OISF · jasonish · Jan 27, 2025
diff --git a/tests/lua/lua-base64/README.md b/tests/lua/lua-base64/README.md
@@ -0,0 +1,5 @@
+Test Lua base64 library.
+
+```
+local base64 = require("suricata.base64")
+```
diff --git a/tests/lua/lua-base64/output.lua b/tests/lua/lua-base64/output.lua
@@ -0,0 +1,43 @@
+-- Test that "suricata.base64" can be used from a Lua output
+-- script. More thourough testing of base64 in rule.lua.
+
+local base64 = require("suricata.base64")
+
+local expected_base64 = "d3d3LnN1cmljYXRhLWlkcy5vcmc="
+
+filename = "results.log"
+
+function init (args)
+   local needs = {}
+   needs["protocol"] = "dns"
+   return needs
+end
+
+function setup (args)
+   SCLogNotice("lua: setup()")
+   file = assert(io.open(SCLogPath() .. "/" .. filename, "w"))
+end
+
+function log(args)
+   queries = DnsGetQueries()
+   if queries ~= nil then
+      for n, t in pairs(queries) do
+
+         if base64.encode(t["rrname"]) == expected_base64 then
+            msg = "OK"
+         else
+            msg = "FAIL"
+         end
+
+	 write(msg)
+      end
+   end
+end
+
+function deinit(args)
+   file:close(file)
+end
+
+function write(msg)
+   file:write(msg .. "\n")
+end
diff --git a/tests/lua/lua-base64/rule.lua b/tests/lua/lua-base64/rule.lua
@@ -0,0 +1,70 @@
+local base64 = require("suricata.base64")
+
+local rrname = "www.suricata-ids.org"
+local expected_base64 = "d3d3LnN1cmljYXRhLWlkcy5vcmc="
+local expected_base64_nopad = "d3d3LnN1cmljYXRhLWlkcy5vcmc"
+
+local input_base64_with_spaces = "d3 d3 Ln N1 cm lj YX Rh LW lk cy 5v cm c="
+
+function init (args)
+   local needs = {}
+   needs["dns.rrname"] = tostring(true)
+   return needs
+end
+
+function match(args)
+   rrname = tostring(args["dns.rrname"])
+
+   encoded = base64.encode(rrname)
+   if encoded ~= expected_base64 then
+      print("base64.encode failed")
+      return 0
+   end
+
+   decoded = base64.decode(encoded)
+   if decoded ~= rrname then
+      print("base64.decode failed")
+      return 0
+   end
+
+   decoded = base64.decode_padopt(encoded)
+   if decoded ~= rrname then
+      print("base64.decode failed")
+      return 0
+   end
+
+   encoded = base64.encode_nopad(rrname)
+   if encoded ~= expected_base64_nopad then
+      print("base64.encode_nopad failed")
+      return 0
+   end
+
+   decoded = base64.decode_nopad(encoded)
+   if decoded ~= rrname then
+      print("base64.decode failed")
+      return 0
+   end
+
+   decoded = base64.decode_padopt(encoded)
+   if decoded ~= rrname then
+      print("base64.decode failed")
+      return 0
+   end
+
+   -- RFC 2045 allows spaces.
+   decoded = base64.decode_rfc2045(input_base64_with_spaces)
+   if decoded ~= rrname then
+      print("base64.decode_rfc2045 failed")
+      return 0
+   end
+
+   -- RFC 4648 does not allow spaces
+   decoded = base64.decode_rfc4648(input_base64_with_spaces)
+   if decoded ~= "w" then
+      print("base64.decode_rfc2045 failed")
+      return 0
+   end
+
+   return 1
+end
+
diff --git a/tests/lua/lua-base64/suricata.yaml b/tests/lua/lua-base64/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+
+  # Extensible Event Format (nicknamed EVE) event log in JSON format
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+
+  - lua:
+      enabled: yes
+      scripts-dir: .
+      scripts:
+        - output.lua
diff --git a/tests/lua/lua-base64/test.rules b/tests/lua/lua-base64/test.rules
@@ -0,0 +1,3 @@
+alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+      dns.query.name; content: "www.suricata-ids.org"; \
+      lua:rule.lua; sid:1; rev:1;)
diff --git a/tests/lua/lua-base64/test.yaml b/tests/lua/lua-base64/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../cond-log-dns-dig/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+  - --set security.lua.allow-rules=true
+  - --set default-rule-path=.
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+
+  - shell:
+      args: grep "OK" results.log | wc -l
+      expect: 2