Datajson v3.1

tests/datajson/datajson-01-ip/src.lst

@@ -0,0 +1 @@
+10.16.1.11,{"test": "success","context":3}

tests/datajson/datajson-01-ip/test.rules

@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; content:"testmyids.com"; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)

tests/datajson/datajson-01-ip/test.yaml

@@ -0,0 +1,20 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success

tests/datajson/datajson-02-multiple/host.lst

@@ -0,0 +1 @@
+d3d3LnRlc3RteWlkcy5jb20=,{"context":"gold old test", "year": 2005}

tests/datajson/datajson-02-multiple/src.lst

@@ -0,0 +1 @@
+10.16.1.11,{"test": "success","context":3}

tests/datajson/datajson-02-multiple/test.rules

@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)

tests/datajson/datajson-02-multiple/test.yaml

@@ -0,0 +1,21 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success
+        alert.extra.bad_host.year: 2005

tests/datajson/datajson-04-hashes/badmd5.lst

@@ -0,0 +1 @@
+b65d49730d16e5a8a7b2ab95350848b8,{"year": 2007, "where": "home"}

tests/datajson/datajson-04-hashes/badsha.lst

@@ -0,0 +1,2 @@
+e0ca4ff795b3f32d45260678e4ab79884793c05a149f2b350d10274451dc210a,{"year":2005,"where":"internet"}
+#E0CA4FF795B3F32D45260678E4AB79884793C05A149F2B350D10274451DC210A,{"year":2005,"where":"internet"}

tests/datajson/datajson-04-hashes/badsha1.lst

@@ -0,0 +1 @@
+6951a4eb86e09aac29a003a35ee4d6b4a8468a6e,{"year":2006,"where":"internet"}

tests/datajson/datajson-04-hashes/test.rules

@@ -0,0 +1,2 @@
+alert http any any -> any any (flow:established,to_server; http.host; content: "testmyids"; to_sha256; datajson:isset,badcat,type sha256,load badsha.lst,key bad_sha; sid:1; rev:1;)
+alert http any any -> any any (flow:established,to_server; http.host; content: "testmyids"; to_md5; datajson:isset,badmd5,type md5,load badmd5.lst,key bad_md5; sid:2; rev:1;)

tests/datajson/datajson-04-hashes/test.yaml

@@ -0,0 +1,26 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.bad_sha.year: 2005
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        alert.extra.bad_md5.year: 2007

tests/datajson/datajson-05-duplicate/host.lst

@@ -0,0 +1,2 @@
+d3d3LnRlc3RteWlkcy5jb20=,{"context":"good old test", "year": 2005}
+d3d3LnRlc3RteWlkcy5jb20=,{"context":"gold old test", "year": 2006}

tests/datajson/datajson-05-duplicate/src.lst

@@ -0,0 +1,2 @@
+10.16.1.11,{"test": "success","context":1}
+10.16.1.11,{"test": "fail","context":2}

tests/datajson/datajson-05-duplicate/test.rules

@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)

tests/datajson/datajson-05-duplicate/test.yaml

@@ -0,0 +1,21 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success
+        alert.extra.bad_host.year: 2005

tests/datajson/datajson-06-valid-json/host.lst

@@ -0,0 +1 @@
+d3d3LnRlc3RteWlkcy5jb20=,"context"

tests/datajson/datajson-06-valid-json/ip.lst

@@ -0,0 +1,2 @@
+10.16.1.12,1.2
+10.16.1.11,42

tests/datajson/datajson-06-valid-json/ip2.lst

@@ -0,0 +1 @@
+10.16.1.11,1.2

tests/datajson/datajson-06-valid-json/test.rules

@@ -0,0 +1,2 @@
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,bip2,type ipv6,load ip2.lst,key ip; sid:2;)

tests/datajson/datajson-06-valid-json/test.yaml

@@ -0,0 +1,28 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.ip: 42
+        alert.extra.bad_host: context
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        alert.extra.ip: 1.2
+        alert.extra.bad_host: context

tests/datajson/datajson-07-dataset/host.lst

@@ -0,0 +1 @@
+d3d3LnRlc3RteWlkcy5jb20=

tests/datajson/datajson-07-dataset/ip.lst

@@ -0,0 +1 @@
+10.16.1.11

tests/datajson/datajson-07-dataset/test.rules

@@ -0,0 +1,2 @@
+alert http any any -> any any (flow:established,to_server; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; sid:2;)

