-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tests: add keyword check to requires test #2133
Conversation
@@ -14,4 +14,4 @@ alert udp any any -> any any (vxlan_vni:10; requires: version >= 10; sid:2;) | |||
alert http any any => any any (requires: version >= 10; sid:3;) | |||
alert tcp any any -> any any (frame:smtp.not_supported; requires: version >= 10; sid:4;) | |||
|
|||
alert asdf any any -> any any (requires: version >= 6, foo bar; sid:102; rev:1;) | |||
alert asdf any any -> any any (requires: version >= 6; foo: bar; sid:102; rev:1;) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we change this existing test ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We want the test to fail parsing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More details. In master, requires: version >= 6, foo bar
is considered as all requirements met. So this rule fails out as asdf
is unknown. With the PR, this rule is considered without requirements met, so the asdf
is never parsed. This is to test somewhat of an edge case documented in ticket https://redmine.openinfosecfoundation.org/issues/6710, which I've added to the README now as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But in the new version foo: bar;
is totally unused then, right ?
And it would still be good to test requires: version >= 6, foo bar;
somehow, right ?
f682882
to
575c0f0
Compare
575c0f0
to
1397a58
Compare
Only for 8.0 for now. requires-fail: With the change to unknown requires statements treated as not meeting requirements, update the rule to use an unknown keyword to make it fail out. This is to test an edge case from ticket #6710. Ticket: #7403
1397a58
to
35ea6c1
Compare
@@ -14,4 +14,4 @@ alert udp any any -> any any (vxlan_vni:10; requires: version >= 10; sid:2;) | |||
alert http any any => any any (requires: version >= 10; sid:3;) | |||
alert tcp any any -> any any (frame:smtp.not_supported; requires: version >= 10; sid:4;) | |||
|
|||
alert asdf any any -> any any (requires: version >= 6, foo bar; sid:102; rev:1;) | |||
alert asdf any any -> any any (requires: version >= 6; foo: bar; sid:102; rev:1;) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is the failure here not due to alert asdf...
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apparently yes as discussed above
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah yes, maybe one day I will learn to read. Thanks Philippe.
Merged in #2158, thanks! |
Only for 8.0 for now.
requires-fail: With the change to unknown requires statements treated as
not meeting requirements, update the rule to use an unknown keyword to
make it fail out.
Ticket: #7403