tests: add rule type check for tcp-window #2104

Closed
2 changes: 2 additions & 0 deletions tests/rules/tcp_window/test.rules
@@ -0,0 +1,2 @@
alert tcp any any -> any any (msg:"TCP window size"; window:30336; sid:1;)
alert tcp any any -> any any (msg:"TCP window size"; tcp.window:!1024; sid:2;)
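Review bot: both rules carry the identical msg "TCP window size", so when one of the two checks fails the report does not say which spelling of the keyword broke; since sid 1 exercises the legacy `window` spelling and sid 2 the `tcp.window` spelling with negation, put that in the msg, e.g. msg:"TCP window size, window keyword" and msg:"TCP window size, tcp.window negated", and add rev:1; to both for consistency with the usual rule style.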
22 changes: 22 additions & 0 deletions tests/rules/tcp_window/test.yaml
@@ -0,0 +1,22 @@
requires:
min-version: 8.0
pcap: false

args:
- --engine-analysis

checks:
- filter:
filename: rules.json
count: 1
match:
id: 1
lists.packet.matches[0].name: "window"
lists.packet.matches[0].window.equql: 30336
Member (inline comment on the `window.equql` line):

typo?
- filter:
filename: rules.json
count: 1
match:
id: 2
lists.packet.matches[0].name: "tcp.window"
lists.packet.matches[0].window.not.equal: 1024
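Review bot: `lists.packet.matches[0].window.equql` in the sid 1 check is a typo for `window.equal`; as written the key never resolves in rules.json, so `count: 1` cannot be met and the test fails regardless of what Suricata emits. The same hunk also expects different `name` values for the two rules ("window" for sid 1, "tcp.window" for sid 2) although both rules use the same keyword; confirm against the rules.json that the engine-analysis run produces under OISF/suricata#12024 that the name really echoes the spelling used in the rule, and likewise that the negated form is reported under a `not.equal` path, rather than assuming either.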
Member:

Hmm, I don't think this will match the Suricata PR. Have you tried running it with your Suricata work? Please note that this PR must pass with your Suricata PR OISF/suricata#12024.

Contributor:

Let us know if you need assistance in how to do that, ok?

Contributor Author @Nancyenos, Oct 24, 2024:

> Let us know if you need assistance in how to do that, ok?

Yes, I need some assistance on how to test. I am using

    python3 ../suricata-verify/run.py tcp_window

Do I need a pcap file in the directory? I have been trying to check the documentation but am not sure. A kick in the right direction will be much appreciated, @jufajardini @inashivb.

Contributor:

> Yes, I need some assistance on how to test. I am using `python3 ../suricata-verify/run.py tcp_window`. Do I need a pcap file in the directory? I have been trying to check the documentation but am not sure. A kick in the right direction will be much appreciated, @jufajardini @inashivb.

When you run that, what do you see? If you ran that from the Suricata directory with patch changes to Suricata, invoking the suricata-verify folder where you have this SV test, you should see the result of Suricata running the test. And as Shivani has pointed out, if the test is still like in this PR, the checks should fail, as these checks won't match the output generated by the patch you've shared. Does this make sense?

You don't need a pcap, as the test.yaml indicates:

requires:
    pcap: false

Contributor:

If you're unsure what the output should look like, you can try running a different test from the tests/rules directory and check what SV reports, and also what the output folder for that specific test contains.
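To make concrete why the sid 1 check in this PR can never pass, here is an added example (not code from suricata-verify or Suricata) of how a `filter` check with `filename: rules.json` is evaluated: each dotted path in `match`, with `[n]` list indexing, is resolved against every JSON record in the file, and the number of records where all keys are equal must be exactly `count`. The two rules.json records are constructed for this example in the shape the test.yaml paths assume; they are not real engine-analysis output, and whether Suricata actually emits `name`/`not.equal` in that shape is exactly what the reviewers above ask the author to verify by running SV.

```python
import json
import re

# Constructed sample: two engine-analysis records shaped the way the test.yaml
# paths in this PR expect. This is NOT real Suricata output.
SAMPLE_RULES_JSON = "\n".join([
    json.dumps({"id": 1, "lists": {"packet": {"matches": [
        {"name": "window", "window": {"equal": 30336}}]}}}),
    json.dumps({"id": 2, "lists": {"packet": {"matches": [
        {"name": "tcp.window", "window": {"not": {"equal": 1024}}}]}}}),
])

# The filter checks exactly as they appear in the PR's test.yaml, including
# the "equql" typo in the sid 1 check.
CHECKS_AS_SUBMITTED = [
    {"count": 1, "match": {
        "id": 1,
        "lists.packet.matches[0].name": "window",
        "lists.packet.matches[0].window.equql": 30336}},
    {"count": 1, "match": {
        "id": 2,
        "lists.packet.matches[0].name": "tcp.window",
        "lists.packet.matches[0].window.not.equal": 1024}},
]

_INDEXED = re.compile(r"^([^\[]+)\[(\d+)\]$")


def lookup(record, path):
    """Resolve a dotted path such as 'lists.packet.matches[0].name'.

    Returns (found, value); found is False when any step is missing, which is
    what happens for a mistyped key like 'window.equql'.
    """
    cur = record
    for part in path.split("."):
        m = _INDEXED.match(part)
        key, idx = (m.group(1), int(m.group(2))) if m else (part, None)
        if not isinstance(cur, dict) or key not in cur:
            return False, None
        cur = cur[key]
        if idx is not None:
            if not isinstance(cur, list) or idx >= len(cur):
                return False, None
            cur = cur[idx]
    return True, cur


def count_matches(records, match):
    """Count records where every path in `match` resolves to the expected value."""
    n = 0
    for rec in records:
        if all(lookup(rec, path) == (True, expected)
               for path, expected in match.items()):
            n += 1
    return n


def run_filter_checks(text, checks):
    """Evaluate filter checks against newline-delimited JSON.

    Returns [(rule id from the check, passed, matched record count), ...].
    """
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    results = []
    for chk in checks:
        got = count_matches(records, chk["match"])
        results.append((chk["match"]["id"], got == chk["count"], got))
    return results


def fix_typo(checks):
    """Return the same checks with 'equql' corrected to 'equal' in the match keys."""
    return [{"count": c["count"],
             "match": {k.replace("equql", "equal"): v for k, v in c["match"].items()}}
            for c in checks]


if __name__ == "__main__":
    for label, checks in (("as submitted", CHECKS_AS_SUBMITTED),
                          ("typo fixed", fix_typo(CHECKS_AS_SUBMITTED))):
        for sid, passed, got in run_filter_checks(SAMPLE_RULES_JSON, checks):
            print(f"{label}: sid {sid} -> {'PASS' if passed else 'FAIL'} ({got} matched)")
```

Even with records shaped exactly as the test wants, the sid 1 check fails because the `equql` key resolves to nothing; after correcting it both checks pass. Against real output, the remaining question is whether the record shape itself matches, which only running SV with the Suricata patch answers.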
