From 9d88e524aa46bfdcf35923055c2b064cbb831d0e Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Mon, 10 Jun 2024 15:49:50 +0530
Subject: [PATCH] datasets: add tests for string memcap Ticket 3910
---
tests/datasets-memcap-01/README.md | 14 ++++++++++++++
tests/datasets-memcap-01/datasets.csv | 1 +
tests/datasets-memcap-01/test.rules | 1 +
tests/datasets-memcap-01/test.yaml | 18 ++++++++++++++++++
tests/datasets-memcap-02/README.md | 14 ++++++++++++++
tests/datasets-memcap-02/datasets.csv | 1 +
tests/datasets-memcap-02/test.rules | 1 +
tests/datasets-memcap-02/test.yaml | 15 +++++++++++++++
8 files changed, 65 insertions(+)
create mode 100644 tests/datasets-memcap-01/README.md
create mode 100644 tests/datasets-memcap-01/datasets.csv
create mode 100644 tests/datasets-memcap-01/test.rules
create mode 100644 tests/datasets-memcap-01/test.yaml
create mode 100644 tests/datasets-memcap-02/README.md
create mode 100644 tests/datasets-memcap-02/datasets.csv
create mode 100644 tests/datasets-memcap-02/test.rules
create mode 100644 tests/datasets-memcap-02/test.yaml
diff --git a/tests/datasets-memcap-01/README.md b/tests/datasets-memcap-01/README.md
new file mode 100644
index 000000000..02cfd4643
--- /dev/null
+++ b/tests/datasets-memcap-01/README.md
@@ -0,0 +1,14 @@
+Test Description
+================
+
+This test demonstrates that the memcap settings DO NOT take the string length into account in 7.0.x or below.
+
+PCAP
+====
+
+Comes from existing test `flowbit-oring`.
+
+Related tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/3910
diff --git a/tests/datasets-memcap-01/datasets.csv b/tests/datasets-memcap-01/datasets.csv
new file mode 100644
index 000000000..3961eb8ac
--- /dev/null
+++ b/tests/datasets-memcap-01/datasets.csv
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=
diff --git a/tests/datasets-memcap-01/test.rules b/tests/datasets-memcap-01/test.rules
new file mode 100644
index 000000000..6bce440ab
--- /dev/null
+++ b/tests/datasets-memcap-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv,memcap 88074,hashsize 1; sid:1;)
diff --git a/tests/datasets-memcap-01/test.yaml b/tests/datasets-memcap-01/test.yaml
new file mode 100644
index 000000000..ec09db4d2
--- /dev/null
+++ b/tests/datasets-memcap-01/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../flowbit-oring/input.pcap
+
+requires:
+ lt-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/datasets-memcap-02/README.md b/tests/datasets-memcap-02/README.md
new file mode 100644
index 000000000..3f48a8aa6
--- /dev/null
+++ b/tests/datasets-memcap-02/README.md
@@ -0,0 +1,14 @@
+Test Description
+================
+
+This test demonstrates that the memcap settings take the string length into account in 8.0.x.
+
+PCAP
+====
+
+Comes from existing test `flowbit-oring`.
+
+Related tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/3910
diff --git a/tests/datasets-memcap-02/datasets.csv b/tests/datasets-memcap-02/datasets.csv
new file mode 100644
index 000000000..3961eb8ac
--- /dev/null
+++ b/tests/datasets-memcap-02/datasets.csv
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=
diff --git a/tests/datasets-memcap-02/test.rules b/tests/datasets-memcap-02/test.rules
new file mode 100644
index 000000000..6bce440ab
--- /dev/null
+++ b/tests/datasets-memcap-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv,memcap 88074,hashsize 1; sid:1;)
diff --git a/tests/datasets-memcap-02/test.yaml b/tests/datasets-memcap-02/test.yaml
new file mode 100644
index 000000000..650de74dc
--- /dev/null
+++ b/tests/datasets-memcap-02/test.yaml
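Review bot: The `memcap 88074` value in tests/datasets-memcap-01/test.rules is an unexplained boundary constant, and the identical rule in tests/datasets-memcap-02/test.rules carries it too. Both tests appear to rely on that number being large enough for the dataset's fixed overhead but too small once the loaded string's length is counted, so a change to the hash or entry layout could move the boundary and make either test pass or fail for the wrong reason. A comment line above the signature would record the derivation, for example `# memcap 88074: TODO document how this was computed (fixed dataset overhead, excluding string bytes?)`. The same comment could mention that `datasets.csv` holds a single base64 value that decodes to `curl/7.43.0`, which is what `http.user_agent` is expected to match.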
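Review bot: tests/datasets-memcap-01/test.yaml pins the pre-8 behaviour in which memcap ignores string length, but the file itself says nothing about that; a reader sees only an alert count of 1. A header comment such as `# Pins pre-8 behaviour (ticket 3910): memcap does not count string length, so the dataset loads and sid 1 fires` would make the intent clear and flag that `lt-version: 8` needs tightening if the accounting fix is ever backported. This file also has no `os:` requirement while the 8.x counterpart sets `os: linux`; if the 88074 boundary depends on platform structure sizes (not visible here), the same restriction presumably belongs in both.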
@@ -0,0 +1,15 @@
+pcap: ../flowbit-oring/input.pcap
+
+requires:
+ min-version: 8
+ os: linux
+
+exit-code: 1
+
+args:
+ - -k none
+
+checks:
+ - shell:
+ args: grep "dataset too large for set memcap" suricata.log | wc -l
+ expect: 1
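Review bot: Only the rejecting side of the memcap boundary is exercised for 8.x: tests/datasets-memcap-02/test.yaml expects `exit-code: 1` and one `dataset too large for set memcap` log line, and no 8.x test in this patch loads the same `datasets.csv` under a memcap that should be just sufficient. A regression that refuses every string dataset would therefore still pass, and `exit-code: 1` alone does not distinguish this failure from any other startup error, so the grep is the only discriminating check. Since memcap is the limit that bounds dataset memory, a companion 8.x test with a slightly larger memcap and the alert checks used in datasets-memcap-01/test.yaml would pin both sides of the limit. A comment such as `# exit 1 is expected: dataset load must be refused once string length is counted against memcap` would also document why a failing exit code is the pass condition.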