diff --git a/tests/lua/lua-transform-01/README.md b/tests/lua/lua-transform-01/README.md
new file mode 100644
index 000000000..9326f3a9d
--- /dev/null
+++ b/tests/lua/lua-transform-01/README.md
@@ -0,0 +1 @@
+Lua transform test: returns input buffer in uppercase. The rule will match on the uppercase output
diff --git a/tests/lua/lua-transform-01/test.pcap b/tests/lua/lua-transform-01/test.pcap
new file mode 100644
index 000000000..b9eec15c8
Binary files /dev/null and b/tests/lua/lua-transform-01/test.pcap differ
diff --git a/tests/lua/lua-transform-01/test.rules b/tests/lua/lua-transform-01/test.rules
new file mode 100644
index 000000000..0f33f6085
--- /dev/null
+++ b/tests/lua/lua-transform-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-01/test.yaml b/tests/lua/lua-transform-01/test.yaml
new file mode 100644
index 000000000..5a80f136c
--- /dev/null
+++ b/tests/lua/lua-transform-01/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ http.url: /exec_post.php
diff --git a/tests/lua/lua-transform-01/transform.lua b/tests/lua/lua-transform-01/transform.lua
new file mode 100644
index 000000000..6135f8c40
--- /dev/null
+++ b/tests/lua/lua-transform-01/transform.lua
@@ -0,0 +1,15 @@
+function init (args)
+ local needs = {}
+ return needs
+end
+
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function transform(input_len, input, argc, args)
+ local bytes = input_len
+ local offset = 0
+
+ local sub = string.sub(input, offset + 1, offset + bytes)
+ return string.upper(sub), bytes
+end
diff --git a/tests/lua/lua-transform-02/README.md b/tests/lua/lua-transform-02/README.md
new file mode 100644
index 000000000..10c8d07e3
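Review bot: In lua-transform-01/transform.lua the locals `bytes_key` and `offset_key` and the parameters `argc` and `args` are never read, so the `-- Arguments supported` comment promises an argument interface this fixture does not implement; the same leftover appears in lua-transform-03 and lua-transform-06. Since the README says this fixture only uppercases the buffer, either drop the two locals and the comment or replace it with `-- Arguments are ignored by this fixture; the whole buffer is uppercased`. The unused parameters can stay to document the hook's positional signature, but luacheck will flag them unless they are renamed with a leading underscore.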
--- /dev/null
+++ b/tests/lua/lua-transform-02/README.md
@@ -0,0 +1 @@
+Lua transform: Ensure non-existent lua scripts are detected.
diff --git a/tests/lua/lua-transform-02/test.rules b/tests/lua/lua-transform-02/test.rules
new file mode 100644
index 000000000..c16f5a495
--- /dev/null
+++ b/tests/lua/lua-transform-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:no_filetransform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-02/test.yaml b/tests/lua/lua-transform-02/test.yaml
new file mode 100644
index 000000000..fcfed6b23
--- /dev/null
+++ b/tests/lua/lua-transform-02/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+ - --set logging.outputs.1.file.type=json
+ - -T
+
+exit-code: 1
+
+pcap: false
+checks:
+ - filter:
+ count: 1
+ filename: suricata.log
+ match:
+ event_type: engine
+ engine.message.__startswith: "couldn't load file"
+ engine.message.__find: "no_filetransform.lua: No such file or directory"
diff --git a/tests/lua/lua-transform-03/README.md b/tests/lua/lua-transform-03/README.md
new file mode 100644
index 000000000..136e5918e
--- /dev/null
+++ b/tests/lua/lua-transform-03/README.md
@@ -0,0 +1 @@
+Lua transform test: ensure lua script has a transform function
diff --git a/tests/lua/lua-transform-03/test.rules b/tests/lua/lua-transform-03/test.rules
new file mode 100644
index 000000000..0f33f6085
--- /dev/null
+++ b/tests/lua/lua-transform-03/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-03/test.yaml b/tests/lua/lua-transform-03/test.yaml
new file mode 100644
index 000000000..eff429553
--- /dev/null
+++ b/tests/lua/lua-transform-03/test.yaml
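Review bot: The `engine.message.__find` check in lua-transform-02/test.yaml pins the OS strerror wording `No such file or directory`, which is the glibc text and may differ on other platforms the suite runs on. Matching only the script name, `engine.message.__find: "no_filetransform.lua"`, together with the existing `__startswith: "couldn't load file"` check is enough to prove the missing-script path is detected. If the suite is Linux-only by policy, a one-line comment saying so next to the check would keep a future failure from being misread.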
@@ -0,0 +1,20 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+ - --set logging.outputs.1.file.type=json
+ - -T
+
+pcap: false
+
+exit-code: 1
+
+checks:
+ - filter:
+ count: 1
+ filename: suricata.log
+ match:
+ engine.message.__find: "no transform function in script"
+ event_type: engine
diff --git a/tests/lua/lua-transform-03/transform.lua b/tests/lua/lua-transform-03/transform.lua
new file mode 100644
index 000000000..9c79a4715
--- /dev/null
+++ b/tests/lua/lua-transform-03/transform.lua
@@ -0,0 +1,15 @@
+function init (args)
+ local needs = {}
+ return needs
+end
+
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function no_transform(input_len, input, argc, args)
+ local bytes = input_len
+ local offset = 0
+
+ local sub = string.sub(input, offset + 1, offset + bytes)
+ return string.upper(sub), bytes
+end
diff --git a/tests/lua/lua-transform-04/README.md b/tests/lua/lua-transform-04/README.md
new file mode 100644
index 000000000..ae099cc78
--- /dev/null
+++ b/tests/lua/lua-transform-04/README.md
@@ -0,0 +1 @@
+Ensure Lua transform receives optional transform function arguments
diff --git a/tests/lua/lua-transform-04/test.rules b/tests/lua/lua-transform-04/test.rules
new file mode 100644
index 000000000..2224c83df
--- /dev/null
+++ b/tests/lua/lua-transform-04/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 0, offset 2;content:"EXEC_POST.PHP"; sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-04/test.yaml b/tests/lua/lua-transform-04/test.yaml
new file mode 100644
index 000000000..65b944fec
--- /dev/null
+++ b/tests/lua/lua-transform-04/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+
+pcap: ../lua-transform-01/test.pcap
+
+checks:
+
+ - shell:
+ args: grep "1 item.* bytes 0" stdout | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep "2 item.* offset 2" stdout| wc -l | xargs
+ expect: 1
diff --git a/tests/lua/lua-transform-04/transform.lua b/tests/lua/lua-transform-04/transform.lua
new file mode 100644
index 000000000..62a4cd5bd
--- /dev/null
+++ b/tests/lua/lua-transform-04/transform.lua
@@ -0,0 +1,18 @@
+function init (args)
+ local needs = {}
+ return needs
+end
+
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function transform(input_len, input, argc, args)
+ offset = 0
+ bytes = input_len
+ for i, item in ipairs(args) do
+ print(i .. " item: " .. item)
+ end
+
+ local sub = string.sub(input, offset + 1, offset + bytes)
+ return string.upper(sub), bytes
+end
diff --git a/tests/lua/lua-transform-05/README.md b/tests/lua/lua-transform-05/README.md
new file mode 100644
index 000000000..4c158e284
--- /dev/null
+++ b/tests/lua/lua-transform-05/README.md
@@ -0,0 +1 @@
+Ensure Lua transform that returns nil is treated as though no transformation took place and the buffer is unchanged.
diff --git a/tests/lua/lua-transform-05/test.rules b/tests/lua/lua-transform-05/test.rules
new file mode 100644
index 000000000..c3588b920
--- /dev/null
+++ b/tests/lua/lua-transform-05/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 0, offset 2;content:"exec_post.php"; sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-05/test.yaml b/tests/lua/lua-transform-05/test.yaml
new file mode 100644
index 000000000..5c54f08b6
--- /dev/null
+++ b/tests/lua/lua-transform-05/test.yaml
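Review bot: In lua-transform-04/transform.lua, `offset = 0` and `bytes = input_len` are assigned without `local`, so they become globals in the script's Lua state and persist between calls; `local offset = 0` and `local bytes = input_len` keeps them function-scoped as the other fixtures do. The `print(i .. " item: " .. item)` loop is what the shell checks in test.yaml grep from stdout, so it must keep its format, and a comment such as `-- test.yaml greps this line from stdout; keep the format` would stop it being tidied away. The `bytes 0` and `offset 2` arguments from test.rules are printed but never applied, which is fine for this test but worth stating in the README so nobody expects the rule's `EXEC_POST.PHP` match to depend on them.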
@@ -0,0 +1,17 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+
+pcap: ../lua-transform-01/test.pcap
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ http.url: /exec_post.php
diff --git a/tests/lua/lua-transform-05/transform.lua b/tests/lua/lua-transform-05/transform.lua
new file mode 100644
index 000000000..38cb594c0
--- /dev/null
+++ b/tests/lua/lua-transform-05/transform.lua
@@ -0,0 +1,8 @@
+function init (args)
+ local needs = {}
+ return needs
+end
+
+function transform(input_len, input, argc, args)
+ return nil, 0
+end
diff --git a/tests/lua/lua-transform-06/README.md b/tests/lua/lua-transform-06/README.md
new file mode 100644
index 000000000..423cac594
--- /dev/null
+++ b/tests/lua/lua-transform-06/README.md
@@ -0,0 +1 @@
+Lua transform test: transform function returns 1 parameter when 2 are required.
diff --git a/tests/lua/lua-transform-06/test.rules b/tests/lua/lua-transform-06/test.rules
new file mode 100644
index 000000000..0f33f6085
--- /dev/null
+++ b/tests/lua/lua-transform-06/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-06/test.yaml b/tests/lua/lua-transform-06/test.yaml
new file mode 100644
index 000000000..f564e8ccf
--- /dev/null
+++ b/tests/lua/lua-transform-06/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+
+pcap: ../lua-transform-01/test.pcap
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ http.url: /exec_post.php
diff --git a/tests/lua/lua-transform-06/transform.lua b/tests/lua/lua-transform-06/transform.lua
new file mode 100644
index 000000000..d9d23cf9b
--- /dev/null
+++ b/tests/lua/lua-transform-06/transform.lua
@@ -0,0 +1,16 @@
+function init (args)
+ local needs = {}
+ return needs
+end
+
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function transform(input_len, input, argc, args)
+ local bytes = input_len
+ local offset = 0
+
+ local sub = string.sub(input, offset + 1, offset + bytes)
+ -- Note -- only one value is returned when 2 are expected: buffer, byte-count
+ return string.upper(sub)
+end
diff --git a/tests/lua/lua-transform-07/README.md b/tests/lua/lua-transform-07/README.md
new file mode 100644
index 000000000..c9f52c1b7
--- /dev/null
+++ b/tests/lua/lua-transform-07/README.md
@@ -0,0 +1,2 @@
+Ensure Lua transform receives optional transform function arguments. The Lua transform script
+is also provided as an example in the documentation.
diff --git a/tests/lua/lua-transform-07/test.rules b/tests/lua/lua-transform-07/test.rules
new file mode 100644
index 000000000..58cd4ab47
--- /dev/null
+++ b/tests/lua/lua-transform-07/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 12, offset 2;content:"XEC_POST.PHP"; sid:1; rev:1;)
diff --git a/tests/lua/lua-transform-07/test.yaml b/tests/lua/lua-transform-07/test.yaml
new file mode 100644
index 000000000..f58bfd940
--- /dev/null
+++ b/tests/lua/lua-transform-07/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+
+pcap: ../lua-transform-01/test.pcap
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/lua/lua-transform-07/transform.lua b/tests/lua/lua-transform-07/transform.lua
new file mode 100644
index 000000000..d1a93e55e
--- /dev/null
+++ b/tests/lua/lua-transform-07/transform.lua
@@ -0,0 +1,51 @@
+function init (args)
+ local needs = {}
+ return needs
+end
+
+local function get_value(item, key)
+ if string.find(item, key) then
+ local _, value = string.match(item, "(%a+)%s*(%d*)")
+ if value ~= "" then
+ return tonumber(value)
+ end
+ end
+
+ return nil
+end
+
+-- Arguments supported
+local bytes_key = "bytes"
+local offset_key = "offset"
+function transform(input_len, input, argc, args)
+ local bytes = input_len
+ local offset = 0
+
+ -- Look for optional bytes and offset arguments
+ for i, item in ipairs(args) do
+ local value = get_value(item, bytes_key)
+ if value ~= nil then
+ bytes = value
+ else
+ value = get_value(item, offset_key)
+ if value ~= nil then
+ offset = value
+ end
+ end
+ end
+
+ local str_len = #input
+ if offset < 0 or offset > str_len then
+ print("offset is out of bounds: " .. offset)
+ return nil
+ end
+
+ local avail_len = str_len - offset
+ if bytes < 0 or bytes > avail_len then
+ print("invalid bytes " .. bytes .. " or bytes exceeds available length " .. avail_len)
+ return nil
+ end
+
+ local sub = string.sub(input, offset + 1, offset + bytes)
+ return string.upper(sub), bytes
+end
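Review bot: The two bounds-failure paths in transform() return a single `nil`, while lua-transform-05 establishes `nil, 0` as the "buffer unchanged" result and lua-transform-06 indicates that a single return value is not accepted as a transform; as this script is the documented example, those paths should say which outcome they intend, presumably `return nil, 0`. get_value() accepts the key anywhere in the item via `string.find(item, key)` and then parses whichever `(%a+)` word comes first, so an argument like `xbytes 3` would be read as `bytes`; anchoring and comparing the captured word, `local k, value = string.match(item, "^%s*(%a+)%s*(%d*)")` followed by `if k == key and value ~= "" then`, makes the parse exact. Because `%d*` never captures a sign, `offset < 0` and `bytes < 0` can only be true for the defaults, never for a parsed argument; a short comment noting that those checks guard the defaults would save a reader from looking for a negative-argument path.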