From d4923760dfebcb2dd7c1d03a627a879b7688eb28 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Fri, 27 Feb 2026 15:40:49 -0600
Subject: [PATCH 1/3] misc: shell check requires cleanups
- Move require expressions in shell check to requires object
- Error if an unknown key is provided in a shell check
---
run.py | 16 +++++-----------
tests/bug-6278-2/test.yaml | 3 ++-
tests/datarep-03-bad-reputation/test.yaml | 9 ++++++---
tests/pcre-invalid-rule-01/test.yaml | 3 ++-
.../udp-hlen-invalid-non-strict/test.yaml | 3 ++-
tests/udp-5379/udp-hlen-invalid-strict/test.yaml | 3 ++-
6 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/run.py b/run.py
index 21e65a117..d017c2f47 100755
--- a/run.py
+++ b/run.py
@@ -483,6 +483,9 @@ def run(self):
 class ShellCheck:
 def __init__(self, config, env, suricata_config, output_dir, test_dir):
+ for key in config:
+ if key not in ["requires", "args", "expect"]:
+ raise Exception("Unexpected key in shell check: {}".format(key))
 self.config = config
 self.env = env
 self.suricata_config = suricata_config
@@ -490,19 +493,10 @@ def __init__(self, config, env, suricata_config, output_dir, test_dir):
 self.script_cwd = test_dir
 def run(self):
- shell_args = {}
 if not self.config or "args" not in self.config:
 raise TestError("shell check missing args")
- req_version = self.config.get("version")
- min_version = self.config.get("min-version")
- lt_version = self.config.get("lt-version")
- if req_version is not None:
- shell_args["version"] = req_version
- if min_version is not None:
- shell_args["min-version"] = min_version
- if lt_version is not None:
- shell_args["lt-version"] = lt_version
- check_requires(shell_args, self.suricata_config, self.script_cwd)
+ requires = self.config.get("requires", {})
+ check_requires(requires, self.suricata_config, self.script_cwd)
 try:
 if WIN32:
diff --git a/tests/bug-6278-2/test.yaml b/tests/bug-6278-2/test.yaml
index 6b7aee4b4..7120b45a6 100644
--- a/tests/bug-6278-2/test.yaml
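Review bot: The new `for key in config:` loop in ShellCheck.__init__ runs before run()'s `if not self.config` guard, so a shell check written as a bare `- shell:` (config loads as None) now dies with a TypeError from iterating None instead of the intended `TestError("shell check missing args")`; `for key in (config or {}):` keeps that guard reachable. The loop also raises a plain `Exception` while the neighbouring validation in run() raises `TestError`, so a misspelled key surfaces differently from a missing `args:` — unless construction-time errors are deliberately meant to abort the whole run (not visible here), `raise TestError("Unexpected key in shell check: {}".format(key))` would be consistent. The remainder of `__init__` lies outside the hunk.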
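Review bot: The mapping fetched by the new `requires = self.config.get("requires", {})` line goes straight into check_requires without the allow-list validation the commit adds one level up, so a typo inside `requires:` (say `min-verison: 7`) is only caught if check_requires itself rejects unknown keys, which cannot be seen from this hunk; otherwise the version gate silently vanishes and the check runs against every Suricata version. A YAML `requires:` with no value also loads as None, which a `.get` default does not cover; `requires = self.config.get("requires") or {}` handles both the absent and the empty form. Worth either confirming that check_requires validates its keys or applying the same allow-list to the nested mapping here. The body of run() continues past the end of the hunk.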
+++ b/tests/bug-6278-2/test.yaml @@ -10,4 +10,5 @@ checks: - shell: args: grep -c 'no user name was provided - ensure it is specified either in the configuration file (run-as.user) or in command-line arguments (--user)' stderr expect: 1 - min-version: 7 + requires: + min-version: 7 diff --git a/tests/datarep-03-bad-reputation/test.yaml b/tests/datarep-03-bad-reputation/test.yaml index e72aea0e3..061650e37 100644 --- a/tests/datarep-03-bad-reputation/test.yaml +++ b/tests/datarep-03-bad-reputation/test.yaml @@ -9,14 +9,17 @@ args: checks: - shell: - min-version: 8 + requires: + min-version: 8 args: grep "invalid datarep value" suricata.log | wc -l | xargs expect: 1 - shell: - lt-version: 8 + requires: + lt-version: 8 args: grep "is not a valid reputation value" suricata.log | wc -l | xargs expect: 1 - shell: - lt-version: 8 + requires: + lt-version: 8 args: grep "bad rep for dataset" suricata.log | wc -l | xargs expect: 1 diff --git a/tests/pcre-invalid-rule-01/test.yaml b/tests/pcre-invalid-rule-01/test.yaml index 996b4f9a7..e594fbd3e 100644 --- a/tests/pcre-invalid-rule-01/test.yaml +++ b/tests/pcre-invalid-rule-01/test.yaml @@ -26,7 +26,8 @@ checks: expect: 1 - shell: - min-version: 7 + requires: + min-version: 7 args: grep -o "use a sticky.*\"data from tracked files" suricata.log | wc -l | xargs expect: 1 diff --git a/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml b/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml index 382f235ad..853741c04 100644 --- a/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml +++ b/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml @@ -10,7 +10,8 @@ command: | checks: - shell: - version: 7 + requires: + version: 7 args: |- grep "Warning: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l expect: 1 diff --git a/tests/udp-5379/udp-hlen-invalid-strict/test.yaml b/tests/udp-5379/udp-hlen-invalid-strict/test.yaml index fed9fc304..a1634a3b3 100644 
--- a/tests/udp-5379/udp-hlen-invalid-strict/test.yaml +++ b/tests/udp-5379/udp-hlen-invalid-strict/test.yaml @@ -9,7 +9,8 @@ command: | checks: - shell: - version: 7 + requires: + version: 7 args: |- grep "Error: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l expect: 1 From b9e2bc1f29728bd4cb77b6edeefe5a0d791f2b87 Mon Sep 17 00:00:00 2001 
From: Jason Ish Date: Fri, 27 Feb 2026 16:05:49 -0600 Subject: [PATCH 2/3] misc: filter check requires cleanups - Move require expressions in filter check to requires object - Error if an unknown key is provided in a filter check --- run.py | 15 ++---- .../test.yaml | 51 +++++++++++-------- .../test.yaml | 50 ++++++++++-------- .../test.yaml | 33 +++++++----- tests/app-layer-template/test.yaml | 3 +- tests/bittorrent-dht/test.yaml | 6 ++- tests/bug-1449-01/test.yaml | 6 ++- tests/bug-1450-02/test.yaml | 3 +- tests/bug-2491-02/test.yaml | 14 ++--- tests/bug-4663-02/test.yaml | 3 +- tests/bug-4663-03/test.yaml | 3 +- tests/bug-4663/test.yaml | 3 +- tests/bug-4877/test.yaml | 3 +- tests/bug-4953/test.yaml | 9 ++-- tests/bug-5162/test.yaml | 3 +- tests/bug-5464-verdict-05/test.yaml | 12 +++-- tests/datasets-invalid-encoding/test.yaml | 6 ++- .../datarep-bad-datarep-string/test.yaml | 3 +- .../datarep-bad-datarep-value/test.yaml | 3 +- tests/dcerpc-smb-fail/test.yaml | 3 +- tests/dcerpc/dcerpc-dce-iface-01/test.yaml | 6 ++- tests/dcerpc/dcerpc-dce-iface-02/test.yaml | 3 +- tests/dcerpc/dcerpc-dce-opnum/test.yaml | 3 +- tests/dcerpc/dcerpc-dce-stub-data/test.yaml | 3 +- tests/decode-too-small/test.yaml | 3 +- tests/decode-unknown-2/test.yaml | 8 +-- .../defrag/bug-6887-defrag-ipv6-tcp/test.yaml | 3 +- tests/dhcp-eve-extended/test.yaml | 9 ++-- tests/dnp3/dnp3-dnp3_obj-alert/test.yaml | 3 +- tests/dns-over-http2/test.yaml | 3 +- tests/dns-reversed-udp-1/test.yaml | 4 +- .../task-7018-dns-ips-stream-rule/test.yaml | 30 +++++++---- .../task-7018-ids-dns-stream-rule/test.yaml | 12 +++-- tests/dns/v2/dns-invalid-opcode/test.yaml | 6 ++- .../test.yaml | 18 ++++--- .../test.yaml | 12 +++-- .../test.yaml | 18 ++++--- tests/enip-keywords/test.yaml | 6 ++- tests/eve-flow-vlan-02/test.yaml | 6 +-- tests/eve-flow-vlan/test.yaml | 4 +- tests/eve-payload-07-http-gap/test.yaml | 15 ++++-- tests/exception-policy-applayer-02/test.yaml | 6 ++- tests/exception-policy-default-02/test.yaml | 
3 +- tests/exception-policy-default-03/test.yaml | 23 ++++++--- tests/exception-policy-default-04/test.yaml | 3 +- .../test.yaml | 6 ++- .../test.yaml | 3 +- .../test.yaml | 3 +- .../test.yaml | 6 ++- .../test.yaml | 3 +- .../test.yaml | 6 ++- .../test.yaml | 6 ++- tests/exception-policy-midstream-01/test.yaml | 6 ++- tests/exception-policy-midstream-02/test.yaml | 9 ++-- tests/exception-policy-midstream-03/test.yaml | 3 +- tests/exception-policy-midstream-04/test.yaml | 6 ++- tests/exception-policy-midstream-05/test.yaml | 6 ++- tests/exception-policy-midstream-06/test.yaml | 6 ++- tests/exception-policy-midstream-07/test.yaml | 3 +- .../test.yaml | 6 ++- tests/filestore-alert-log/test.yaml | 3 +- tests/ftp-epsv/test.yaml | 3 +- tests/ftp/ftp-too-long-command/test.yaml | 9 ++-- tests/ftp/ftp-too-long-response/test.yaml | 6 ++- tests/http-gap-simple-frames/test.yaml | 3 +- tests/http-not09/test.yaml | 6 ++- .../http-xff-eve-forward-extra-data/test.yaml | 3 +- .../http-xff-eve-reverse-extra-data/test.yaml | 3 +- tests/http2-errorcode/test.yaml | 3 +- tests/http2-upgrade/test.yaml | 3 +- tests/ikev2-weak-dh/test.yaml | 3 +- tests/krb5-kerberoasting/test.yaml | 3 +- tests/krb5-request-frag-log/test.yaml | 4 +- tests/nfs3-01/test.yaml | 24 ++++++--- tests/output-eve-tftp-01/test.yaml | 3 +- .../pgsql/pgsql-pwd-output-disabled/test.yaml | 3 +- tests/rfb-protocol-3.3/test.yaml | 3 +- tests/rules/ftpbounce/test.yaml | 6 ++- tests/rules/icmp_id/test.yaml | 6 ++- tests/rules/tcp-seq-keyword/test.yaml | 12 +++-- tests/rules/tcp_ack/test.yaml | 18 ++++--- tests/rules/tcp_window/test.yaml | 12 +++-- tests/sip-pattern-matching/test.yaml | 6 ++- tests/sip-tcp-method/test.yaml | 9 ++-- tests/sip-tcp-pattern-matching/test.yaml | 9 ++-- tests/sip-tcp-protocol/test.yaml | 15 ++++-- tests/sip-tcp-request-line/test.yaml | 9 ++-- tests/sip-tcp-response-line/test.yaml | 9 ++-- tests/sip-tcp-stat-code/test.yaml | 9 ++-- tests/sip-tcp-stat-msg/test.yaml | 9 ++-- 
tests/sip-tcp-uri/test.yaml | 9 ++-- tests/smb-eicar-file/test.yaml | 3 +- tests/smb2-07/test.yaml | 6 ++- tests/smtp-eve/test.yaml | 3 +- tests/smtp-tls-protodetect/test.yaml | 9 ++-- tests/snmp-v3-encrypted/test.yaml | 3 +- .../http/stream-async-6063-srv-01/test.yaml | 6 ++- .../http/stream-async-6063-srv-02/test.yaml | 6 ++- tests/stream-depth-reached-event/test.yaml | 3 +- .../tcp-fastopen-10-syn-data-ignore/test.yaml | 12 +++-- tests/test-bad-byte-extract-rule-1/test.yaml | 3 +- tests/test-bad-byte-extract-rule-2/test.yaml | 3 +- .../test-bad-content-quotes-rule-1/test.yaml | 3 +- tests/test-bad-depth-depth-rule-1/test.yaml | 3 +- .../test-bad-depth-distance-rule-1/test.yaml | 3 +- .../test-bad-depth-distance-rule-2/test.yaml | 3 +- tests/test-bad-depth-rule-1/test.yaml | 3 +- tests/test-bad-depth-within-rule-1/test.yaml | 3 +- tests/test-bad-depth-within-rule-2/test.yaml | 3 +- tests/test-bad-hex-rule-1/test.yaml | 6 ++- tests/test-bad-hex-rule-2/test.yaml | 3 +- tests/test-bad-hex-rule-3/test.yaml | 3 +- tests/test-bad-http-host-rule-1/test.yaml | 6 ++- tests/test-bad-http-host-rule-2/test.yaml | 6 ++- .../test.yaml | 3 +- .../test-bad-offset-distance-rule-1/test.yaml | 3 +- tests/test-bad-offset-offset-rule-1/test.yaml | 3 +- tests/test-bad-offset-within-rule-1/test.yaml | 3 +- .../test-bad-quotation-marks-rule-1/test.yaml | 3 +- .../test.yaml | 3 +- tests/test-bad-semicolon-rule-1/test.yaml | 3 +- tests/test-bad-semicolon-rule-2/test.yaml | 3 +- tests/test-bad-within-within-rule-1/test.yaml | 3 +- tests/tls/tls-eve-custom-fields/test.yaml | 6 ++- .../util-action-01/test.yaml | 3 +- .../util-action-02/test.yaml | 3 +- .../util-action-05/test.yaml | 3 +- .../util-action-09/test.yaml | 3 +- .../util-action-10/test.yaml | 3 +- .../util-action-11/test.yaml | 3 +- .../util-action-12/test.yaml | 3 +- .../util-action-14/test.yaml | 3 +- .../util-action-15/test.yaml | 3 +- tests/vxlan-decoder-03/test.yaml | 9 ++-- 134 files changed, 588 insertions(+), 326 
deletions(-)
diff --git a/run.py b/run.py
index d017c2f47..563f2ec9a 100755
--- a/run.py
+++ b/run.py
@@ -533,6 +533,9 @@ def run(self):
 class FilterCheck:
 def __init__(self, config, outdir, suricata_config, test_version, script_cwd=None):
+ for key in config:
+ if key not in ["count", "match", "filename", "requires"]:
+ raise Exception("Unexpected key in filter check: {}".format(key))
 self.config = config
 self.outdir = outdir
 self.suricata_config = suricata_config
@@ -542,19 +545,7 @@ def __init__(self, config, outdir, suricata_config, test_version, script_cwd=Non
 def run(self):
 requires = self.config.get("requires", {})
- req_version = self.config.get("version")
- min_version = self.config.get("min-version")
- lt_version = self.config.get("lt-version")
- if req_version is not None:
- requires["version"] = req_version
- if min_version is not None:
- requires["min-version"] = min_version
- if lt_version is not None:
- requires["lt-version"] = lt_version
 check_filter_test_version_compat(requires, self.test_version)
- feature = self.config.get("feature")
- if feature is not None:
- requires["features"] = [feature]
 check_requires(requires, self.suricata_config, self.script_cwd)
 if "filename" in self.config:
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml
index 59ada7e81..fca1e5794 100644
--- a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml
+++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml
@@ -9,8 +9,9 @@ pcap: ../alert-max-append-higher-priority/input.pcap
 checks:
 # Sub-test 1
 - filter:
- lt-version: 8.0.4
- gt-version: 8.0.4
+ requires:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
 count: 1
 match:
 event_type: alert
@@ -20,8 +21,9 @@ checks:
 verdict.action: drop
 # Sub-test 2
 - filter:
- lt-version: 8.0.4
- gt-version: 8.0.4
+ requires:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
 count: 1
 match:
 event_type: alert
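Review bot: The allow-list added to FilterCheck.__init__ rejects the top-level keys this commit retires (`version`, `min-version`, `lt-version`, `feature`, and the `comment` key the YAML hunks turn into `#` comments) with only "Unexpected key in filter check: feature", which tells an author nothing about where the key moved; a targeted branch ahead of the generic check, e.g. `if key in ("version", "min-version", "lt-version", "feature"): raise Exception("{} must now be placed under 'requires'".format(key))`, would make the failure self-explanatory, and the same applies to the parallel check in ShellCheck. The message also never says which test the offending check belongs to, and `script_cwd` is at hand in this constructor to identify it. Both constructors now carry a near-identical inline list and a bare `Exception`, so a module-level tuple per check type and one shared helper would keep the two validations from drifting apart. The remainder of `__init__` lies outside the hunk.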
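Review bot: With the legacy version and `feature` keys no longer merged in, `check_filter_test_version_compat(requires, self.test_version)` and check_requires now receive exactly what the test wrote under `requires:`, and an empty `requires:` mapping in YAML loads as None, which the surviving `self.config.get("requires", {})` does not default away — both helpers would then be handed None. `requires = self.config.get("requires") or {}` covers the absent and the empty form alike. Dropping the in-place mutation of the test's own `requires` dict is a welcome side effect of this hunk and could be mentioned in the commit message. The rest of run(), including the `filename` branch, continues past the end of the hunk.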
@@ -31,10 +33,11 @@ checks: verdict.action: drop # Sub-test 3 - filter: - # suricata 7 doesn't show this alert. - # if we don't drop the flow, it matches against the stream - # (pkt_srt: stream (flow timeout)) - min-version: 8.0.4 + requires: + # suricata 7 doesn't show this alert. + # if we don't drop the flow, it matches against the stream + # (pkt_srt: stream (flow timeout)) + min-version: 8.0.4 count: 1 match: event_type: alert @@ -44,18 +47,20 @@ checks: verdict.action: drop # Sub-test 4 - filter: - # suricata 8 doesn't show this alert - lt-version: 8.0 + requires: + # suricata 8 doesn't show this alert + lt-version: 8.0 count: 1 match: event_type: alert alert.signature_id: 4 # Sub-test 5 - filter: - # suricata 7 doesn't show this alert. - # if we don't drop the flow, it matches against the stream - # (pkt_srt: stream (flow timeout)) - lt-version: 8.0 + requires: + # suricata 7 doesn't show this alert. + # if we don't drop the flow, it matches against the stream + # (pkt_srt: stream (flow timeout)) + lt-version: 8.0 count: 0 match: event_type: alert @@ -65,7 +70,8 @@ checks: verdict.action: drop # Sub-test 6 - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 0 match: event_type: alert @@ -78,8 +84,9 @@ checks: alert.signature_id: 5 # Sub-test 8 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: drop @@ -94,9 +101,10 @@ checks: flow.action: drop # Sub-test 10 - filter: - # as suricata 7 won't have a match for sid 3, - # the overflow check fails for 7 - min-version: 8.0.4 + requires: + # as suricata 7 won't have a match for sid 3, + # the overflow check fails for 7 + min-version: 8.0.4 count: 1 match: event_type: stats @@ -108,7 +116,8 @@ checks: stats.ips.drop_reason.rules: 1 # Sub-test 11 - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: event_type: stats 
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml index f8204218e..5dd50fc63 100644 --- a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml @@ -7,16 +7,18 @@ args: checks: # Subtest 1 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 0 match: event_type: alert alert.signature_id: 1 # Subtest 2 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: alert @@ -26,8 +28,9 @@ checks: verdict.action: drop # Subtest 3 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: alert @@ -38,16 +41,18 @@ checks: # Subtest 4 # Matches, but not enough space in packet alert queue - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 0 match: event_type: alert alert.signature_id: 4 # Subtest 5 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: alert @@ -58,16 +63,18 @@ checks: # Subtest 6 # Matches, but not enough space in packet alert queue - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 0 match: event_type: alert alert.signature_id: 6 # Subtest 7 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: drop @@ -75,8 +82,9 @@ checks: drop.reason: rules # Subtest 8 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: drop 
@@ -84,16 +92,18 @@ checks: drop.reason: "flow drop" # Subtest 9 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: flow flow.action: "drop" # Subtest 10 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: stats diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml index 7a406cc87..3e57e7c4e 100644 --- a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml @@ -7,8 +7,9 @@ args: checks: # Sub-test 1 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: alert @@ -17,8 +18,9 @@ checks: verdict.action: drop # Sub-test 2 - filter: - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: alert @@ -27,8 +29,9 @@ checks: verdict.action: drop # Sub-test 3 - filter: - # as with drop-5180-01 test, 7.0.x doesn't show this alert - min-version: 8.0.4 + requires: + # as with drop-5180-01 test, 7.0.x doesn't show this alert + min-version: 8.0.4 count: 1 match: event_type: alert @@ -37,8 +40,9 @@ checks: verdict.action: drop # Sub-test 4 - filter: - # as with drop-5180-01 test, 7.0.x shows this alert - lt-version: 8.0 + requires: + # as with drop-5180-01 test, 7.0.x shows this alert + lt-version: 8.0 count: 1 match: event_type: alert @@ -51,9 +55,10 @@ checks: alert.signature_id: 5 # Sub-test 6 - filter: - min-version: 8.0.4 - lt-version: 8.0.4 - gt-version: 8.0.4 + requires: + min-version: 8.0.4 + lt-version: 8.0.4 + gt-version: 8.0.4 count: 1 match: event_type: drop 
@@ -66,7 +71,8 @@ checks: flow.action: drop # Sub-test 8 - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 1 match: event_type: stats @@ -78,7 +84,8 @@ checks: stats.ips.drop_reason.rules: 1 # Sub-test 9 - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: event_type: stats diff --git a/tests/app-layer-template/test.yaml b/tests/app-layer-template/test.yaml index 05b3b2b0b..96c42f4be 100644 --- a/tests/app-layer-template/test.yaml +++ b/tests/app-layer-template/test.yaml @@ -4,7 +4,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: dest_ip: 10.16.1.10 diff --git a/tests/bittorrent-dht/test.yaml b/tests/bittorrent-dht/test.yaml index 79fee6688..71d728867 100644 --- a/tests/bittorrent-dht/test.yaml +++ b/tests/bittorrent-dht/test.yaml @@ -296,7 +296,8 @@ checks: src_ip: 190.0.0.1 src_port: 40000 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: bittorrent_dht.request.id: 6162636465666768696a30313233343536373839 @@ -312,7 +313,8 @@ checks: src_port: 20000 ip_v: 4 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: anomaly.app_proto: bittorrent-dht diff --git a/tests/bug-1449-01/test.yaml b/tests/bug-1449-01/test.yaml index cb03094fc..e310f33b4 100644 --- a/tests/bug-1449-01/test.yaml +++ b/tests/bug-1449-01/test.yaml @@ -5,14 +5,16 @@ checks: event_type: alert alert.signature_id: 2220017 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: smtp smtp.helo: bug.client email.status: PARSE_ERROR - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: smtp diff --git a/tests/bug-1450-02/test.yaml b/tests/bug-1450-02/test.yaml index 32e76c53d..7c42516a8 100644 --- a/tests/bug-1450-02/test.yaml +++ b/tests/bug-1450-02/test.yaml @@ -10,7 +10,8 @@ checks: event_type: alert alert.signature_id: 2230003 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert 
diff --git a/tests/bug-2491-02/test.yaml b/tests/bug-2491-02/test.yaml index 91421b151..8caeb30b0 100644 --- a/tests/bug-2491-02/test.yaml +++ b/tests/bug-2491-02/test.yaml @@ -9,28 +9,32 @@ checks: match: event_type: alert - filter: - min-version: 8.0 + requires: + min-version: 8.0 count: 1 match: event_type: alert alert.signature_id: 1 pcap_cnt: 2 - filter: - min-version: 8.0 + requires: + min-version: 8.0 count: 1 match: event_type: alert alert.signature_id: 2 pcap_cnt: 2 - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: event_type: alert alert.signature_id: 1 pcap_cnt: 11 - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: event_type: alert @@ -59,5 +63,3 @@ checks: tcp.state: close_wait tcp.ts_max_regions: 1 tcp.tc_max_regions: 1 - - diff --git a/tests/bug-4663-02/test.yaml b/tests/bug-4663-02/test.yaml index 6fdfb708d..64844c979 100644 --- a/tests/bug-4663-02/test.yaml +++ b/tests/bug-4663-02/test.yaml @@ -8,7 +8,8 @@ checks: event_type: flow flow.alerted: true - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/bug-4663-03/test.yaml b/tests/bug-4663-03/test.yaml index ffbf5c862..f212cf047 100644 --- a/tests/bug-4663-03/test.yaml +++ b/tests/bug-4663-03/test.yaml @@ -17,7 +17,8 @@ checks: match: event_type: flow - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/bug-4663/test.yaml b/tests/bug-4663/test.yaml index dab8c7f8a..1a3bc7e0d 100644 --- a/tests/bug-4663/test.yaml +++ b/tests/bug-4663/test.yaml @@ -18,7 +18,8 @@ checks: match: event_type: drop - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/bug-4877/test.yaml b/tests/bug-4877/test.yaml index 06c8de74e..69137ac14 100644 --- a/tests/bug-4877/test.yaml +++ b/tests/bug-4877/test.yaml 
@@ -71,7 +71,8 @@ checks: dest_ip: 192.168.100.230 dest_port: 20 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: app_proto: ftp-data diff --git a/tests/bug-4953/test.yaml b/tests/bug-4953/test.yaml index 761f6cea8..244950f11 100644 --- a/tests/bug-4953/test.yaml +++ b/tests/bug-4953/test.yaml @@ -3,12 +3,14 @@ args: checks: - filter: - min-version: 6 + requires: + min-version: 6 count: 3 match: event_type: fileinfo - filter: - min-version: 6 + requires: + min-version: 6 count: 1 match: event_type: fileinfo @@ -25,7 +27,8 @@ checks: fileinfo.state: CLOSED fileinfo.size: 676 - filter: - min-version: 6 + requires: + min-version: 6 count: 1 match: event_type: fileinfo diff --git a/tests/bug-5162/test.yaml b/tests/bug-5162/test.yaml index 169cd4101..82e607b42 100644 --- a/tests/bug-5162/test.yaml +++ b/tests/bug-5162/test.yaml @@ -3,7 +3,8 @@ args: checks: - filter: - min-version: 6 + requires: + min-version: 6 count: 1445 match: event_type: dcerpc diff --git a/tests/bug-5464-verdict-05/test.yaml b/tests/bug-5464-verdict-05/test.yaml index 848e6a618..6ac53586b 100644 --- a/tests/bug-5464-verdict-05/test.yaml +++ b/tests/bug-5464-verdict-05/test.yaml @@ -8,7 +8,8 @@ pcap: ../alert-max/alert-max-append-higher-priority/input.pcap checks: # Subtest 1 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert @@ -16,7 +17,8 @@ checks: verdict.action: alert # Subtest 2 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert @@ -24,7 +26,8 @@ checks: verdict.action: pass # Subtest 3 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert @@ -32,7 +35,8 @@ checks: verdict.action: pass # Subtest 4 - filter: - min-version: 7 + requires: + min-version: 7 count: 0 match: event_type: alert diff --git a/tests/datasets-invalid-encoding/test.yaml b/tests/datasets-invalid-encoding/test.yaml index 552666382..7ee9f4a76 100644 
--- a/tests/datasets-invalid-encoding/test.yaml +++ b/tests/datasets-invalid-encoding/test.yaml @@ -7,7 +7,8 @@ exit-code: 1 checks: - filter: - min-version: 8 + requires: + min-version: 8 filename: suricata.json count: 1 match: @@ -16,7 +17,8 @@ checks: engine.message.__find: "bad base64 encoding ua-seen" engine.module: "debug" - filter: - lt-version: 8 + requires: + lt-version: 8 filename: suricata.json count: 1 match: diff --git a/tests/datasets/datarep-bad-datarep-string/test.yaml b/tests/datasets/datarep-bad-datarep-string/test.yaml index e4a889010..de11bbba5 100644 --- a/tests/datasets/datarep-bad-datarep-string/test.yaml +++ b/tests/datasets/datarep-bad-datarep-string/test.yaml @@ -7,7 +7,8 @@ exit-code: 1 checks: - filter: - min-version: 8 + requires: + min-version: 8 filename: suricata.json count: 1 match: diff --git a/tests/datasets/datarep-bad-datarep-value/test.yaml b/tests/datasets/datarep-bad-datarep-value/test.yaml index 6e6f6487a..e34ec434a 100644 --- a/tests/datasets/datarep-bad-datarep-value/test.yaml +++ b/tests/datasets/datarep-bad-datarep-value/test.yaml @@ -7,7 +7,8 @@ exit-code: 1 checks: - filter: - min-version: 8 + requires: + min-version: 8 filename: suricata.json count: 1 match: diff --git a/tests/dcerpc-smb-fail/test.yaml b/tests/dcerpc-smb-fail/test.yaml index e54ec17ed..2eca2d117 100644 --- a/tests/dcerpc-smb-fail/test.yaml +++ b/tests/dcerpc-smb-fail/test.yaml @@ -5,7 +5,8 @@ args: checks: - filter: - min-version: 6 + requires: + min-version: 6 count: 1445 match: event_type: dcerpc diff --git a/tests/dcerpc/dcerpc-dce-iface-01/test.yaml b/tests/dcerpc/dcerpc-dce-iface-01/test.yaml index 99ab19ecc..714d90f4e 100644 --- a/tests/dcerpc/dcerpc-dce-iface-01/test.yaml +++ b/tests/dcerpc/dcerpc-dce-iface-01/test.yaml 
@@ -3,13 +3,15 @@ args: checks: - filter: - min-version: 6 + requires: + min-version: 6 count: 2 match: event_type: alert alert.signature_id: 1 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: dcerpc diff --git a/tests/dcerpc/dcerpc-dce-iface-02/test.yaml b/tests/dcerpc/dcerpc-dce-iface-02/test.yaml index c1c010fe2..e737a6557 100644 --- a/tests/dcerpc/dcerpc-dce-iface-02/test.yaml +++ b/tests/dcerpc/dcerpc-dce-iface-02/test.yaml @@ -31,7 +31,8 @@ checks: alert.signature_id: 5 pcap_cnt: 10 - filter: - min-version: 6.0.0 + requires: + min-version: 6.0.0 count: 1 match: dcerpc.response: RESPONSE diff --git a/tests/dcerpc/dcerpc-dce-opnum/test.yaml b/tests/dcerpc/dcerpc-dce-opnum/test.yaml index a0ef0c516..f660637db 100644 --- a/tests/dcerpc/dcerpc-dce-opnum/test.yaml +++ b/tests/dcerpc/dcerpc-dce-opnum/test.yaml @@ -10,7 +10,8 @@ checks: event_type: alert alert.signature_id: 1 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert diff --git a/tests/dcerpc/dcerpc-dce-stub-data/test.yaml b/tests/dcerpc/dcerpc-dce-stub-data/test.yaml index 96f5f2b7b..cd2c1cabd 100644 --- a/tests/dcerpc/dcerpc-dce-stub-data/test.yaml +++ b/tests/dcerpc/dcerpc-dce-stub-data/test.yaml @@ -5,7 +5,8 @@ args: checks: - filter: - min-version: 6.0.0 + requires: + min-version: 6.0.0 count: 2 match: event_type: dcerpc diff --git a/tests/decode-too-small/test.yaml b/tests/decode-too-small/test.yaml index 8f91f91cb..ed399d596 100644 --- a/tests/decode-too-small/test.yaml +++ b/tests/decode-too-small/test.yaml @@ -11,7 +11,8 @@ checks: alert.signature_id: 1 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert diff --git a/tests/decode-unknown-2/test.yaml b/tests/decode-unknown-2/test.yaml index 31e85a66e..49c34e30f 100644 --- a/tests/decode-unknown-2/test.yaml +++ b/tests/decode-unknown-2/test.yaml 
@@ -14,7 +14,8 @@ checks: decoder.unknown_ethertype: 1 - filter: count: 1 - min-version: 8.0.2 + requires: + min-version: 8.0.2 match: event_type: anomaly ether.ether_type: 64439 @@ -22,8 +23,9 @@ checks: anomaly.event: decoder.ethernet.unknown_ethertype - filter: count: 1 - min-version: 8 - lt-version: 8.0.2 + requires: + min-version: 8 + lt-version: 8.0.2 match: event_type: anomaly ether.ether_type: 47099 diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml index 429f8db27..939554a1c 100644 --- a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml +++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml @@ -12,7 +12,8 @@ checks: - filter: count: 1 - min-version: 8 + requires: + min-version: 8 match: event_type: alert alert.signature_id: 1 diff --git a/tests/dhcp-eve-extended/test.yaml b/tests/dhcp-eve-extended/test.yaml index d7607d096..e566ad6b2 100644 --- a/tests/dhcp-eve-extended/test.yaml +++ b/tests/dhcp-eve-extended/test.yaml @@ -67,19 +67,22 @@ checks: src_ip: 10.16.1.4 src_port: 68 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert alert.signature_id: 1 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert alert.signature_id: 2 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert diff --git a/tests/dnp3/dnp3-dnp3_obj-alert/test.yaml b/tests/dnp3/dnp3-dnp3_obj-alert/test.yaml index c5d69f060..7ca81ad22 100644 --- a/tests/dnp3/dnp3-dnp3_obj-alert/test.yaml +++ b/tests/dnp3/dnp3-dnp3_obj-alert/test.yaml @@ -14,7 +14,8 @@ checks: - filter: count: 4 - min-version: 8 + requires: + min-version: 8 match: event_type: alert alert.signature_id: 1 diff --git a/tests/dns-over-http2/test.yaml b/tests/dns-over-http2/test.yaml index 457857aea..b4cb5272d 100644 --- a/tests/dns-over-http2/test.yaml +++ b/tests/dns-over-http2/test.yaml 
@@ -60,7 +60,8 @@ checks: app_proto: doh2 app_proto_orig: http2 - filter: - min-version: 8.0.1 + requires: + min-version: 8.0.1 count: 0 match: event_type: dns diff --git a/tests/dns-reversed-udp-1/test.yaml b/tests/dns-reversed-udp-1/test.yaml index 02c107b34..ceea13ac3 100644 --- a/tests/dns-reversed-udp-1/test.yaml +++ b/tests/dns-reversed-udp-1/test.yaml @@ -7,14 +7,14 @@ args: checks: - filter: - comment: request + # request count: 0 match: event_type: dns dns.type: query - filter: - comment: response + # response count: 1 match: event_type: dns diff --git a/tests/dns/task-7018-dns-ips-stream-rule/test.yaml b/tests/dns/task-7018-dns-ips-stream-rule/test.yaml index 02d66d140..c55e3374a 100644 --- a/tests/dns/task-7018-dns-ips-stream-rule/test.yaml +++ b/tests/dns/task-7018-dns-ips-stream-rule/test.yaml @@ -32,7 +32,8 @@ checks: src_ip: 10.16.1.11 src_port: 36926 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: alert @@ -55,7 +56,8 @@ checks: dns.query[0].type: query - filter: # DNS has only v3 logging for alerts in 8 - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert @@ -102,7 +104,8 @@ checks: dns.type: answer dns.version: 2 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: alert @@ -129,7 +132,8 @@ checks: dns.answer.type: answer dns.answer.version: 2 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert @@ -168,7 +172,8 @@ checks: src_port: 36926 - filter: # This check is about an undesirable behavior cf redmine ticket #7004 - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: alert @@ -191,7 +196,8 @@ checks: dns.query[0].tx_id: 2 - filter: # This check is about an undesirable behavior cf redmine ticket #7004 - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert 
@@ -212,7 +218,8 @@ checks: dns.queries[0].rrname: oisf.net dns.queries[0].rrtype: A - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: alert @@ -238,7 +245,8 @@ checks: dns.answer.type: answer dns.answer.version: 2 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert @@ -290,7 +298,8 @@ checks: dns.type: answer dns.version: 2 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: alert @@ -311,7 +320,8 @@ checks: dns.query[0].tx_id: 4 dns.query[0].type: query - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert diff --git a/tests/dns/task-7018-ids-dns-stream-rule/test.yaml b/tests/dns/task-7018-ids-dns-stream-rule/test.yaml index 7e748e4b0..4e21b4804 100644 --- a/tests/dns/task-7018-ids-dns-stream-rule/test.yaml +++ b/tests/dns/task-7018-ids-dns-stream-rule/test.yaml @@ -26,7 +26,8 @@ checks: src_ip: 10.16.1.11 src_port: 36926 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: alert @@ -48,7 +49,8 @@ checks: dns.query[0].tx_id: 0 dns.query[0].type: query - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert @@ -94,7 +96,8 @@ checks: src_ip: 10.16.1.11 src_port: 36926 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: alert @@ -121,7 +124,8 @@ checks: dns.answer.type: answer dns.answer.version: 2 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert diff --git a/tests/dns/v2/dns-invalid-opcode/test.yaml b/tests/dns/v2/dns-invalid-opcode/test.yaml index cdd407c8e..5a6eaafca 100644 --- a/tests/dns/v2/dns-invalid-opcode/test.yaml +++ b/tests/dns/v2/dns-invalid-opcode/test.yaml @@ -40,7 +40,8 @@ checks: # Generated checks below. - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: alert.action: allowed 
@@ -77,7 +78,8 @@ checks: tx_id: 0 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: alert.action: allowed diff --git a/tests/dropped-flow-applayer-event-logged-dcerpc/test.yaml b/tests/dropped-flow-applayer-event-logged-dcerpc/test.yaml index 6f2e5a5c8..6846bcf3a 100644 --- a/tests/dropped-flow-applayer-event-logged-dcerpc/test.yaml +++ b/tests/dropped-flow-applayer-event-logged-dcerpc/test.yaml @@ -7,7 +7,8 @@ args: checks: - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 0 match: pcap_cnt: 2 @@ -17,30 +18,35 @@ checks: match: event_type: alert - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 0 match: pcap_cnt: 2 event_type: smb - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 20 match: event_type: drop - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: pcap_cnt: 2 event_type: alert - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: pcap_cnt: 2 event_type: smb - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 19 match: event_type: drop diff --git a/tests/dropped-flow-applayer-event-logged-http/test.yaml b/tests/dropped-flow-applayer-event-logged-http/test.yaml index 27ca8e160..a637cc902 100644 --- a/tests/dropped-flow-applayer-event-logged-http/test.yaml +++ b/tests/dropped-flow-applayer-event-logged-http/test.yaml @@ -7,24 +7,28 @@ args: checks: - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 0 match: event_type: http pcap_cnt: 2 - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 2 match: event_type: drop - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: event_type: http pcap_cnt: 2 - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: event_type: drop diff --git a/tests/dropped-flow-applayer-event-logged-smb/test.yaml b/tests/dropped-flow-applayer-event-logged-smb/test.yaml index 7013e7c33..cc761bdc2 100644 
--- a/tests/dropped-flow-applayer-event-logged-smb/test.yaml +++ b/tests/dropped-flow-applayer-event-logged-smb/test.yaml @@ -12,34 +12,40 @@ checks: match: event_type: alert - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 0 match: event_type: alert pcap_cnt: 2 - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 0 match: event_type: smb - filter: - min-version: 8.0.4 + requires: + min-version: 8.0.4 count: 54 match: event_type: drop - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: event_type: alert pcap_cnt: 2 - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 1 match: event_type: smb - filter: - lt-version: 8.0 + requires: + lt-version: 8.0 count: 53 match: event_type: drop diff --git a/tests/enip-keywords/test.yaml b/tests/enip-keywords/test.yaml index d114df964..d8957e199 100644 --- a/tests/enip-keywords/test.yaml +++ b/tests/enip-keywords/test.yaml @@ -8,14 +8,16 @@ args: checks: - filter: - lt-version: 8 + requires: + lt-version: 8 count: 41 match: event_type: alert alert.signature_id: 1 - filter: # version 8 also works on responses - min-version: 8 + requires: + min-version: 8 count: 81 match: event_type: alert diff --git a/tests/eve-flow-vlan-02/test.yaml b/tests/eve-flow-vlan-02/test.yaml index ec3e92633..f00dbf7eb 100644 --- a/tests/eve-flow-vlan-02/test.yaml +++ b/tests/eve-flow-vlan-02/test.yaml @@ -3,21 +3,21 @@ requires: checks: - filter: - comment: single vlan + # single vlan count: 1 match: event_type: flow vlan: [6] - filter: - comment: double-tagged vlan + # double-tagged vlan count: 1 match: event_type: flow vlan: [1, 10] - filter: - comment: triple-tagged vlan + # triple-tagged vlan count: 1 match: event_type: flow diff --git a/tests/eve-flow-vlan/test.yaml b/tests/eve-flow-vlan/test.yaml index 441e13b23..44c3cff5d 100644 --- a/tests/eve-flow-vlan/test.yaml +++ b/tests/eve-flow-vlan/test.yaml 
@@ -1,13 +1,13 @@ checks: - filter: - comment: single vlan + # single vlan count: 1 match: event_type: flow vlan: [6] - filter: - comment: double-tagged vlan + # double-tagged vlan count: 1 match: event_type: flow diff --git a/tests/eve-payload-07-http-gap/test.yaml b/tests/eve-payload-07-http-gap/test.yaml index 6fcc83ed4..fcd0c8521 100644 --- a/tests/eve-payload-07-http-gap/test.yaml +++ b/tests/eve-payload-07-http-gap/test.yaml @@ -14,7 +14,8 @@ checks: alert.signature_id: 1 - filter: count: 1 - min-version: 8 + requires: + min-version: 8 match: event_type: alert alert.signature_id: 1 @@ -28,7 +29,8 @@ checks: payload_printable: "GET /1 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n" - filter: count: 1 - min-version: 8 + requires: + min-version: 8 match: event_type: alert alert.signature_id: 1 @@ -42,7 +44,8 @@ checks: payload_printable: "GET /1 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\nGET /2 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n" - filter: count: 1 - min-version: 8 + requires: + min-version: 8 match: event_type: alert alert.signature_id: 1 @@ -56,7 +59,8 @@ checks: payload_printable: "GET /1 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\nGET /2 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\nGET /3 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n" - filter: count: 1 - min-version: 8 + requires: + min-version: 8 match: event_type: alert alert.signature_id: 2 @@ -76,7 +80,8 @@ checks: payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n[127 bytes missing]AAAAAAAAAAAAAAAAAAAAAAAAAAAA" - filter: count: 1 - min-version: 8 + requires: + min-version: 8 match: event_type: alert alert.signature_id: 4 diff --git a/tests/exception-policy-applayer-02/test.yaml b/tests/exception-policy-applayer-02/test.yaml index 529bc6d41..5aa7cf85e 100644 --- a/tests/exception-policy-applayer-02/test.yaml +++ b/tests/exception-policy-applayer-02/test.yaml 
@@ -43,7 +43,8 @@ checks: event_type: flow flow.action: drop - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats @@ -51,7 +52,8 @@ checks: stats.app_layer.error.tls.exception_policy.drop_packet: 0 stats.exception_policy.app_layer.error.pass_packet: 1 - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-default-02/test.yaml b/tests/exception-policy-default-02/test.yaml index b785004cc..2d23cb651 100644 --- a/tests/exception-policy-default-02/test.yaml +++ b/tests/exception-policy-default-02/test.yaml @@ -13,7 +13,8 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-default-03/test.yaml b/tests/exception-policy-default-03/test.yaml index 1442b1c76..4d6ce5495 100644 --- a/tests/exception-policy-default-03/test.yaml +++ b/tests/exception-policy-default-03/test.yaml @@ -6,18 +6,21 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 0 match: event_type: alert - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: drop drop.reason: stream midstream - filter: - min-version: 7 + requires: + min-version: 7 count: 9 match: event_type: drop @@ -27,7 +30,8 @@ checks: event_type: flow flow.state: bypassed - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow 
@@ -37,22 +41,25 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow flow.exception_policy[0].target: "stream_midstream" flow.exception_policy[0].policy: "drop_flow" - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats stats.exception_policy.tcp.midstream.drop_flow: 1 # in Suricata 7, the exception policy stats counters can be disabled - filter: - min-version: 7.0.12 - lt-version: 8 + requires: + min-version: 7.0.12 + lt-version: 8 count: 1 match: event_type: stats diff --git a/tests/exception-policy-default-04/test.yaml b/tests/exception-policy-default-04/test.yaml index 88e6d4b72..019aa6bbf 100644 --- a/tests/exception-policy-default-04/test.yaml +++ b/tests/exception-policy-default-04/test.yaml @@ -24,7 +24,8 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml index 07b26450c..2ccb67029 100644 --- a/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml +++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml @@ -36,14 +36,16 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow flow.exception_policy[0].target: "stream_midstream" flow.exception_policy[0].policy: "drop_flow" - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml index 7862ac471..6642bb04c 100644 
--- a/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml +++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml @@ -26,7 +26,8 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml index 8d141f353..9916f59fe 100644 --- a/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml +++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml @@ -26,7 +26,8 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml index 33155089d..8b5a7eb62 100644 --- a/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml +++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml @@ -27,14 +27,16 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow flow.exception_policy[0].target: "stream_midstream" flow.exception_policy[0].policy: "pass_flow" - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml index ffa0bf886..c84041b1e 100644 --- a/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml +++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml 
@@ -21,7 +21,8 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml index 9a5ad4221..088a9cca5 100644 --- a/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml +++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml @@ -37,14 +37,16 @@ checks: log_level: Warning engine.module: exception-policy - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow flow.exception_policy[0].target: "stream_midstream" flow.exception_policy[0].policy: "ignore" - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml index 4c753838a..6a1d4eb13 100644 --- a/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml +++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml @@ -37,14 +37,16 @@ checks: log_level: Warning engine.module: exception-policy - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow flow.exception_policy[0].target: "stream_midstream" flow.exception_policy[0].policy: "ignore" - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats diff --git a/tests/exception-policy-midstream-01/test.yaml b/tests/exception-policy-midstream-01/test.yaml index f820a2cc4..e266a22d9 100644 --- a/tests/exception-policy-midstream-01/test.yaml +++ b/tests/exception-policy-midstream-01/test.yaml 
@@ -19,13 +19,15 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats stats.exception_policy.tcp.midstream.pass_flow: 9 - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-midstream-02/test.yaml b/tests/exception-policy-midstream-02/test.yaml index b0f4867eb..6a808836e 100644 --- a/tests/exception-policy-midstream-02/test.yaml +++ b/tests/exception-policy-midstream-02/test.yaml @@ -25,19 +25,22 @@ checks: match: event_type: anomaly - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: stats stats.ips.drop_reason.stream_midstream: 1 - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats stats.exception_policy.tcp.midstream.drop_flow: 1 - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-midstream-03/test.yaml b/tests/exception-policy-midstream-03/test.yaml index a46f0fc83..b50801202 100644 --- a/tests/exception-policy-midstream-03/test.yaml +++ b/tests/exception-policy-midstream-03/test.yaml @@ -25,7 +25,8 @@ checks: event_type: http dest_port: 80 - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-midstream-04/test.yaml b/tests/exception-policy-midstream-04/test.yaml index 42a60bdcc..3950f9221 100644 --- a/tests/exception-policy-midstream-04/test.yaml +++ b/tests/exception-policy-midstream-04/test.yaml @@ -20,13 +20,15 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats stats.exception_policy.tcp.midstream.pass_flow: 2 - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow 
diff --git a/tests/exception-policy-midstream-05/test.yaml b/tests/exception-policy-midstream-05/test.yaml index 8b1be07a4..a2d982c7b 100644 --- a/tests/exception-policy-midstream-05/test.yaml +++ b/tests/exception-policy-midstream-05/test.yaml @@ -19,13 +19,15 @@ checks: match: event_type: http - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats stats.exception_policy.tcp.midstream.bypass: 1 - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-midstream-06/test.yaml b/tests/exception-policy-midstream-06/test.yaml index 8a7f74dba..77212a1c6 100644 --- a/tests/exception-policy-midstream-06/test.yaml +++ b/tests/exception-policy-midstream-06/test.yaml @@ -17,13 +17,15 @@ checks: event_type: flow flow.action: drop - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats stats.exception_policy.tcp.midstream.drop_flow: 1 - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-midstream-07/test.yaml b/tests/exception-policy-midstream-07/test.yaml index 67af543aa..c9411cc06 100644 --- a/tests/exception-policy-midstream-07/test.yaml +++ b/tests/exception-policy-midstream-07/test.yaml @@ -19,7 +19,8 @@ checks: match: event_type: smb - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow diff --git a/tests/exception-policy-reject-action-01/test.yaml b/tests/exception-policy-reject-action-01/test.yaml index 46711fa78..e7154ae5b 100644 --- a/tests/exception-policy-reject-action-01/test.yaml +++ b/tests/exception-policy-reject-action-01/test.yaml 
@@ -19,14 +19,16 @@ checks: event_type: flow flow.action: drop - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: flow flow.exception_policy[0].target: "stream_midstream" flow.exception_policy[0].policy: "reject" - filter: - min-version: 7.0.12 + requires: + min-version: 7.0.12 count: 1 match: event_type: stats diff --git a/tests/filestore-alert-log/test.yaml b/tests/filestore-alert-log/test.yaml index 3d70633e0..34a01834d 100644 --- a/tests/filestore-alert-log/test.yaml +++ b/tests/filestore-alert-log/test.yaml @@ -10,7 +10,8 @@ checks: args: test -e filestore/e0/e092858d5bd66ab33085a966ee4ac0bf0edf6eab8d8b1e66432ee600e904bb4f - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert diff --git a/tests/ftp-epsv/test.yaml b/tests/ftp-epsv/test.yaml index c6c1342d6..e8532a509 100644 --- a/tests/ftp-epsv/test.yaml +++ b/tests/ftp-epsv/test.yaml @@ -7,7 +7,8 @@ checks: ftp.command: "EPSV" ftp.dynamic_port: 58612 - filter: - min-version: 8 + requires: + min-version: 8 count: 0 match: event_type: anomaly diff --git a/tests/ftp/ftp-too-long-command/test.yaml b/tests/ftp/ftp-too-long-command/test.yaml index 4ce3111b0..2cd0d842e 100644 --- a/tests/ftp/ftp-too-long-command/test.yaml +++ b/tests/ftp/ftp-too-long-command/test.yaml @@ -21,7 +21,8 @@ checks: # Look for anomaly event. - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: anomaly @@ -29,14 +30,16 @@ checks: # Look for app-layer alert. - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert alert.signature_id: 2232000 # Alert has app-layer details. - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert diff --git a/tests/ftp/ftp-too-long-response/test.yaml b/tests/ftp/ftp-too-long-response/test.yaml index 8df38a9be..c43d347ae 100644 --- a/tests/ftp/ftp-too-long-response/test.yaml +++ b/tests/ftp/ftp-too-long-response/test.yaml 
@@ -16,7 +16,8 @@ checks: # Look for anomaly event. - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: anomaly @@ -24,7 +25,8 @@ checks: # Look for app-layer alert. - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: alert diff --git a/tests/http-gap-simple-frames/test.yaml b/tests/http-gap-simple-frames/test.yaml index 17eff6759..0d6dacdb8 100644 --- a/tests/http-gap-simple-frames/test.yaml +++ b/tests/http-gap-simple-frames/test.yaml @@ -71,7 +71,8 @@ checks: frame.direction: toserver frame.tx_id: 0 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert diff --git a/tests/http-not09/test.yaml b/tests/http-not09/test.yaml index d429013dc..929ae5e84 100644 --- a/tests/http-not09/test.yaml +++ b/tests/http-not09/test.yaml @@ -8,13 +8,15 @@ checks: event_type: http http.http_user_agent: myscript - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: anomaly anomaly.event: REQUEST_LINE_MISSING_PROTOCOL - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert diff --git a/tests/http-xff-eve-forward-extra-data/test.yaml b/tests/http-xff-eve-forward-extra-data/test.yaml index 0f31e6163..709f0a3c8 100644 --- a/tests/http-xff-eve-forward-extra-data/test.yaml +++ b/tests/http-xff-eve-forward-extra-data/test.yaml @@ -5,7 +5,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: alert.xff: 10.2.2.2 diff --git a/tests/http-xff-eve-reverse-extra-data/test.yaml b/tests/http-xff-eve-reverse-extra-data/test.yaml index 1169c6931..b6a714af9 100644 --- a/tests/http-xff-eve-reverse-extra-data/test.yaml +++ b/tests/http-xff-eve-reverse-extra-data/test.yaml @@ -5,7 +5,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: alert.xff: 10.3.3.3 diff --git a/tests/http2-errorcode/test.yaml b/tests/http2-errorcode/test.yaml index 447888fd5..b0cb1b98d 100644 
--- a/tests/http2-errorcode/test.yaml +++ b/tests/http2-errorcode/test.yaml @@ -13,7 +13,8 @@ checks: alert.signature_id: 1 http.http2.request.error_code: INTERNALERROR - filter: - min-version: 9 + requires: + min-version: 9 count: 2 match: event_type: alert diff --git a/tests/http2-upgrade/test.yaml b/tests/http2-upgrade/test.yaml index 5899b7e98..5e963de4b 100644 --- a/tests/http2-upgrade/test.yaml +++ b/tests/http2-upgrade/test.yaml @@ -28,7 +28,8 @@ checks: http.http2.request.settings[2].settings_id: "SETTINGSENABLEPUSH" http.http2.request.settings[2].settings_value: 0 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: http diff --git a/tests/ikev2-weak-dh/test.yaml b/tests/ikev2-weak-dh/test.yaml index c6fc0fcd6..c0bd0139e 100644 --- a/tests/ikev2-weak-dh/test.yaml +++ b/tests/ikev2-weak-dh/test.yaml @@ -13,7 +13,8 @@ checks: # from suricata version >=7 the event_type for ikev2 is ike - filter: count: 1 - min-version: 7 + requires: + min-version: 7 match: event_type: ike ike.version_major: 2 diff --git a/tests/krb5-kerberoasting/test.yaml b/tests/krb5-kerberoasting/test.yaml index b7f1284a7..62f06d854 100644 --- a/tests/krb5-kerberoasting/test.yaml +++ b/tests/krb5-kerberoasting/test.yaml @@ -22,7 +22,8 @@ checks: event_type: alert alert.signature_id: 1 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert diff --git a/tests/krb5-request-frag-log/test.yaml b/tests/krb5-request-frag-log/test.yaml index 390498663..dd8a0d49c 100644 --- a/tests/krb5-request-frag-log/test.yaml +++ b/tests/krb5-request-frag-log/test.yaml @@ -13,7 +13,7 @@ checks: event_type: alert alert.signature_id: 2 - filter: - comment: authentication service (AS) response + # authentication service (AS) response count: 1 match: event_type: krb5 
@@ -23,7 +23,7 @@ checks: krb5.sname: krbtgt/dom.test.lo.com - filter: - comment: ticket granting service (TGS) reponse + # ticket granting service (TGS) reponse count: 1 match: event_type: krb5 diff --git a/tests/nfs3-01/test.yaml b/tests/nfs3-01/test.yaml index b96970b84..7c21d9ef2 100644 --- a/tests/nfs3-01/test.yaml +++ b/tests/nfs3-01/test.yaml @@ -11137,7 +11137,8 @@ checks: src_ip: 139.25.22.2 src_port: 3296 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: app_proto: failed @@ -11199,7 +11200,8 @@ checks: src_ip: 139.25.22.2 src_port: 3298 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: app_proto: failed @@ -11261,7 +11263,8 @@ checks: src_ip: 139.25.22.2 src_port: 722 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: app_proto: failed @@ -11323,7 +11326,8 @@ checks: src_ip: 139.25.22.2 src_port: 1022 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: app_proto: nfs @@ -11385,7 +11389,8 @@ checks: src_ip: 139.25.22.2 src_port: 3295 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: app_proto: failed @@ -11447,7 +11452,8 @@ checks: src_ip: 139.25.22.2 src_port: 3299 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: app_proto: failed @@ -11509,7 +11515,8 @@ checks: src_ip: 139.25.22.2 src_port: 3297 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: app_proto: failed @@ -11571,7 +11578,8 @@ checks: src_ip: 139.25.22.2 src_port: 706 - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: app_proto: failed diff --git a/tests/output-eve-tftp-01/test.yaml b/tests/output-eve-tftp-01/test.yaml index bbdeb82e6..648b784b8 100644 --- a/tests/output-eve-tftp-01/test.yaml +++ b/tests/output-eve-tftp-01/test.yaml @@ -11,7 +11,8 @@ checks: match: event_type: alert - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert 
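Review bot: The comment rewritten as a YAML `#` line in tests/krb5-request-frag-log/test.yaml carries over the typo `reponse`; since the line is being replaced anyway, make it `# ticket granting service (TGS) response`. The `- filter:` entry it describes continues past the end of the hunk.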
diff --git a/tests/pgsql/pgsql-pwd-output-disabled/test.yaml b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml index 3ea41e6b1..b5e28b2df 100644 --- a/tests/pgsql/pgsql-pwd-output-disabled/test.yaml +++ b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml @@ -64,7 +64,8 @@ checks: src_port: 41662 # check to ensure there's no empty request (Bug #7647) - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: dest_ip: 192.168.1.74 diff --git a/tests/rfb-protocol-3.3/test.yaml b/tests/rfb-protocol-3.3/test.yaml index 6220b8c31..93ebc4eb9 100644 --- a/tests/rfb-protocol-3.3/test.yaml +++ b/tests/rfb-protocol-3.3/test.yaml @@ -7,7 +7,8 @@ checks: app_proto: rfb - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: rfb diff --git a/tests/rules/ftpbounce/test.yaml b/tests/rules/ftpbounce/test.yaml index f87641ea1..dad634d27 100644 --- a/tests/rules/ftpbounce/test.yaml +++ b/tests/rules/ftpbounce/test.yaml @@ -7,7 +7,8 @@ args: checks: - filter: - lt-version: 8 + requires: + lt-version: 8 filename: rules.json count: 1 match: @@ -16,7 +17,8 @@ checks: engines[0].direction: "toserver" engines[0].matches[0].name: "ftpbounce" - filter: - min-version: 8 + requires: + min-version: 8 filename: rules.json count: 1 match: diff --git a/tests/rules/icmp_id/test.yaml b/tests/rules/icmp_id/test.yaml index 7b412fd39..897be37b8 100644 --- a/tests/rules/icmp_id/test.yaml +++ b/tests/rules/icmp_id/test.yaml @@ -7,7 +7,8 @@ args: checks: - filter: - lt-version: 9.0 + requires: + lt-version: 9.0 filename: rules.json count: 1 match: @@ -15,7 +16,8 @@ checks: lists.packet.matches[0].name: "icmp_id" lists.packet.matches[0].id.number: 2 - filter: - min-version: 9.0 + requires: + min-version: 9.0 filename: rules.json count: 1 match: diff --git a/tests/rules/tcp-seq-keyword/test.yaml b/tests/rules/tcp-seq-keyword/test.yaml index a6423dd10..8481891e3 100644 --- a/tests/rules/tcp-seq-keyword/test.yaml +++ b/tests/rules/tcp-seq-keyword/test.yaml 
@@ -7,7 +7,8 @@ args: checks: - filter: - lt-version: 9.0 + requires: + lt-version: 9.0 filename: rules.json count: 1 match: @@ -15,14 +16,16 @@ checks: lists.packet.matches[0].name: "tcp.seq" lists.packet.matches[0].seq.number: 624 - filter: - lt-version: 9.0 + requires: + lt-version: 9.0 filename: rules.json count: 1 match: id: 2 lists.packet.matches[0].seq.number: 723833 - filter: - min-version: 9.0 + requires: + min-version: 9.0 filename: rules.json count: 1 match: @@ -30,7 +33,8 @@ checks: lists.packet.matches[0].name: "tcp.seq" lists.packet.matches[0].seq.equal: 624 - filter: - min-version: 9.0 + requires: + min-version: 9.0 filename: rules.json count: 1 match: diff --git a/tests/rules/tcp_ack/test.yaml b/tests/rules/tcp_ack/test.yaml index 4bb1178e9..187e2e71f 100644 --- a/tests/rules/tcp_ack/test.yaml +++ b/tests/rules/tcp_ack/test.yaml @@ -7,7 +7,8 @@ args: checks: - filter: - lt-version: 9.0 + requires: + lt-version: 9.0 filename: rules.json count: 1 match: @@ -15,14 +16,16 @@ checks: lists.packet.matches[0].name: "tcp.ack" lists.packet.matches[0].ack.number: 782 - filter: - lt-version: 9.0 + requires: + lt-version: 9.0 filename: rules.json count: 1 match: id: 2 lists.packet.matches[0].ack.number: 15 - filter: - lt-version: 9.0 + requires: + lt-version: 9.0 filename: rules.json count: 1 match: @@ -30,7 +33,8 @@ checks: lists.packet.matches[0].name: "tcp.ack" lists.packet.matches[0].ack.number: 437528 - filter: - min-version: 9.0 + requires: + min-version: 9.0 filename: rules.json count: 1 match: @@ -38,14 +42,16 @@ checks: lists.packet.matches[0].name: "tcp.ack" lists.packet.matches[0].ack.equal: 782 - filter: - min-version: 9.0 + requires: + min-version: 9.0 filename: rules.json count: 1 match: id: 2 lists.packet.matches[0].ack.equal: 15 - filter: - min-version: 9.0 + requires: + min-version: 9.0 filename: rules.json count: 1 match: diff --git a/tests/rules/tcp_window/test.yaml b/tests/rules/tcp_window/test.yaml index 9582d63af..0ee8c9283 100644 
--- a/tests/rules/tcp_window/test.yaml +++ b/tests/rules/tcp_window/test.yaml @@ -7,7 +7,8 @@ args: checks: - filter: - lt-version: 9.0 + requires: + lt-version: 9.0 filename: rules.json count: 1 match: @@ -16,7 +17,8 @@ checks: lists.packet.matches[0].window.size: 30336 lists.packet.matches[0].window.negated: false - filter: - lt-version: 9.0 + requires: + lt-version: 9.0 filename: rules.json count: 1 match: @@ -26,7 +28,8 @@ checks: lists.packet.matches[0].window.negated: true - filter: - min-version: 9.0 + requires: + min-version: 9.0 filename: rules.json count: 1 match: @@ -34,7 +37,8 @@ checks: lists.packet.matches[0].name: "tcp.window" lists.packet.matches[0].window.equal: 30336 - filter: - min-version: 9.0 + requires: + min-version: 9.0 filename: rules.json count: 1 match: diff --git a/tests/sip-pattern-matching/test.yaml b/tests/sip-pattern-matching/test.yaml index 2d5874db1..d2f3569f6 100644 --- a/tests/sip-pattern-matching/test.yaml +++ b/tests/sip-pattern-matching/test.yaml @@ -1,6 +1,7 @@ checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: sip @@ -9,7 +10,8 @@ checks: sip.version: "SIP/2.0" sip.request_line: "REGISTER sip:sip.cybercity.dk SIP/2.0" - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: sip diff --git a/tests/sip-tcp-method/test.yaml b/tests/sip-tcp-method/test.yaml index 3b21824d5..92f969fd8 100644 --- a/tests/sip-tcp-method/test.yaml +++ b/tests/sip-tcp-method/test.yaml @@ -9,18 +9,21 @@ pcap: sip-tcp.pcap checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: proto: TCP event_type: sip - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats diff --git a/tests/sip-tcp-pattern-matching/test.yaml b/tests/sip-tcp-pattern-matching/test.yaml index 2a42e507e..fc041278c 100644 --- a/tests/sip-tcp-pattern-matching/test.yaml 
+++ b/tests/sip-tcp-pattern-matching/test.yaml @@ -6,7 +6,8 @@ args: checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: proto: TCP @@ -16,7 +17,8 @@ checks: sip.version: "SIP/2.0" sip.request_line: "REGISTER sip:sip.cybercity.dk SIP/2.0" - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: proto: TCP @@ -26,7 +28,8 @@ checks: sip.reason: "Unauthorized" sip.response_line: "SIP/2.0 401 Unauthorized" - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats diff --git a/tests/sip-tcp-protocol/test.yaml b/tests/sip-tcp-protocol/test.yaml index 3bdbe3f9b..f257d7d9f 100644 --- a/tests/sip-tcp-protocol/test.yaml +++ b/tests/sip-tcp-protocol/test.yaml @@ -9,30 +9,35 @@ pcap: ../sip-tcp-method/sip-tcp.pcap checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: event_type: alert - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert alert.signature_id: 1 - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert alert.signature_id: 2 - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: proto: TCP event_type: sip - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats diff --git a/tests/sip-tcp-request-line/test.yaml b/tests/sip-tcp-request-line/test.yaml index b87dd3275..4a4cfa90d 100755 --- a/tests/sip-tcp-request-line/test.yaml +++ b/tests/sip-tcp-request-line/test.yaml @@ -9,18 +9,21 @@ pcap: ../sip-tcp-method/sip-tcp.pcap checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: proto: TCP event_type: sip - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats diff --git a/tests/sip-tcp-response-line/test.yaml b/tests/sip-tcp-response-line/test.yaml index b87dd3275..4a4cfa90d 100755 
--- a/tests/sip-tcp-response-line/test.yaml +++ b/tests/sip-tcp-response-line/test.yaml @@ -9,18 +9,21 @@ pcap: ../sip-tcp-method/sip-tcp.pcap checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: proto: TCP event_type: sip - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats diff --git a/tests/sip-tcp-stat-code/test.yaml b/tests/sip-tcp-stat-code/test.yaml index b87dd3275..4a4cfa90d 100644 --- a/tests/sip-tcp-stat-code/test.yaml +++ b/tests/sip-tcp-stat-code/test.yaml @@ -9,18 +9,21 @@ pcap: ../sip-tcp-method/sip-tcp.pcap checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: proto: TCP event_type: sip - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats diff --git a/tests/sip-tcp-stat-msg/test.yaml b/tests/sip-tcp-stat-msg/test.yaml index b87dd3275..4a4cfa90d 100644 --- a/tests/sip-tcp-stat-msg/test.yaml +++ b/tests/sip-tcp-stat-msg/test.yaml @@ -9,18 +9,21 @@ pcap: ../sip-tcp-method/sip-tcp.pcap checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: proto: TCP event_type: sip - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats diff --git a/tests/sip-tcp-uri/test.yaml b/tests/sip-tcp-uri/test.yaml index a9802dbe9..028473ae7 100755 --- a/tests/sip-tcp-uri/test.yaml +++ b/tests/sip-tcp-uri/test.yaml 
@@ -9,18 +9,21 @@ pcap: ../sip-tcp-method/sip-tcp.pcap checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: alert - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: proto: TCP event_type: sip - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: stats diff --git a/tests/smb-eicar-file/test.yaml b/tests/smb-eicar-file/test.yaml index 2fd081d75..87ff07ff8 100644 --- a/tests/smb-eicar-file/test.yaml +++ b/tests/smb-eicar-file/test.yaml @@ -12,7 +12,8 @@ checks: # Check for something in the files array, which is an array of # fileinfo objects. - filter: - min-version: 6.0.0 + requires: + min-version: 6.0.0 count: 1 match: event_type: alert diff --git a/tests/smb2-07/test.yaml b/tests/smb2-07/test.yaml index 6c834c9eb..d0836945e 100644 --- a/tests/smb2-07/test.yaml +++ b/tests/smb2-07/test.yaml @@ -6,12 +6,14 @@ args: checks: - filter: # additional event for file deletion - min-version: 7 + requires: + min-version: 7 count: 60 match: event_type: smb - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: smb diff --git a/tests/smtp-eve/test.yaml b/tests/smtp-eve/test.yaml index 9f9c852f8..67ec8d729 100644 --- a/tests/smtp-eve/test.yaml +++ b/tests/smtp-eve/test.yaml @@ -113,7 +113,8 @@ checks: tcp.tcp_flags_tc: 1b tcp.tcp_flags_ts: 1b - filter: - min-version: 8 + requires: + min-version: 8 count: 0 match: event_type: anomaly diff --git a/tests/smtp-tls-protodetect/test.yaml b/tests/smtp-tls-protodetect/test.yaml index cc5d93281..07c520b68 100644 --- a/tests/smtp-tls-protodetect/test.yaml +++ b/tests/smtp-tls-protodetect/test.yaml 
@@ -7,21 +7,24 @@ args: checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: flow app_proto: tls app_proto_tc: smtp - filter: - version: 7 + requires: + version: 7 count: 1 match: event_type: flow app_proto: tls # no smtp probin parser in 7 - filter: - version: 7 + requires: + version: 7 count: 1 match: event_type: anomaly diff --git a/tests/snmp-v3-encrypted/test.yaml b/tests/snmp-v3-encrypted/test.yaml index 7c1c858fd..3ac0c4c3a 100644 --- a/tests/snmp-v3-encrypted/test.yaml +++ b/tests/snmp-v3-encrypted/test.yaml @@ -23,7 +23,8 @@ checks: snmp.pdu_type: encrypted snmp.version: 3 - filter: - min-version: 7 + requires: + min-version: 7 count: 8 match: event_type: alert diff --git a/tests/stream-async/http/stream-async-6063-srv-01/test.yaml b/tests/stream-async/http/stream-async-6063-srv-01/test.yaml index 988f3f2f2..1527756d0 100644 --- a/tests/stream-async/http/stream-async-6063-srv-01/test.yaml +++ b/tests/stream-async/http/stream-async-6063-srv-01/test.yaml @@ -34,7 +34,8 @@ checks: anomaly.event: UNABLE_TO_MATCH_RESPONSE_TO_REQUEST anomaly.layer: proto_parser - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: flow @@ -62,7 +63,8 @@ checks: tcp.ts_max_regions: 1 tcp.tc_max_regions: 1 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: flow diff --git a/tests/stream-async/http/stream-async-6063-srv-02/test.yaml b/tests/stream-async/http/stream-async-6063-srv-02/test.yaml index e67e054f8..ccccfe3eb 100644 --- a/tests/stream-async/http/stream-async-6063-srv-02/test.yaml +++ b/tests/stream-async/http/stream-async-6063-srv-02/test.yaml @@ -36,7 +36,8 @@ checks: anomaly.event: UNABLE_TO_MATCH_RESPONSE_TO_REQUEST anomaly.layer: proto_parser - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: flow 
@@ -64,7 +65,8 @@ checks: tcp.ts_max_regions: 1 tcp.tc_max_regions: 1 - filter: - lt-version: 8 + requires: + lt-version: 8 count: 1 match: event_type: flow diff --git a/tests/stream-depth-reached-event/test.yaml b/tests/stream-depth-reached-event/test.yaml index 4d8ae5af5..c78185c7b 100644 --- a/tests/stream-depth-reached-event/test.yaml +++ b/tests/stream-depth-reached-event/test.yaml @@ -20,7 +20,8 @@ checks: alert.signature_id: 2210062 - filter: - min-version: 8 + requires: + min-version: 8 count: 2 match: event_type: alert diff --git a/tests/tcp-fastopen-10-syn-data-ignore/test.yaml b/tests/tcp-fastopen-10-syn-data-ignore/test.yaml index 8a45ac6b5..2cc1810bf 100644 --- a/tests/tcp-fastopen-10-syn-data-ignore/test.yaml +++ b/tests/tcp-fastopen-10-syn-data-ignore/test.yaml @@ -39,28 +39,32 @@ checks: direction: "to_server" stream_tcp.session.state: "syn_sent" - filter: - lt-version: 8.0.3 + requires: + lt-version: 8.0.3 count: 1 match: event_type: tls tls.sni: "icloud.com" tls.version: "UNDETERMINED" - filter: - lt-version: 8.0.3 + requires: + lt-version: 8.0.3 count: 1 match: event_type: tls tls.sni: "icloud.com" tls.version: "TLS 1.3" - filter: - min-version: 8.0.3 + requires: + min-version: 8.0.3 count: 0 match: event_type: tls tls.sni: "icloud.com" tls.version: "UNDETERMINED" - filter: - min-version: 8.0.3 + requires: + min-version: 8.0.3 count: 2 match: event_type: tls diff --git a/tests/test-bad-byte-extract-rule-1/test.yaml b/tests/test-bad-byte-extract-rule-1/test.yaml index 6f81d8b3d..6bd863a30 100644 --- a/tests/test-bad-byte-extract-rule-1/test.yaml +++ b/tests/test-bad-byte-extract-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "unknown byte_ keyword var seen in depth - d." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-byte-extract-rule-2/test.yaml b/tests/test-bad-byte-extract-rule-2/test.yaml index 1cd138054..e0e6fd01f 100644 
--- a/tests/test-bad-byte-extract-rule-2/test.yaml +++ b/tests/test-bad-byte-extract-rule-2/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "invalid value for depth: -5." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-content-quotes-rule-1/test.yaml b/tests/test-bad-content-quotes-rule-1/test.yaml index a488ac1f8..621c8fdb0 100644 --- a/tests/test-bad-content-quotes-rule-1/test.yaml +++ b/tests/test-bad-content-quotes-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "Invalid unescaped double quote within content section." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-depth-depth-rule-1/test.yaml b/tests/test-bad-depth-depth-rule-1/test.yaml index 6330080ed..3dca2d0b5 100644 --- a/tests/test-bad-depth-depth-rule-1/test.yaml +++ b/tests/test-bad-depth-depth-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "can't use multiple depths for the same content." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-depth-distance-rule-1/test.yaml b/tests/test-bad-depth-distance-rule-1/test.yaml index 9b4a96d28..4fc0e33fd 100644 --- a/tests/test-bad-depth-distance-rule-1/test.yaml +++ b/tests/test-bad-depth-distance-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-depth-distance-rule-2/test.yaml b/tests/test-bad-depth-distance-rule-2/test.yaml index 9b4a96d28..4fc0e33fd 100644 --- a/tests/test-bad-depth-distance-rule-2/test.yaml +++ b/tests/test-bad-depth-distance-rule-2/test.yaml 
@@ -11,7 +11,8 @@ checks: engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-depth-rule-1/test.yaml b/tests/test-bad-depth-rule-1/test.yaml index b3251a367..0b33cbba9 100644 --- a/tests/test-bad-depth-rule-1/test.yaml +++ b/tests/test-bad-depth-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data/dce_stub_data sticky buffer options." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-depth-within-rule-1/test.yaml b/tests/test-bad-depth-within-rule-1/test.yaml index 9b4a96d28..4fc0e33fd 100644 --- a/tests/test-bad-depth-within-rule-1/test.yaml +++ b/tests/test-bad-depth-within-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-depth-within-rule-2/test.yaml b/tests/test-bad-depth-within-rule-2/test.yaml index b3251a367..0b33cbba9 100644 --- a/tests/test-bad-depth-within-rule-2/test.yaml +++ b/tests/test-bad-depth-within-rule-2/test.yaml 
@@ -11,7 +11,8 @@ checks: engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data/dce_stub_data sticky buffer options." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-hex-rule-1/test.yaml b/tests/test-bad-hex-rule-1/test.yaml index ad93ec1fe..97f65ac42 100644 --- a/tests/test-bad-hex-rule-1/test.yaml +++ b/tests/test-bad-hex-rule-1/test.yaml @@ -14,14 +14,16 @@ checks: engine.message: "Invalid hex code in content - |l0 01 01|, hex l. Invalidating signature." - filter: - min-version: 7 + requires: + min-version: 7 count: 4 match: event_type: engine engine.module: detect - filter: - min-version: 7.0 + requires: + min-version: 7.0 count: 1 match: event_type: engine diff --git a/tests/test-bad-hex-rule-2/test.yaml b/tests/test-bad-hex-rule-2/test.yaml index cf7983cc9..263b76676 100644 --- a/tests/test-bad-hex-rule-2/test.yaml +++ b/tests/test-bad-hex-rule-2/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "Invalid hex code in content - |01 10 0j|, hex j. Invalidating signature." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-hex-rule-3/test.yaml b/tests/test-bad-hex-rule-3/test.yaml index 74c45a325..22cfe6cad 100644 --- a/tests/test-bad-hex-rule-3/test.yaml +++ b/tests/test-bad-hex-rule-3/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "Invalid hex code assembly in content - |1. Invalidating signature." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-http-host-rule-1/test.yaml b/tests/test-bad-http-host-rule-1/test.yaml index e14fc2dea..0e9282ef6 100644 --- a/tests/test-bad-http-host-rule-1/test.yaml 
+++ b/tests/test-bad-http-host-rule-1/test.yaml @@ -5,13 +5,15 @@ checks: # check that we have the following entries in eve.json # match 1 specific rule load failure reason - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: engine engine.message: "rule 1111: A pattern with uppercase characters detected for http.host. The hostname buffer is normalized to lowercase, please specify a lowercase pattern." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-http-host-rule-2/test.yaml b/tests/test-bad-http-host-rule-2/test.yaml index 9d4c7197d..e20b6ad50 100644 --- a/tests/test-bad-http-host-rule-2/test.yaml +++ b/tests/test-bad-http-host-rule-2/test.yaml @@ -5,13 +5,15 @@ checks: # check that we have the following entries in eve.json # match 1 specific rule load failure reason - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: engine engine.message: "rule 123: http.host keyword specified along with \"nocase\". The hostname buffer is normalized to lowercase, specifying nocase is redundant." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-negate-fast-pattern-rule-1/test.yaml b/tests/test-bad-negate-fast-pattern-rule-1/test.yaml index d1635bb28..116f7f4c8 100644 --- a/tests/test-bad-negate-fast-pattern-rule-1/test.yaml +++ b/tests/test-bad-negate-fast-pattern-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "can't have a relative negated keyword set along with 'fast_pattern'." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-offset-distance-rule-1/test.yaml b/tests/test-bad-offset-distance-rule-1/test.yaml index 9b4a96d28..4fc0e33fd 100644 --- a/tests/test-bad-offset-distance-rule-1/test.yaml +++ b/tests/test-bad-offset-distance-rule-1/test.yaml 
@@ -11,7 +11,8 @@ checks: engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-offset-offset-rule-1/test.yaml b/tests/test-bad-offset-offset-rule-1/test.yaml index b9a42b521..fa380d579 100644 --- a/tests/test-bad-offset-offset-rule-1/test.yaml +++ b/tests/test-bad-offset-offset-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "can't use multiple offsets for the same content." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-offset-within-rule-1/test.yaml b/tests/test-bad-offset-within-rule-1/test.yaml index 9b4a96d28..4fc0e33fd 100644 --- a/tests/test-bad-offset-within-rule-1/test.yaml +++ b/tests/test-bad-offset-within-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-quotation-marks-rule-1/test.yaml b/tests/test-bad-quotation-marks-rule-1/test.yaml index 89431d2bf..4345a2901 100644 --- a/tests/test-bad-quotation-marks-rule-1/test.yaml +++ b/tests/test-bad-quotation-marks-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "invalid formatting to content keyword: value must be double quoted 'content'" - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-relative-keyword-fast-pattern-rule-1/test.yaml b/tests/test-bad-relative-keyword-fast-pattern-rule-1/test.yaml index a418796e7..2ae5c8ce1 100644 --- a/tests/test-bad-relative-keyword-fast-pattern-rule-1/test.yaml +++ b/tests/test-bad-relative-keyword-fast-pattern-rule-1/test.yaml 
@@ -11,7 +11,8 @@ checks: engine.message: "can't have a relative keyword set along with 'fast_pattern:only;'." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-semicolon-rule-1/test.yaml b/tests/test-bad-semicolon-rule-1/test.yaml index 626ec0508..753073cf9 100644 --- a/tests/test-bad-semicolon-rule-1/test.yaml +++ b/tests/test-bad-semicolon-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "bad option value formatting (possible missing semicolon) for keyword content: '\"AA\" depth:20'" - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-semicolon-rule-2/test.yaml b/tests/test-bad-semicolon-rule-2/test.yaml index 4d3f662fb..6c0cb8160 100644 --- a/tests/test-bad-semicolon-rule-2/test.yaml +++ b/tests/test-bad-semicolon-rule-2/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "unknown rule keyword ''." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/test-bad-within-within-rule-1/test.yaml b/tests/test-bad-within-within-rule-1/test.yaml index 8eb0e64bb..844948002 100644 --- a/tests/test-bad-within-within-rule-1/test.yaml +++ b/tests/test-bad-within-within-rule-1/test.yaml @@ -11,7 +11,8 @@ checks: engine.message: "can't use multiple withins for the same content." - filter: - min-version: 7 + requires: + min-version: 7 count: 3 match: event_type: engine diff --git a/tests/tls/tls-eve-custom-fields/test.yaml b/tests/tls/tls-eve-custom-fields/test.yaml index 2f9148cc7..e5b25b926 100644 --- a/tests/tls/tls-eve-custom-fields/test.yaml +++ b/tests/tls/tls-eve-custom-fields/test.yaml @@ -5,7 +5,8 @@ pcap: ../tls-store-02/tls-client-auth.pcap checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 1 match: event_type: tls 
@@ -22,7 +23,8 @@ checks: tls.client.notbefore: '2018-04-14T20:55:27' tls.client.notafter: '2018-05-14T20:55:27' - filter: - min-version: 7.0.8 + requires: + min-version: 7.0.8 count: 1 match: event_type: tls diff --git a/tests/util-action-tests/util-action-01/test.yaml b/tests/util-action-tests/util-action-01/test.yaml index 806208841..9631f7eed 100644 --- a/tests/util-action-tests/util-action-01/test.yaml +++ b/tests/util-action-tests/util-action-01/test.yaml @@ -6,7 +6,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/util-action-tests/util-action-02/test.yaml b/tests/util-action-tests/util-action-02/test.yaml index f8bd99bdc..7439b827e 100644 --- a/tests/util-action-tests/util-action-02/test.yaml +++ b/tests/util-action-tests/util-action-02/test.yaml @@ -6,7 +6,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/util-action-tests/util-action-05/test.yaml b/tests/util-action-tests/util-action-05/test.yaml index 9c534f5cf..d5301a2ad 100644 --- a/tests/util-action-tests/util-action-05/test.yaml +++ b/tests/util-action-tests/util-action-05/test.yaml @@ -4,7 +4,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/util-action-tests/util-action-09/test.yaml b/tests/util-action-tests/util-action-09/test.yaml index 4fe8650e2..be4079469 100644 --- a/tests/util-action-tests/util-action-09/test.yaml +++ b/tests/util-action-tests/util-action-09/test.yaml @@ -6,7 +6,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/util-action-tests/util-action-10/test.yaml b/tests/util-action-tests/util-action-10/test.yaml index 9c534f5cf..d5301a2ad 100644 --- a/tests/util-action-tests/util-action-10/test.yaml +++ b/tests/util-action-tests/util-action-10/test.yaml 
@@ -4,7 +4,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/util-action-tests/util-action-11/test.yaml b/tests/util-action-tests/util-action-11/test.yaml index 865057391..f955f19a2 100644 --- a/tests/util-action-tests/util-action-11/test.yaml +++ b/tests/util-action-tests/util-action-11/test.yaml @@ -6,7 +6,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/util-action-tests/util-action-12/test.yaml b/tests/util-action-tests/util-action-12/test.yaml index 3c00d2a42..f950905d0 100644 --- a/tests/util-action-tests/util-action-12/test.yaml +++ b/tests/util-action-tests/util-action-12/test.yaml @@ -4,7 +4,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/util-action-tests/util-action-14/test.yaml b/tests/util-action-tests/util-action-14/test.yaml index 2ee5556a5..f4dd8d1b0 100644 --- a/tests/util-action-tests/util-action-14/test.yaml +++ b/tests/util-action-tests/util-action-14/test.yaml @@ -6,7 +6,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/util-action-tests/util-action-15/test.yaml b/tests/util-action-tests/util-action-15/test.yaml index 50e156d67..4f9d91b5f 100644 --- a/tests/util-action-tests/util-action-15/test.yaml +++ b/tests/util-action-tests/util-action-15/test.yaml @@ -6,7 +6,8 @@ args: checks: - filter: - min-version: 7 + requires: + min-version: 7 count: 1 match: event_type: flow diff --git a/tests/vxlan-decoder-03/test.yaml b/tests/vxlan-decoder-03/test.yaml index fbf41ff69..9bc38924e 100644 --- a/tests/vxlan-decoder-03/test.yaml +++ b/tests/vxlan-decoder-03/test.yaml @@ -3,7 +3,8 @@ args: checks: - filter: - min-version: 8 + requires: + min-version: 8 count: 14 match: event_type: flow 
@@ -11,7 +12,8 @@ checks: flow.pkts_toclient: 0 flow.bytes_toclient: 0 - filter: - min-version: 8
+ requires:
+ min-version: 8 count: 2 match: event_type: flow
@@ -20,7 +22,8 @@ checks: flow.pkts_toclient: 0 flow.bytes_toclient: 0 - filter: - lt-version: 8
+ requires:
+ lt-version: 8 count: 13 match: event_type: flow
From 113ae1e7854e716684586cb4968d09e542720558 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Fri, 27 Feb 2026 16:27:51 -0600
Subject: [PATCH 3/3] misc: fail on unknown keys in file-compare check
---
 run.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/run.py b/run.py
index 563f2ec9a..ad8f30570 100755
--- a/run.py
+++ b/run.py
@@ -461,6 +461,9 @@ def rule_is_version_compatible(rulefile, suri_version):
 class FileCompareCheck:
 def __init__(self, config, directory, cwd):
+ for key in config:
+ if key not in ["requires", "filename", "expected"]:
+ raise Exception("Unexpected key in file-compare check: {}".format(key))
 self.config = config
 self.directory = directory
 self.cwd = cwd
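Review bot: The added guard `for key in config:` in FileCompareCheck.__init__ assumes config is a mapping; a `file-compare:` entry with no body (None) or written as a list would raise a TypeError or iterate list items instead of keys, so an explicit shape check before the loop, `if not isinstance(config, dict): raise ValueError("file-compare check must be a mapping")`, would make that failure deliberate rather than incidental (if the runner has its own test-error exception type, that is the better choice here and for the bare `raise Exception(...)` on the next added line, so callers can catch configuration errors specifically). Listing the accepted keys in the message would also help whoever mistyped one, e.g. `"Unexpected key in file-compare check: {} (allowed: requires, filename, expected)"`, and hoisting `["requires", "filename", "expected"]` into a module-level tuple or set keeps the allow-list in one place. Rejecting unknown keys is worthwhile hardening for a test runner, since a misspelled `requires` would otherwise silently run the check unconditionally. The remainder of __init__ and the class body continue outside the hunk.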