Skip to content

Commit

Permalink
tests/luaxform: Lua transform tests
Browse files Browse the repository at this point in the history
This commit adds tests for new Lua transform
- Basic transform operation
- Ensure non-existent Lua scripts are detected
- Ensure Lua scripts without transform functions are detected
- Ensure Lua scripts properly receive optional transform arguments
  • Loading branch information
jlucovsky committed Oct 7, 2024
1 parent ebec860 commit 47cf35a
Show file tree
Hide file tree
Showing 25 changed files with 233 additions and 1 deletion.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-01/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Lua transform test: returns input buffer in uppercase. The rule will match on the uppercase output
Binary file added tests/lua/lua-transform-01/test.pcap
Binary file not shown.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-01/test.rules
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
14 changes: 14 additions & 0 deletions tests/lua/lua-transform-01/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

checks:
- filter:
count: 1
match:
event_type: alert
alert.signature_id: 1
http.url: /exec_post.php
15 changes: 15 additions & 0 deletions tests/lua/lua-transform-01/transform.lua
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
function init (args)
local needs = {}
return needs
end

-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function transform(input_len, input, argc, args)
local bytes = input_len
local offset = 0

local sub = string.sub(input, offset + 1, offset + bytes)
return string.upper(sub), bytes
end
1 change: 1 addition & 0 deletions tests/lua/lua-transform-02/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Lua transform: Ensure non-existent lua scripts are detected.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-02/test.rules
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:no_filetransform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
20 changes: 20 additions & 0 deletions tests/lua/lua-transform-02/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true
- --set logging.outputs.1.file.type=json
- -T

exit-code: 1

pcap: false
checks:
- filter:
count: 1
filename: suricata.log
match:
event_type: engine
engine.message.__startswith: "couldn't load file"
engine.message.__find: "no_filetransform.lua: No such file or directory"
1 change: 1 addition & 0 deletions tests/lua/lua-transform-03/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Lua transform test: ensure lua script has a transform function
1 change: 1 addition & 0 deletions tests/lua/lua-transform-03/test.rules
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
20 changes: 20 additions & 0 deletions tests/lua/lua-transform-03/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true
- --set logging.outputs.1.file.type=json
- -T

pcap: false

exit-code: 1

checks:
- filter:
count: 1
filename: suricata.log
match:
engine.message.__find: "no transform function in script"
event_type: engine
15 changes: 15 additions & 0 deletions tests/lua/lua-transform-03/transform.lua
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
function init (args)
local needs = {}
return needs
end

-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function no_transform(input_len, input, argc, args)
local bytes = input_len
local offset = 0

local sub = string.sub(input, offset + 1, offset + bytes)
return string.upper(sub), bytes
end
1 change: 1 addition & 0 deletions tests/lua/lua-transform-04/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Ensure Lua transform receives optional transform function arguments
1 change: 1 addition & 0 deletions tests/lua/lua-transform-04/test.rules
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 0, offset 2;content:"EXEC_POST.PHP"; sid:1; rev:1;)
18 changes: 18 additions & 0 deletions tests/lua/lua-transform-04/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

pcap: ../lua-transform-01/test.pcap

checks:

- shell:
args: grep "1 item.* bytes 0" stdout | wc -l | xargs
expect: 1

- shell:
args: grep "2 item.* offset 2" stdout| wc -l | xargs
expect: 1
18 changes: 18 additions & 0 deletions tests/lua/lua-transform-04/transform.lua
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
function init (args)
local needs = {}
return needs
end

-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function transform(input_len, input, argc, args)
offset = 0
bytes = input_len
for i, item in ipairs(args) do
print(i .. " item: " .. item)
end

local sub = string.sub(input, offset + 1, offset + bytes)
return string.upper(sub), bytes
end
2 changes: 1 addition & 1 deletion tests/lua/lua-transform-05/transform.lua
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,5 @@ function init (args)
end

function transform(input_len, input, argc, args)
return nil
return nil, 0
end
1 change: 1 addition & 0 deletions tests/lua/lua-transform-06/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Lua transform test: transform function returns 1 parameter when 2 are required.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-06/test.rules
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
16 changes: 16 additions & 0 deletions tests/lua/lua-transform-06/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

pcap: ../lua-transform-01/test.pcap

checks:
- filter:
count: 0
match:
event_type: alert
alert.signature_id: 1
http.url: /exec_post.php
16 changes: 16 additions & 0 deletions tests/lua/lua-transform-06/transform.lua
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
function init (args)
local needs = {}
return needs
end

-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function transform(input_len, input, argc, args)
local bytes = input_len
local offset = 0

local sub = string.sub(input, offset + 1, offset + bytes)
-- Note -- only one value is returned when 2 are expected: buffer, byte-count
return string.upper(sub)
end
2 changes: 2 additions & 0 deletions tests/lua/lua-transform-07/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Ensure Lua transform receives optional transform function arguments. The Lua transform script
is also provided as an example in the documentation.
1 change: 1 addition & 0 deletions tests/lua/lua-transform-07/test.rules
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 12, offset 2;content:"XEC_POST.PHP"; sid:1; rev:1;)
16 changes: 16 additions & 0 deletions tests/lua/lua-transform-07/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
requires:
min-version: 8

args:
- --set default-rule-path=${TEST_DIR}
- --set security.lua.allow-rules=true

pcap: ../lua-transform-01/test.pcap

checks:

- filter:
count: 1
match:
event_type: alert
alert.signature_id: 1
51 changes: 51 additions & 0 deletions tests/lua/lua-transform-07/transform.lua
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
function init (args)
local needs = {}
return needs
end

local function get_value(item, key)
if string.find(item, key) then
local _, value = string.match(item, "(%a+)%s*(%d*)")
if value ~= "" then
return tonumber(value)
end
end

return nil
end

-- Arguments supported
local bytes_key = "bytes"
local offset_key = "offset"
function transform(input_len, input, argc, args)
local bytes = input_len
local offset = 0

-- Look for optional bytes and offset arguments
for i, item in ipairs(args) do
local value = get_value(item, bytes_key)
if value ~= nil then
bytes = value
else
value = get_value(item, offset_key)
if value ~= nil then
offset = value
end
end
end

local str_len = #input
if offset < 0 or offset > str_len then
print("offset is out of bounds: " .. offset)
return nil
end

local avail_len = str_len - offset
if bytes < 0 or bytes > avail_len then
print("invalid bytes " .. bytes .. " or bytes exceeds available length " .. avail_len)
return nil
end

local sub = string.sub(input, offset + 1, offset + bytes)
return string.upper(sub), bytes
end

0 comments on commit 47cf35a

Please sign in to comment.