From 22112490b0e0e31a96ba6d06871972df45d92717 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Fri, 20 Jun 2025 17:38:34 +0530
Subject: [PATCH 1/3] flowbits: add tests for invalid flowbit cmd combinations
Bug 7772 Bug 7773 Bug 7774 Bug 7817 Bug 7818
---
 tests/flowbits-invalid-01/suricata.yaml | 12 ++++++++++++
 tests/flowbits-invalid-01/test.rules | 1 +
 tests/flowbits-invalid-01/test.yaml | 16 ++++++++++++++++
 tests/flowbits-invalid-02/suricata.yaml | 12 ++++++++++++
 tests/flowbits-invalid-02/test.rules | 1 +
 tests/flowbits-invalid-02/test.yaml | 16 ++++++++++++++++
 tests/flowbits-invalid-03/suricata.yaml | 12 ++++++++++++
 tests/flowbits-invalid-03/test.rules | 1 +
 tests/flowbits-invalid-03/test.yaml | 16 ++++++++++++++++
 tests/flowbits-invalid-04/suricata.yaml | 12 ++++++++++++
 tests/flowbits-invalid-04/test.rules | 1 +
 tests/flowbits-invalid-04/test.yaml | 16 ++++++++++++++++
 tests/flowbits-invalid-05/suricata.yaml | 12 ++++++++++++
 tests/flowbits-invalid-05/test.rules | 1 +
 tests/flowbits-invalid-05/test.yaml | 16 ++++++++++++++++
 15 files changed, 145 insertions(+)
 create mode 100644 tests/flowbits-invalid-01/suricata.yaml
 create mode 100644 tests/flowbits-invalid-01/test.rules
 create mode 100644 tests/flowbits-invalid-01/test.yaml
 create mode 100644 tests/flowbits-invalid-02/suricata.yaml
 create mode 100644 tests/flowbits-invalid-02/test.rules
 create mode 100644 tests/flowbits-invalid-02/test.yaml
 create mode 100644 tests/flowbits-invalid-03/suricata.yaml
 create mode 100644 tests/flowbits-invalid-03/test.rules
 create mode 100644 tests/flowbits-invalid-03/test.yaml
 create mode 100644 tests/flowbits-invalid-04/suricata.yaml
 create mode 100644 tests/flowbits-invalid-04/test.rules
 create mode 100644 tests/flowbits-invalid-04/test.yaml
 create mode 100644 tests/flowbits-invalid-05/suricata.yaml
 create mode 100644 tests/flowbits-invalid-05/test.rules
 create mode 100644 tests/flowbits-invalid-05/test.yaml
diff --git a/tests/flowbits-invalid-01/suricata.yaml b/tests/flowbits-invalid-01/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-01/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-01/test.rules b/tests/flowbits-invalid-01/test.rules
new file mode 100644
index 000000000..95b40097f
--- /dev/null
+++ b/tests/flowbits-invalid-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + isset combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:isset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-01/test.yaml b/tests/flowbits-invalid-01/test.yaml
new file mode 100644
index 000000000..f166a69a5
--- /dev/null
+++ b/tests/flowbits-invalid-01/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Error
+ engine.message: "invalid flowbit command combination in the same signature: set and isset"
diff --git a/tests/flowbits-invalid-02/suricata.yaml b/tests/flowbits-invalid-02/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-02/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-02/test.rules b/tests/flowbits-invalid-02/test.rules
new file mode 100644
index 000000000..b061b5583
--- /dev/null
+++ b/tests/flowbits-invalid-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit unset + isnotset combination"; http.method; content:"GET"; flowbits:unset,fb1; flowbits:isnotset,fb1; sid:111;)
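Review bot: `min-version: 8` in flowbits-invalid-01/test.yaml is spelled differently from the `min-version: 8.0` that the bug-7638-flowbits-sigorder-01 test in this same series uses, and the same spelling is repeated in the flowbits-invalid-02 through -05 test.yaml files. Parsed as YAML, `8` is an int and `8.0` a float, so whether both satisfy the same version check depends on how run.py normalizes the value, which is not visible in this series. Using one spelling across the five new tests (`min-version: 8.0`, matching the sibling test) keeps them consistent and avoids relying on that normalization.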
diff --git a/tests/flowbits-invalid-02/test.yaml b/tests/flowbits-invalid-02/test.yaml
new file mode 100644
index 000000000..338268fbf
--- /dev/null
+++ b/tests/flowbits-invalid-02/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Error
+ engine.message: "invalid flowbit command combination in the same signature: unset and isnotset"
diff --git a/tests/flowbits-invalid-03/suricata.yaml b/tests/flowbits-invalid-03/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-03/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-03/test.rules b/tests/flowbits-invalid-03/test.rules
new file mode 100644
index 000000000..94eaea171
--- /dev/null
+++ b/tests/flowbits-invalid-03/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + toggle combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:toggle,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-03/test.yaml b/tests/flowbits-invalid-03/test.yaml
new file mode 100644
index 000000000..1e7bd9e84
--- /dev/null
+++ b/tests/flowbits-invalid-03/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Error
+ engine.message: "invalid flowbit command combination in the same signature: set and toggle"
diff --git a/tests/flowbits-invalid-04/suricata.yaml b/tests/flowbits-invalid-04/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-04/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-04/test.rules b/tests/flowbits-invalid-04/test.rules
new file mode 100644
index 000000000..b5ecfc50a
--- /dev/null
+++ b/tests/flowbits-invalid-04/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isset + isnot combination"; http.method; content:"GET"; flowbits:isset,fb1; flowbits:isnotset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-04/test.yaml b/tests/flowbits-invalid-04/test.yaml
new file mode 100644
index 000000000..da9c71d9b
--- /dev/null
+++ b/tests/flowbits-invalid-04/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Error
+ engine.message: "invalid flowbit command combination in the same signature: isset and isnotset"
diff --git a/tests/flowbits-invalid-05/suricata.yaml b/tests/flowbits-invalid-05/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-05/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-05/test.rules b/tests/flowbits-invalid-05/test.rules
new file mode 100644
index 000000000..27c654668
--- /dev/null
+++ b/tests/flowbits-invalid-05/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + unset combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:unset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-05/test.yaml b/tests/flowbits-invalid-05/test.yaml
new file mode 100644
index 000000000..8a83dfea7
--- /dev/null
+++ b/tests/flowbits-invalid-05/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Error
+ engine.message: "invalid flowbit command combination in the same signature: set and unset"
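Review bot: The msg text in flowbits-invalid-04/test.rules reads `Illegal flowbit isset + isnot combination`, while the rule itself uses `flowbits:isnotset,fb1` and the expected engine.message in the matching test.yaml is `isset and isnotset`; the other four new rules name the exact keyword pair in their msg. Nothing asserts on msg, so this is cosmetic, but `msg: "Illegal flowbit isset + isnotset combination"` keeps the five rules consistent and makes the test greppable by the real keyword.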
From 066b7a4837f0b902fb7ec6de87b6a5e3ceec18e6 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 1 Apr 2025 14:51:23 +0200 Subject: [PATCH 2/3] run.py: expose line number for allowing order checks --- README.md | 7 ++++++- run.py | 3 +++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 74a5d6e25..e0c6d7c4c 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,12 @@ checks: # Check if a string is contained within a JSON list. # Eg. "ftp":{"reply":["Opening BINARY mode data connection for temp.txt (1164 bytes).","Transfer complete."], } ftp.reply.__contains: 'Transfer complete.' - + - filter: + # Check line number of an entry + count: 1 + match: + __lineno: 5 + alert.signature_id: 15 - shell: # A simple shell check. If the command exits with a non-0 exit code the # check will fail. The script is run in the output directory of the diff --git a/run.py b/run.py index 61ee2f986..83bc41663 100755 --- a/run.py +++ b/run.py @@ -574,8 +574,11 @@ def run(self): count = 0 with open(json_filename, "r", encoding="utf-8") as fileobj: + lineno = 1 for line in fileobj: event = json.loads(line) + event["__lineno"] = lineno + lineno = lineno + 1 if self.match(event): count += 1 if count == self.config["count"]: From da584d52aefd9efa56c2fe0e91cec379ac0a3686 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 1 Apr 2025 14:51:59 +0200 Subject: [PATCH 3/3] tests: bug 7638 flowbit rule order test --- .../bug-7638-flowbits-sigorder-01/test.rules | 4 +++ tests/bug-7638-flowbits-sigorder-01/test.yaml | 33 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 tests/bug-7638-flowbits-sigorder-01/test.rules create mode 100644 tests/bug-7638-flowbits-sigorder-01/test.yaml diff --git a/tests/bug-7638-flowbits-sigorder-01/test.rules b/tests/bug-7638-flowbits-sigorder-01/test.rules new file mode 100644 index 000000000..59c8c19bd --- /dev/null +++ b/tests/bug-7638-flowbits-sigorder-01/test.rules 
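Review bot: The three lines added to run.py hand-roll a counter that `enumerate` already provides; `for lineno, line in enumerate(fileobj, start=1):` together with `event["__lineno"] = lineno` replaces `lineno = 1` and `lineno = lineno + 1` and keeps the counter tied to the loop rather than to a separate statement. `event["__lineno"] = lineno` also silently overwrites a `__lineno` key if the JSON record already carried one, which is unlikely for Suricata output but deserves a one-line comment such as `# synthetic key for order checks; shadows any __lineno in the record`. The README example pairs `__lineno` with `alert.signature_id` on eve.json; the order of EVE records across a multi-threaded run is not necessarily the match order, so the README text might add that line-number checks are only dependable for single-writer outputs like the rules.json produced by --engine-analysis, though I cannot confirm from this series how run.py configures threading. The enclosing `run` method starts before this hunk.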
@@ -0,0 +1,4 @@
+alert http any any -> any any (http.uri; content:"down"; flowbits:set,uritest; sid:11;)
+alert http any any -> any any (http.user_agent; content:"Mozilla"; flowbits:isset, headtest; flowbits:set,moz; sid:10;)
+alert http any any -> any any (http.method; content:"GET"; flowbits:isset,uritest; flowbits:set,headtest; sid:12;)
+alert http any any -> any any (http.host; content:"ether"; flowbits:isset,moz; sid:14;)
diff --git a/tests/bug-7638-flowbits-sigorder-01/test.yaml b/tests/bug-7638-flowbits-sigorder-01/test.yaml
new file mode 100644
index 000000000..c44d0f121
--- /dev/null
+++ b/tests/bug-7638-flowbits-sigorder-01/test.yaml
@@ -0,0 +1,33 @@
+requires:
+ min-version: 8.0
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ __lineno: 1
+ id: 11
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ __lineno: 2
+ id: 12
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ __lineno: 3
+ id: 10
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ __lineno: 4
+ id: 14
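Review bot: sid 10 in bug-7638-flowbits-sigorder-01/test.rules writes `flowbits:isset, headtest` with a space after the comma, unlike the other three rules in the hunk. If the space is deliberate (exercising whitespace tolerance in the keyword's argument), a `#` comment line above the rule saying so would stop a later cleanup from removing it; if it is not, `flowbits:isset,headtest` matches the rest. The test.yaml then expects rules.json to list ids 11, 12, 10, 14 on lines 1 to 4, which only holds if engine-analysis writes rules in the engine's final dependency-resolved order; that assumption is the whole point of the test and would be worth stating in a short comment at the top of test.yaml.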