tests/datajson/datajson-07-dataset/test.yaml

@@ -0,0 +1,10 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+exit-code: 1

tests/datajson/datajson-08-invalid-json/ip.lst

@@ -0,0 +1,2 @@
+10.16.1.12,42
+10.16.1.11,kjefe ef fef

tests/datajson/datajson-08-invalid-json/test.rules

@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)

tests/datajson/datajson-08-invalid-json/test.yaml

@@ -0,0 +1,10 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+exit-code: 1

tests/datajson/datajson-09-jsonformat/hosts-direct.json

@@ -0,0 +1 @@
+[ {"context":"gold old test", "year": 2005, "host": "www.testmyids.com"} ]

tests/datajson/datajson-09-jsonformat/hosts-nested-key.json

@@ -0,0 +1,21 @@
+{
+  "info": {
+    "threat": [
+      {
+        "context": "gold old test",
+        "year": 2005,
+        "host": {
+          "fqdn": "www.testmyids.com",
+          "domain": "testmyids.com"
+        }
+      },
+      {
+        "context": "old test",
+        "year": 2023,
+        "host": {
+          "domain": "testmyids.com"
+        }
+      }
+    ]
+  }
+}

tests/datajson/datajson-09-jsonformat/hosts-nested.json

@@ -0,0 +1 @@
+{ "info": {"threat": [ {"context":"gold old test", "year": 2005, "host": "www.testmyids.com"} ] } }

tests/datajson/datajson-09-jsonformat/hosts.json

@@ -0,0 +1 @@
+{"threat": [ {"context":"gold old test", "year": 2005, "host": "www.testmyids.com"} ] }

tests/datajson/datajson-09-jsonformat/src.json

@@ -0,0 +1,3 @@
+[
+    {"ip": "10.16.1.11", "test": "success","context":3}
+]

tests/datajson/datajson-09-jsonformat/test.rules

@@ -0,0 +1,7 @@
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load hosts.json,key bad_host,json_key host, array_key threat; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:1;)
+
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,dbadhost,type string,load hosts-direct.json,key dbad_host,json_key host; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:2;)
+
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,nbadhost,type string,load hosts-nested.json,key nbad_host,json_key host, array_key info.threat; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:3;)
+
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,nkbadhost,type string,load hosts-nested-key.json,key nkbad_host,json_key host.fqdn, array_key info.threat; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:4;)

tests/datajson/datajson-09-jsonformat/test.yaml

@@ -0,0 +1,43 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success
+        alert.extra.bad_host.year: 2005
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        alert.extra.src_ip.test: success
+        alert.extra.dbad_host.year: 2005
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+        alert.extra.src_ip.test: success
+        alert.extra.nbad_host.year: 2005
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+        alert.extra.src_ip.test: success
+        alert.extra.nkbad_host.year: 2005
+        alert.extra.nkbad_host.host.domain: testmyids.com

tests/detect-pcre/detect-pcre-06/test.rules

@@ -0,0 +1,5 @@
+alert http any any -> any any (http.user_agent; pcre:"/^(?P<alert_ua>[a-zA-Z]+)/"; priority:1; sid:1;)
+alert http any any -> any any (http.user_agent; pcre:"/^([a-zA-Z]+).*Ubuntu\/(\d+\.\d).*Firefox\/(.*)/ ,alert:user_agent, flow:ubuntu, pkt:firefox"; sid:2;)
+# Shouldn't match
+alert http any any -> any any (msg:"pcre flowvar http header, user-agent, no match"; content:"User-Agent: "; http_header; pcre:"/(?P<alert_ua>.*)\r\n/HR"; content:"xyz"; http_header; priority:1; sid:3;)
+alert http any any -> any any (msg:"pcre flowvar http header, server, no match"; content:"Server: "; http_header; pcre:"/(?P<alert_ua>.*)\r\n/HR"; content:"xyz"; http_header; priority:3; sid:4;)

tests/detect-pcre/detect-pcre-06/test.yaml

@@ -0,0 +1,41 @@
+pcap: ../detect-pcre-05/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      alert.extra.ua: Mozilla
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+      alert.extra.user_agent: Mozilla
+      metadata.flowvars[0].ubuntu: "8.1"
+      metadata.pktvars[0].firefox: "3.0.13"
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 4