This commit adds tests for the new Lua transform:
- Basic transform operation
- Ensure non-existent Lua scripts are detected
- Ensure Lua scripts without transform functions are detected
- Ensure Lua scripts properly receive optional transform arguments
Showing
25 changed files
with
211 additions
and
6 deletions.
@@ -0,0 +1 @@ | ||
Lua transform test: returns input buffer in uppercase. The rule will match on the uppercase output |
Binary file not shown.
@@ -0,0 +1 @@ | ||
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;) |
@@ -0,0 +1,14 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- --set default-rule-path=${TEST_DIR} | ||
- --set security.lua.allow-rules=true | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
http.url: /exec_post.php |
@@ -0,0 +1,10 @@ | ||
-- Arguments supported | ||
local bytes_key = "bytes" | ||
local offset_key = "offset" | ||
function transform(input_len, input, argc, args) | ||
local bytes = input_len | ||
local offset = 0 | ||
|
||
local sub = string.sub(input, offset + 1, offset + bytes) | ||
return string.upper(sub), bytes | ||
end |
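Review bot: `bytes_key` and `offset_key` on the two lines before `transform` are never read, so the `-- Arguments supported` header promises argument handling that this fixture does not do; either drop the three lines or make the comment honest with `-- Arguments are ignored: this fixture uppercases the whole buffer`. The same two dead locals are copied into the `no_transform` fixture and the two later `transform` fixtures of this commit that also never read them; only the final script (the one with `get_value`) actually uses the keys. A luacheck run over the fixtures would flag all four.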
@@ -0,0 +1 @@ | ||
Lua transform: Ensure non-existent lua scripts are detected. |
@@ -0,0 +1 @@ | ||
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:no_filetransform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;) |
@@ -0,0 +1,20 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- --set default-rule-path=${TEST_DIR} | ||
- --set security.lua.allow-rules=true | ||
- --set logging.outputs.1.file.type=json | ||
- -T | ||
|
||
exit-code: 1 | ||
|
||
pcap: false | ||
checks: | ||
- filter: | ||
count: 1 | ||
filename: suricata.log | ||
match: | ||
event_type: engine | ||
engine.message.__startswith: "couldn't load file" | ||
engine.message.__find: "no_filetransform.lua: No such file or directory" |
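Review bot: The `__find` match on the last line pins the libc strerror text `No such file or directory`, which varies by platform and locale, so the test is tied to an English Linux environment without gaining coverage. The existing `__startswith: "couldn't load file"` plus `engine.message.__find: "no_filetransform.lua"` already proves that the missing script is the cause of the load failure.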
@@ -0,0 +1 @@ | ||
Lua transform test: ensure lua script has a transform function |
@@ -0,0 +1 @@ | ||
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;) |
@@ -0,0 +1,20 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- --set default-rule-path=${TEST_DIR} | ||
- --set security.lua.allow-rules=true | ||
- --set logging.outputs.1.file.type=json | ||
- -T | ||
|
||
pcap: false | ||
|
||
exit-code: 1 | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
filename: suricata.log | ||
match: | ||
engine.message.__find: "no transform function in script" | ||
event_type: engine |
@@ -0,0 +1,10 @@ | ||
-- Arguments supported | ||
local bytes_key = "bytes" | ||
local offset_key = "offset" | ||
function no_transform(input_len, input, argc, args) | ||
local bytes = input_len | ||
local offset = 0 | ||
|
||
local sub = string.sub(input, offset + 1, offset + bytes) | ||
return string.upper(sub), bytes | ||
end |
@@ -0,0 +1 @@ | ||
Ensure Lua transform receives optional transform function arguments |
@@ -0,0 +1 @@ | ||
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 0, offset 2;content:"EXEC_POST.PHP"; sid:1; rev:1;) |
@@ -0,0 +1,18 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- --set default-rule-path=${TEST_DIR} | ||
- --set security.lua.allow-rules=true | ||
|
||
pcap: ../lua-transform-01/test.pcap | ||
|
||
checks: | ||
|
||
- shell: | ||
args: grep "1 item.* bytes 0" stdout | wc -l | xargs | ||
expect: 1 | ||
|
||
- shell: | ||
args: grep "2 item.* offset 2" stdout| wc -l | xargs | ||
expect: 1 |
@@ -0,0 +1,13 @@ | ||
-- Arguments supported | ||
local bytes_key = "bytes" | ||
local offset_key = "offset" | ||
function transform(input_len, input, argc, args) | ||
offset = 0 | ||
bytes = input_len | ||
for i, item in ipairs(args) do | ||
print(i .. " item: " .. item) | ||
end | ||
|
||
local sub = string.sub(input, offset + 1, offset + bytes) | ||
return string.upper(sub), bytes | ||
end |
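Review bot: `offset = 0` and `bytes = input_len` on the first two lines of `transform` are assigned without `local`, so they land in the script's global table as state shared across every invocation instead of being per-call variables; every other fixture in this commit declares them `local`. Change them to `local offset = 0` and `local bytes = input_len`. The `print` format in the loop is what the accompanying test.yaml greps for, so that line must stay as is.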
@@ -1,8 +1,3 @@ | ||
function init (args) | ||
local needs = {} | ||
return needs | ||
end | ||
|
||
function transform(input_len, input, argc, args) | ||
return nil | ||
return nil, 0 | ||
end |
@@ -0,0 +1 @@ | ||
Lua transform test: transform function returns 1 parameter when 2 are required. |
@@ -0,0 +1 @@ | ||
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua;content:"EXEC_POST.PHP"; sid:1; rev:1;) |
@@ -0,0 +1,16 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- --set default-rule-path=${TEST_DIR} | ||
- --set security.lua.allow-rules=true | ||
|
||
pcap: ../lua-transform-01/test.pcap | ||
|
||
checks: | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
http.url: /exec_post.php |
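Review bot: A `count: 0` filter on its own cannot distinguish the intended failure (the script returning one value instead of two) from any other reason no alert was produced, such as the rule or the sibling pcap failing to load, so the test passes vacuously in both cases. If Suricata logs the short return as an engine error, add a positive check next to it — a `filename: suricata.log` filter on `event_type: engine` with an `engine.message.__find` on that message (take the exact text from the Suricata source; it is not visible in this commit) — the way the two `-T` tests in this commit do for their error cases. If nothing is logged, a check that the rule itself loaded would still turn the vacuous pass into a meaningful one.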
@@ -0,0 +1,11 @@ | ||
-- Arguments supported | ||
local bytes_key = "bytes" | ||
local offset_key = "offset" | ||
function transform(input_len, input, argc, args) | ||
local bytes = input_len | ||
local offset = 0 | ||
|
||
local sub = string.sub(input, offset + 1, offset + bytes) | ||
-- Note -- only one value is returned when 2 are expected: buffer, byte-count | ||
return string.upper(sub) | ||
end |
@@ -0,0 +1,2 @@ | ||
Ensure Lua transform receives optional transform function arguments. The Lua transform script | ||
is also provided as an example in the documentation. |
@@ -0,0 +1 @@ | ||
alert http any any -> any any (msg:"TEST"; http.uri; luaxform:transform.lua, bytes 12, offset 2;content:"XEC_POST.PHP"; sid:1; rev:1;) |
@@ -0,0 +1,16 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- --set default-rule-path=${TEST_DIR} | ||
- --set security.lua.allow-rules=true | ||
|
||
pcap: ../lua-transform-01/test.pcap | ||
|
||
checks: | ||
|
||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 |
@@ -0,0 +1,49 @@ | ||
function init() | ||
end | ||
|
||
local function get_value(item, key) | ||
if string.find(item, key) then | ||
local _, value = string.match(item, "(%a+)%s*(%d*)") | ||
if value ~= "" then | ||
return tonumber(value) | ||
end | ||
end | ||
|
||
return nil | ||
end | ||
|
||
-- Arguments supported | ||
local bytes_key = "bytes" | ||
local offset_key = "offset" | ||
function transform(input_len, input, argc, args) | ||
local bytes = input_len | ||
local offset = 0 | ||
|
||
-- Look for optional bytes and offset arguments | ||
for i, item in ipairs(args) do | ||
local value = get_value(item, bytes_key) | ||
if value ~= nil then | ||
bytes = value | ||
else | ||
value = get_value(item, offset_key) | ||
if value ~= nil then | ||
offset = value | ||
end | ||
end | ||
end | ||
|
||
local str_len = #input | ||
if offset < 0 or offset > str_len then | ||
print("offset is out of bounds: " .. offset) | ||
return nil | ||
end | ||
|
||
local avail_len = str_len - offset | ||
if bytes < 0 or bytes > avail_len then | ||
print("invalid bytes " .. bytes .. " or bytes exceeds available length " .. avail_len) | ||
return nil | ||
end | ||
|
||
local sub = string.sub(input, offset + 1, offset + bytes) | ||
return string.upper(sub), bytes | ||
end |
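Review bot: `get_value` accepts any item that merely contains `key` as a substring and then parses whichever word comes first, so `string.find(item, key)` never verifies that the parsed keyword is the requested one; an item such as `nbytes 5`, or a keyword followed by a non-digit, is silently dropped or attributed to the wrong setting. Since the README says this script doubles as the documentation example, compare the captured keyword with `key` instead of pre-filtering with `find`, as below. Separately, the two early exits in `transform` still `return nil` on their own while this commit changes the existing fixture's error return to `return nil, 0`; if a single return value is what the "1 parameter when 2 are required" test treats as a malformed result, these should become `return nil, 0` as well. Note also that the `print` calls on those error paths run for every buffer the transform is applied to, so a malformed rule argument is reported once per evaluated packet rather than once at load time; acceptable for an example, but worth a comment.
```lua
local function get_value(item, key)
    -- Parse "<keyword> <digits>" and return the number only when the
    -- keyword is exactly `key`; a substring hit elsewhere in the item
    -- is not enough.
    local name, value = string.match(item, "^%s*(%a+)%s*(%d+)")
    if name == key then
        return tonumber(value)
    end
    return nil
end
```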