Adds tests for negated content and absent keyword

tests/detect-absent-file-multi/README.md

@@ -0,0 +1,18 @@
+# Test Description
+
+Test `absent` keyword with files
+
+## PCAP
+
+Manually crafted with input
+```
+GET /noheaders HTTP/1.0
+
+HTTP/1.0 500 BAD
+Header1: value1
+
+```
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224

tests/detect-absent-file-multi/test.rules

@@ -0,0 +1,10 @@
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; http.stat_code; content: "500"; sid:1;)
+alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;)
+alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;)
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; sid:6;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;)
+
+alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent; http.uri; content: "noheaders"; sid:11;)

tests/detect-absent-file-multi/test.yaml

@@ -0,0 +1,52 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11

tests/detect-absent-http-request-body/README.md

@@ -0,0 +1,14 @@
+# Test Description
+
+Test `absent` keyword with `http.request_body`
+
+## PCAP
+
+Manually crafted with server
+`python3 -m http.server`
+and client
+`curl -X POST http://127.0.0.1:8000/toto`
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224

tests/detect-absent-http-request-body/test.rules

@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; http.method; content: "POST"; sid:1;)
+alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;)
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; sid:5;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;)

tests/detect-absent-http-request-body/test.yaml

@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6

tests/detect-absent-negated-content/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test rules with negated content on buffers that are absent
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224

tests/detect-absent-negated-content/test.rules

@@ -0,0 +1,17 @@
+# This signature should alert with _any_ pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;)
+
+# Positive tests about alerts
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent; sid:9;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or positive content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:"example"; sid:10;)
+
+# reference test with positive and negated content
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent; sid:22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or positive content matches on the positive content"; flow:established,to_server; http.user_agent; absent: or_else; content:"foo"; sid:23;)

tests/detect-absent-negated-content/test.yaml

@@ -0,0 +1,62 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 20
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 21
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 23
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10

tests/rules/absent/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+Test `absent` keyword rule analysis
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224

tests/rules/absent/test.rules

@@ -0,0 +1,3 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)

tests/rules/absent/test.yaml

@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "content"
+ engines[2].matches[1].content.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "pcre"
+ engines[2].matches[1].pcre.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: false
+ engines[2].matches.__len: 1