diff --git a/run.py b/run.py index ad8f30570..ea25cbe00 100755 --- a/run.py +++ b/run.py @@ -339,12 +339,20 @@ def check_requires(requires, suricata_config: SuricataConfig, test_dir=None): raise UnsatisfiedRequirementError( "requires at least version {}".format(min_version)) elif key == "lt-version": + if "gt-version" in requires: + if not Version().is_lt(parse_suricata_version(requires["gt-version"]), parse_suricata_version(requires["lt-version"])): + raise ImpossibleRequirementError( + "test has both lt-version {} and gt-version {}".format(requires["lt-version"], requires["gt-version"])) lt_version = requires["lt-version"] if not is_version_compatible(version=lt_version, suri_version=suri_version, expr="lt"): raise UnsatisfiedRequirementError( "for version less than {}".format(lt_version)) elif key == "gt-version": + if "lt-version" in requires: + if not Version().is_lt(parse_suricata_version(requires["gt-version"]), parse_suricata_version(requires["lt-version"])): + raise ImpossibleRequirementError( + "test has both lt-version {} and gt-version {}".format(requires["lt-version"], requires["gt-version"])) gt_version = requires["gt-version"] if not is_version_compatible(version=gt_version, suri_version=suri_version, expr="gt"): diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml index fca1e5794..baba4e26d 100644 --- a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml @@ -9,9 +9,6 @@ pcap: ../alert-max-append-higher-priority/input.pcap checks: # Sub-test 1 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: alert @@ -21,9 +18,6 @@ checks: verdict.action: drop # Sub-test 2 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: alert 
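Review bot: The lt-/gt-version consistency check is pasted twice, once under `elif key == "lt-version":` and again under `elif key == "gt-version":`, with the same two `parse_suricata_version` calls and the same message, so when both keys are present the second copy re-runs a check the first already passed and any future fix has to be made in two places. Pull it into one helper called from both branches, which also brings the 130-character condition line back to a readable width. `ImpossibleRequirementError` is not defined in this hunk, so unless it is already declared in run.py next to `UnsatisfiedRequirementError` the new branch raises NameError instead (cannot confirm from here). check_requires begins and ends outside the hunk.
```python
def _check_version_range(requires):
    """Raise ImpossibleRequirementError when lt-version/gt-version cannot both hold."""
    if "lt-version" not in requires or "gt-version" not in requires:
        return
    lower = parse_suricata_version(requires["gt-version"])
    upper = parse_suricata_version(requires["lt-version"])
    # The range is satisfiable only if the lower bound precedes the upper bound.
    if not Version().is_lt(lower, upper):
        raise ImpossibleRequirementError(
            "test has both lt-version {} and gt-version {}".format(
                requires["lt-version"], requires["gt-version"]))

# … unchanged: check_requires up to the lt-version branch …
        elif key == "lt-version":
            _check_version_range(requires)
            lt_version = requires["lt-version"]
# … unchanged: lt-version compatibility check …
        elif key == "gt-version":
            _check_version_range(requires)
            gt_version = requires["gt-version"]
# … unchanged: gt-version compatibility check …
```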
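Review bot: In alert-max-append-higher-priority-drop-5180-01 the `requires:` block of Sub-test 1 is deleted outright, so a check that previously never ran (the 8.0.4/8.0.4 bounds were unsatisfiable) now runs on every Suricata version; the same applies to the other hunks in this file and to all of the -02 hunks. The -03 file keeps `min-version: 8.0.4` in its last hunk, which suggests these checks were meant to be gated on the 5180 fix rather than ungated, unless -01 and -02 already carry a file-level `requires:` outside the hunk. If that gating is intended, replacing the removed block with `requires:` / `min-version: 8.0.4` keeps the sub-tests from failing on older branches.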
@@ -84,9 +78,6 @@ checks: alert.signature_id: 5 # Sub-test 8 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: drop diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml index 5dd50fc63..d6c7416cb 100644 --- a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml @@ -7,18 +7,12 @@ args: checks: # Subtest 1 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 0 match: event_type: alert alert.signature_id: 1 # Subtest 2 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: alert @@ -28,9 +22,6 @@ checks: verdict.action: drop # Subtest 3 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: alert @@ -41,18 +32,12 @@ checks: # Subtest 4 # Matches, but not enough space in packet alert queue - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 0 match: event_type: alert alert.signature_id: 4 # Subtest 5 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: alert @@ -63,18 +48,12 @@ checks: # Subtest 6 # Matches, but not enough space in packet alert queue - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 0 match: event_type: alert alert.signature_id: 6 # Subtest 7 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: drop @@ -82,9 +61,6 @@ checks: drop.reason: rules # Subtest 8 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: drop 
@@ -92,18 +68,12 @@ checks: drop.reason: "flow drop" # Subtest 9 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: flow flow.action: "drop" # Subtest 10 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: stats diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml index 3e57e7c4e..c71bd2ccd 100644 --- a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml @@ -7,9 +7,6 @@ args: checks: # Sub-test 1 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: alert @@ -18,9 +15,6 @@ checks: verdict.action: drop # Sub-test 2 - filter: - requires: - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: alert @@ -57,8 +51,6 @@ checks: - filter: requires: min-version: 8.0.4 - lt-version: 8.0.4 - gt-version: 8.0.4 count: 1 match: event_type: drop diff --git a/tests/bug-7851-01/README.md b/tests/bug-7851-01/README.md new file mode 100644 index 000000000..ab6eb9018 --- /dev/null +++ b/tests/bug-7851-01/README.md @@ -0,0 +1,3 @@ +https://redmine.openinfosecfoundation.org/issues/7851 + +PCAP generated based on the example traffic in the ticket. diff --git a/tests/bug-7851-01/connect.fs b/tests/bug-7851-01/connect.fs new file mode 100644 index 000000000..ec944dcfa --- /dev/null +++ b/tests/bug-7851-01/connect.fs @@ -0,0 +1,3 @@ +flow default tcp 192.168.0.233:44123 > google.com:80 (tcp.initialize;); +default > (content:"CONNECT / HTTP/1.1\x0d\x0aMp-Country: US\x0d\x0aMp-BuildVersion: 136\x0d\x0aMp-Roaming: 0\x0d\x0aMp-VersionRelease: 4.3\x0d\x0aMp-Operator: android\x0d\x0aMp-SdkId: 18\x0d\x0aMp-NetworkType: 3\x0d\x0a\x0d\x0a";); +default < (content:"HTTP/1.1 200 OK\x0d\x0a\x0d\x0a";); 
diff --git a/tests/bug-7851-01/connect.pcap b/tests/bug-7851-01/connect.pcap new file mode 100644 index 000000000..8d85b1c61 Binary files /dev/null and b/tests/bug-7851-01/connect.pcap differ diff --git a/tests/bug-7851-01/test.rules b/tests/bug-7851-01/test.rules new file mode 100644 index 000000000..6cf2d4193 --- /dev/null +++ b/tests/bug-7851-01/test.rules @@ -0,0 +1,6 @@ +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious short host value - pcre and bsize"; flow:established,to_server; http.host; bsize:<3; pcre:"/^.{1,2}$/"; classtype:bad-unknown; sid:1; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious short host value - bsize"; flow:established,to_server; http.host; bsize:<3; classtype:bad-unknown; sid:2; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious short host value - pcre"; flow:established,to_server; http.host; pcre:"/^.{1,2}$/"; classtype:bad-unknown; sid:3; rev:1;) + diff --git a/tests/bug-7851-01/test.yaml b/tests/bug-7851-01/test.yaml new file mode 100644 index 000000000..e8603aee2 --- /dev/null +++ b/tests/bug-7851-01/test.yaml @@ -0,0 +1,11 @@ +checks: + - filter: + count: 0 + match: + event_type: alert + - filter: + count: 1 + match: + event_type: http + http.http_method: CONNECT + http.url: / diff --git a/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml b/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml index 435d03d59..4483e09c7 100644 --- a/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml +++ b/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml @@ -1,7 +1,7 @@ pcap: ../../bug-3519/input.pcap requires: - version: 8 + min-version: 8 checks: diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml b/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml index a3fe08054..aa0ef90ac 100644 --- a/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml +++ b/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml 
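Review bot: The first check in the new bug-7851-01/test.yaml asserts `count: 0` alerts, but nothing in the test proves that the three rules in test.rules were loaded, so a rule that fails to parse on some version would make this regression test pass vacuously. Add a check that pins the rule counters from the stats event (the detect-engine `rules_loaded`/`rules_failed` counters, with the exact field path confirmed against other tests in this repository), or pass `--init-errors-fatal` in `args:` so a rejected rule fails the run. The test also has no `requires:` block; if the 7851 fix only landed in a given release, a `min-version` is needed to keep older branches green.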
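Review bot: Replacing `version: 8` with `min-version: 8` in ftp-active-dynamic_port-01 widens the requirement from the 8.x series to every later major as well, which is a semantic change rather than a rename; that is fine if the ftp keywords are expected to persist, but the commit description is not visible here to confirm it. The same substitution is made in the remaining detect-ftp test.yaml hunks and in pop3-auth-01, and udp-5379 drops its `version: 7` entirely, which reads as the `version` key being retired. If so, a one-line mention of that in the commit description would save the next reader the inference.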
@@ -1,7 +1,7 @@ pcap: ftp-active-dynamic_port.pcap requires: - version: 8 + min-version: 8 args: - -k none diff --git a/tests/detect-ftp/ftp-command-01/test.yaml b/tests/detect-ftp/ftp-command-01/test.yaml index b5fd8058b..7a83d704b 100644 --- a/tests/detect-ftp/ftp-command-01/test.yaml +++ b/tests/detect-ftp/ftp-command-01/test.yaml @@ -1,7 +1,7 @@ pcap: ../../bug-3519/input.pcap requires: - version: 8 + min-version: 8 checks: diff --git a/tests/detect-ftp/ftp-command-02/test.yaml b/tests/detect-ftp/ftp-command-02/test.yaml index 688161dd2..aef13e30a 100644 --- a/tests/detect-ftp/ftp-command-02/test.yaml +++ b/tests/detect-ftp/ftp-command-02/test.yaml @@ -1,7 +1,7 @@ pcap: ../../bug-3519/input.pcap requires: - version: 8 + min-version: 8 exit-code: 1 diff --git a/tests/detect-ftp/ftp-mode-01/test.yaml b/tests/detect-ftp/ftp-mode-01/test.yaml index 191fb7443..b63bb9e9a 100644 --- a/tests/detect-ftp/ftp-mode-01/test.yaml +++ b/tests/detect-ftp/ftp-mode-01/test.yaml @@ -1,5 +1,5 @@ requires: - version: 8 + min-version: 8 pcap: ../../bug-3519/input.pcap diff --git a/tests/detect-ftp/ftp-mode-02/test.yaml b/tests/detect-ftp/ftp-mode-02/test.yaml index 0583a7998..a4cc88afc 100644 --- a/tests/detect-ftp/ftp-mode-02/test.yaml +++ b/tests/detect-ftp/ftp-mode-02/test.yaml @@ -1,5 +1,5 @@ requires: - version: 8 + min-version: 8 pcap: ../../ftp-epsv/input.pcap diff --git a/tests/detect-ftp/ftp-mode-03/test.yaml b/tests/detect-ftp/ftp-mode-03/test.yaml index af5086ddf..3a61f3003 100644 --- a/tests/detect-ftp/ftp-mode-03/test.yaml +++ b/tests/detect-ftp/ftp-mode-03/test.yaml @@ -1,5 +1,5 @@ requires: - version: 8 + min-version: 8 pcap: false exit-code: 1 diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml b/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml index e6d25b2f5..575ecfbc5 100644 --- a/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml +++ b/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml 
@@ -1,7 +1,7 @@ pcap: ../../ftp-epsv/input.pcap requires: - version: 8 + min-version: 8 checks: diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml b/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml index 85ccf5924..6c69c9c72 100644 --- a/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml +++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml @@ -1,7 +1,7 @@ pcap: ftp-passive-dynamic_port.pcap requires: - version: 8 + min-version: 8 checks: diff --git a/tests/detect-ftp/ftp-reply-received-01/test.yaml b/tests/detect-ftp/ftp-reply-received-01/test.yaml index 999d8a54c..61d3fed97 100644 --- a/tests/detect-ftp/ftp-reply-received-01/test.yaml +++ b/tests/detect-ftp/ftp-reply-received-01/test.yaml @@ -1,5 +1,5 @@ requires: - version: 8 + min-version: 8 pcap: ../../bug-3519/input.pcap diff --git a/tests/detect-ftp/ftp-reply-received-02/test.yaml b/tests/detect-ftp/ftp-reply-received-02/test.yaml index fac9dc4c7..873605928 100644 --- a/tests/detect-ftp/ftp-reply-received-02/test.yaml +++ b/tests/detect-ftp/ftp-reply-received-02/test.yaml @@ -1,5 +1,5 @@ requires: - version: 8 + min-version: 8 pcap: ../../ftp/ftp-too-long-response/ftp-too-long-response.pcap diff --git a/tests/detect-ftp/ftp-reply-received-03/test.yaml b/tests/detect-ftp/ftp-reply-received-03/test.yaml index 56efdc15c..c5515291c 100644 --- a/tests/detect-ftp/ftp-reply-received-03/test.yaml +++ b/tests/detect-ftp/ftp-reply-received-03/test.yaml @@ -1,5 +1,5 @@ requires: - version: 8 + min-version: 8 pcap: false exit-code: 1 diff --git a/tests/pop3-auth-01/test.yaml b/tests/pop3-auth-01/test.yaml index 06c0cedb0..b7a1e0f6a 100644 --- a/tests/pop3-auth-01/test.yaml +++ b/tests/pop3-auth-01/test.yaml @@ -1,5 +1,5 @@ requires: - version: 8 + min-version: 8 args: - -k none diff --git a/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml b/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml index 853741c04..198f94f99 100644 
--- a/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml +++ b/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml @@ -10,8 +10,6 @@ command: | checks: - shell: - requires: - version: 7 args: |- grep "Warning: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l expect: 1 diff --git a/tests/udp-5379/udp-hlen-invalid-strict/test.yaml b/tests/udp-5379/udp-hlen-invalid-strict/test.yaml index a1634a3b3..28749fe11 100644 --- a/tests/udp-5379/udp-hlen-invalid-strict/test.yaml +++ b/tests/udp-5379/udp-hlen-invalid-strict/test.yaml @@ -9,8 +9,6 @@ command: | checks: - shell: - requires: - version: 7 args: |- grep "Error: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l expect: 1
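Review bot: Dropping `requires: version: 7` from the shell check in udp-hlen-invalid-non-strict (and from the strict variant in the following hunk) makes the grep for the exact "decode-event keyword no longer supports event" wording run on every Suricata version rather than only on 7. That is safe only if every supported version emits that log line unchanged; if the intent is merely that 7 is no longer an exact pin, `requires:` / `min-version: 7` on the check keeps the gating explicit. The enclosing `checks:` list continues outside the hunk.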