bytemath-08 Using additional "lol" signature
- bytemath-09 Using additional "lol" signature

Issue: 1412
---
 tests/bug-7549-01/test.yaml | 3 +++
 tests/detect-bytemath-05/README.md | 3 +++
 tests/detect-bytemath-07/test.rules | 5 +++++
 tests/detect-bytemath-07/test.yaml | 14 ++++++++++++++
 tests/detect-bytemath-08/test.rules | 6 ++++++
 tests/detect-bytemath-08/test.yaml | 14 ++++++++++++++
 tests/detect-bytemath-09/input.pcap | Bin 0 -> 641 bytes
 tests/detect-bytemath-09/test.rules | 1 +
 tests/detect-bytemath-09/test.yaml | 12 ++++++++++++
 9 files changed, 58 insertions(+)
 create mode 100644 tests/detect-bytemath-05/README.md
 create mode 100644 tests/detect-bytemath-07/test.rules
 create mode 100644 tests/detect-bytemath-07/test.yaml
 create mode 100644 tests/detect-bytemath-08/test.rules
 create mode 100644 tests/detect-bytemath-08/test.yaml
 create mode 100644 tests/detect-bytemath-09/input.pcap
 create mode 100644 tests/detect-bytemath-09/test.rules
 create mode 100644 tests/detect-bytemath-09/test.yaml

diff --git a/tests/bug-7549-01/test.yaml b/tests/bug-7549-01/test.yaml
index 4c17099fb..0a02f3ade 100644
--- a/tests/bug-7549-01/test.yaml
+++ b/tests/bug-7549-01/test.yaml
@@ -1,6 +1,9 @@
 requires:
   min-version: 8
+args:
+  - --strict-rule-keywords
+
 checks:
   - shell:
       args: grep "Unknown byte_extract var seen.*rpkt_len" stderr | wc -l | xargs
diff --git a/tests/detect-bytemath-05/README.md b/tests/detect-bytemath-05/README.md
new file mode 100644
index 000000000..6679d6da1
--- /dev/null
+++ b/tests/detect-bytemath-05/README.md
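Review bot: With `--strict-rule-keywords` the `rpkt_len` unknown-variable case turns from a warning into a rule-load failure, so this test should also pin the exit status the way the new detect-bytemath-07/08 tests do, e.g. `exit-code: 1`; whether the file already has one cannot be seen here, because the hunk ends at the first check. The existing check greps `stderr` while the new strict-keyword tests grep `suricata.log`; using one log source for all of them keeps the checks from diverging if the harness changes where the log lands. Also note the commit message calls the option `rule-strict-keywords` while the flag added here is `--strict-rule-keywords`.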
@@ -0,0 +1,3 @@
+This test is for Redmine issue https://redmine.openinfosecfoundation.org/issues/1412
+
+Ensure that variable usage is restricted to a single buffer
diff --git a/tests/detect-bytemath-07/test.rules b/tests/detect-bytemath-07/test.rules
new file mode 100644
index 000000000..bbaad2932
--- /dev/null
+++ b/tests/detect-bytemath-07/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"byte_math varname test sig"; \
+  ipv4.hdr; byte_extract:1,5,rpkt_len,relative; \
+  byte_math:bytes rpkt_len, offset 1, oper +, rvalue 102, result result_val; \
+  tcp.hdr; byte_test: 1, =, result_val, 1, relative; \
+  sid:1;)
diff --git a/tests/detect-bytemath-07/test.yaml b/tests/detect-bytemath-07/test.yaml
new file mode 100644
index 000000000..d4dcc8464
--- /dev/null
+++ b/tests/detect-bytemath-07/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../detect-bytemath-01/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- --strict-rule-keywords
+
+exit-code: 1
+
+checks:
+  - shell:
+      args: grep "Unknown byte_extract var seen in byte_test - result_val" suricata.log | wc -l | xargs
+      expect: 1
diff --git a/tests/detect-bytemath-08/test.rules b/tests/detect-bytemath-08/test.rules
new file mode 100644
index 000000000..554602414
--- /dev/null
+++ b/tests/detect-bytemath-08/test.rules
@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"byte_extract Test"; \
+  flow:established,to_client; \
+  http.header.raw; content:"Content|2D|Length|3A 20|"; content:!"|0D 0A|"; within:3; \
+  byte_extract:2,0,content-length,relative,string,dec; content:"|0D 0A|"; distance:0; within:2; \
+  http.server; content:"Neuro"; byte_test:2,=,content-length,0,relative,little; \
+  priority:3; sid:1;);
diff --git a/tests/detect-bytemath-08/test.yaml b/tests/detect-bytemath-08/test.yaml
new file mode 100644
index 000000000..ccea36961
--- /dev/null
+++ b/tests/detect-bytemath-08/test.yaml
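Review bot: The rule in detect-bytemath-07/test.rules sets `rpkt_len` and `result_val` under `ipv4.hdr` and then consumes `result_val` under `tcp.hdr`, which is the cross-buffer use the test must reject, but nothing in the file says the rule is deliberately broken; a later "fix" of the rule would silently turn this into a test that loads fine and checks nothing. Add a header comment such as `# result_val is defined in ipv4.hdr and used in tcp.hdr: must fail to load under --strict-rule-keywords (Redmine 1412)`. The test.yaml's grep expecting exactly one "Unknown byte_extract var seen in byte_test - result_val" line is the only place that intent is recorded today.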
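Review bot: The detect-bytemath-08 rule ends with `priority:3; sid:1;);`, a stray `;` after the closing parenthesis, while the detect-bytemath-09 rule ends with `sid:44412999;)`. If the parser rejects trailing characters after `)`, the load fails with a parse error instead of the byte_test variable error the yaml greps for, so the test would fail for the wrong reason; if the parser tolerates it, the inconsistency is merely confusing — either way `+  priority:3; sid:1;)` is the safer spelling. As with test 07, a one-line comment noting that `content-length` is extracted in `http.header.raw` and deliberately consumed in `http.server` would document why this rule is expected not to load.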
@@ -0,0 +1,14 @@
+pcap: ../detect-bytemath-01/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- --strict-rule-keywords
+
+exit-code: 1
+
+checks:
+  - shell:
+      args: grep "Unknown byte_extract var seen in byte_test - content-length" suricata.log | wc -l | xargs
+      expect: 1
diff --git a/tests/detect-bytemath-09/input.pcap b/tests/detect-bytemath-09/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..986edf03f2eb244cad25c0e60e1cc087c796f8f7
GIT binary patch literal 641 zcmca|c+)~A1{MYwaA0F#U<7jhmokPXSg|pf0ofq@P>TJBmsx3p;v@%U4hB~S1`Uuh z2e#7-4y^dfwMM`<`_USP0H8uHAZ7?)QegPI24c!|dxR $RvgUpg9Z-DL~8}AOtkU9Ae5c7lbMKg_GEw4sXa=w*J&yR8!F0!VNSfH9!DpiUq`! zH{NUvc|buB_L4Yi-x+JrSUP>8D%g|+sE;zRnj)dVU@y$T;O-itpr2crR9TW*td~)e zo0^!T;1LoMpl_&W$jcR4oLZ#on4X$fVxQLfIHT2z)=WToJjT3VE!o0ylJTExrcoDXz=UWu+xYF>It zhLwUL(0{yKIjN~7#X!H8aDyGQEfV1+iN87K=UVnUr@xqX57kR(0qP8N`5KUy{_JF6 F001iXt}p-q literal 0 HcmV?d00001

diff --git a/tests/detect-bytemath-09/test.rules b/tests/detect-bytemath-09/test.rules
new file mode 100644
index 000000000..bb8b55e67
--- /dev/null
+++ b/tests/detect-bytemath-09/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"byte_extract Test"; flow:established,to_client; content:"Content|2D|Length|3A 20|"; http_raw_header; content:!"|0D 0A|"; within:3; http_raw_header; byte_extract:2,0,content-length,relative,string,dec; content:"|0D 0A|"; distance:0; within:2; http_raw_header; file_data; content:"test"; byte_test:2,=,content-length,0,relative,little; priority:3; sid:44412999;)
diff --git a/tests/detect-bytemath-09/test.yaml b/tests/detect-bytemath-09/test.yaml
new file mode 100644
index 000000000..dd08797b7
--- /dev/null
+++ b/tests/detect-bytemath-09/test.yaml
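Review bot: The detect-bytemath-09 rule is the one case in this series that is expected to load and alert (its yaml asserts one alert for sid 44412999) even though `content-length` is extracted under `http_raw_header` and tested under `file_data`, and it is also the only rule written in the legacy modifier form rather than the `http.header.raw` sticky-buffer form used by tests 07 and 08; without a comment a reader cannot tell whether the legacy syntax is the point of the test or an accident. Prefix the file with `# legacy modifier syntax on purpose: cross-buffer var use must still warn but load without --strict-rule-keywords`, or rewrite it to match 07/08 if the syntax difference is not intended. The whole rule sits on one line, so breaking it with `\` continuations as in test 08 would make the buffer switches visible at a glance.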
@@ -0,0 +1,12 @@
+
+checks:
+  - shell:
+      min-version: 8
+      args: grep "Warning. detect-byte. Using byte variable from a different buffer may produce indeterminate results; variable. \"content-length\"" suricata.log | wc -l | xargs
+      expect: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 44412999
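Review bot: The grep in the shell check writes `.` where the logged message presumably has `:` (`Warning. detect-byte. ... variable. \"content-length\"`), most likely because a `: ` sequence inside a plain YAML scalar would be read as a mapping; the dots are regex wildcards, so the check matches more than the intended text. Quoting the whole scalar lets the literal message be matched with a fixed-string grep: `args: 'grep -F "Warning: detect-byte: Using byte variable from a different buffer may produce indeterminate results; variable: \"content-length\"" suricata.log | wc -l | xargs'` — the exact wording should be confirmed against the log of a run. It is also worth a comment that only the warning check is gated by `min-version: 8` while the alert filter is meant to pass on every version, since the file otherwise has no `requires:` block.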