Bug #4276

closed

If inner levels of test.yaml have any field missing, s-v considers test failed

Added by Shivani Bhardwaj about 3 years ago. Updated about 3 years ago.

Status:
Rejected
Priority:
Normal


Related issues 1 (0 open, 1 closed)

Blocks Suricata - Task #3055: Add tests for: #78 uricontent matching regression (Closed, Shivani Bhardwaj)
Actions #1

Updated by Philippe Antoine about 3 years ago

I am not sure I understand.
Which yaml are we talking about? test.yaml?
Can we have the example where it works and where it fails with an inner field missing?

Actions #2

Updated by Shivani Bhardwaj about 3 years ago

  • Subject changed from If inner levels of yaml have any field missing, s-v considers test failed to If inner levels of test.yaml have any field missing, s-v considers test failed

Philippe Antoine wrote in #note-1:

I am not sure I understand.
Which yaml are we talking about? test.yaml?

Yes. Sorry for being unclear.

Can we have the example where it works and where it fails with an inner field missing?

This one is passing the tests as all the fields of alert section from eve are present here: https://github.com/OISF/suricata-verify/pull/381/files#diff-efb9bb0172a43f58d20b5e5a92f7b3694e2efd1c8c3342087a7da4e937b267dbR13

This one is failing as it misses gid and category fields from the alert section: https://github.com/inashivb/suricata-verify/commit/19fbb35e1e089375b017b551306e2c6db3d5b5c8#diff-efb9bb0172a43f58d20b5e5a92f7b3694e2efd1c8c3342087a7da4e937b267dbR13

Actions #3

Updated by Shivani Bhardwaj about 3 years ago

  • Blocks Task #3055: Add tests for: #78 uricontent matching regression added
Actions #4

Updated by Jason Ish about 3 years ago

This is somewhat by design. If you have a match block like:

alert:
  action: allowed
  severity: 3
  signature: msg escape tests
  signature_id: 100

You are looking for equality on the whole object. If you just want to look for one value, you can use:

alert.action: allowed
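
Added example, not part of the original thread and not suricata-verify's own code: a simplified Python model of the two match forms described in the comment above, run against a constructed EVE alert record. The function names, the sample event and its field values are assumptions made for the illustration.

```python
# Simplified model of the matching semantics described in the thread.
# Illustration only: this is not suricata-verify's implementation.

def find_value(event, dotted_key):
    """Walk a dotted key such as 'alert.action' through nested dicts.
    Returns (found, value)."""
    node = event
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def event_matches(event, match):
    """Every key in the match block must resolve and compare equal.
    A mapping given as the expected value is compared as a whole object."""
    for key, expected in match.items():
        found, actual = find_value(event, key)
        if not found or actual != expected:
            return False
    return True


# Constructed EVE alert record (values invented for this example).
EVENT = {
    "event_type": "alert",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 100,
        "signature": "msg escape tests",
        "category": "",
        "severity": 3,
    },
}

# Whole-object form that omits gid and category: does not match.
PARTIAL_OBJECT = {"alert": {"action": "allowed", "severity": 3,
                            "signature": "msg escape tests",
                            "signature_id": 100}}
# Whole-object form listing every field of the alert section: matches.
FULL_OBJECT = {"alert": dict(EVENT["alert"])}
# Dotted keys compare individual fields only: matches.
DOTTED = {"alert.action": "allowed", "alert.signature_id": 100}

if __name__ == "__main__":
    for name, block in [("partial object", PARTIAL_OBJECT),
                        ("full object", FULL_OBJECT), ("dotted keys", DOTTED)]:
        print(f"{name}: {event_matches(EVENT, block)}")
```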

Actions #5

Updated by Shivani Bhardwaj about 3 years ago

Jason Ish wrote in #note-4:

This is somewhat by design. If you have a match block like:
[...]

You are looking for equality on the whole object. If you just want to look for one value, you can use:
[...]

Oh. Thanks, Jason!

Actions #6

Updated by Shivani Bhardwaj about 3 years ago

  • Status changed from Assigned to Rejected

It is not really an issue. It is how it's designed to be. See Jason's comment above for the helpful info.
