From b01edd7e431a5f038b1e22b932a288f41de5fe35 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 12 Aug 2024 10:18:04 +0200
Subject: [PATCH] detect/datasets: adds test for unset operation

Ticket: 7195
---
 tests/datasets-10-unset/README.md | 20 ++++++++++++++++++++
 tests/datasets-10-unset/expected/after.csv | 1 +
 tests/datasets-10-unset/test.rules | 2 ++
 tests/datasets-10-unset/test.yaml | 21 +++++++++++++++++++++
 tests/datasets-10-unset/unset.pcap | Bin 0 -> 4779 bytes
 5 files changed, 44 insertions(+)
 create mode 100644 tests/datasets-10-unset/README.md
 create mode 100644 tests/datasets-10-unset/expected/after.csv
 create mode 100644 tests/datasets-10-unset/test.rules
 create mode 100644 tests/datasets-10-unset/test.yaml
 create mode 100644 tests/datasets-10-unset/unset.pcap

diff --git a/tests/datasets-10-unset/README.md b/tests/datasets-10-unset/README.md
new file mode 100644
index 000000000..79dba685b
--- /dev/null
+++ b/tests/datasets-10-unset/README.md
@@ -0,0 +1,20 @@
+Test Description
+================
+
+This test demonstrates the unset operation for datasets.
+
+PCAP
+====
+
+Running as server `python3 -m http.server 8001`
+And as clients
+```
+curl -A "useragent1" http://127.0.0.1:8001/toto
+curl -A "useragent2" http://127.0.0.1:8001/toto
+curl -A "useragent1" http://127.0.0.1:8001/tata
+```
+
+Related tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/7195
diff --git a/tests/datasets-10-unset/expected/after.csv b/tests/datasets-10-unset/expected/after.csv
new file mode 100644
index 000000000..778bdbf4f
--- /dev/null
+++ b/tests/datasets-10-unset/expected/after.csv
@@ -0,0 +1 @@
+dXNlcmFnZW50Mg==
diff --git a/tests/datasets-10-unset/test.rules b/tests/datasets-10-unset/test.rules
new file mode 100644
index 000000000..378bdbb8a
--- /dev/null
+++ b/tests/datasets-10-unset/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (http.uri; content: "/toto"; http.user_agent; dataset:set,ua-seen,type string,save after.csv; sid:1;)
+alert http any any -> any any (http.uri; content: "/tata"; http.user_agent; dataset:unset,ua-seen,type string,save after.csv; sid:2;)
diff --git a/tests/datasets-10-unset/test.yaml b/tests/datasets-10-unset/test.yaml
new file mode 100644
index 000000000..8f9603bff
--- /dev/null
+++ b/tests/datasets-10-unset/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+ - --data-dir=${OUTPUT_DIR} -k none --runmode single
+
+checks:
+# 2 sets and 1 unset alerts
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - file-compare:
+ filename: after.csv
+ expected: expected/after.csv
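Review bot: The `file-compare` check at the end of the test.yaml hunk is the assertion that actually proves the unset took effect, yet nothing in the file says what `expected/after.csv` holds or why; a comment above the `- file-compare:` entry such as `# after.csv must hold only base64("useragent2"): useragent1 was set by the first /toto request and removed again by the /tata request (sid 2)` would let a reader review the intent without decoding the fixture. The existing `# 2 sets and 1 unset alerts` comment only explains the two count checks. It is also worth stating in the README hunk that the third curl deliberately reuses `useragent1` so that the unset in test.rules targets a value that is present in the set. The case where unset is applied to a value that was never set is not exercised here, so whether sid 2 would still alert in that situation is left unasserted.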
diff --git a/tests/datasets-10-unset/unset.pcap b/tests/datasets-10-unset/unset.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c637e59fdc5cad609d71bc54ce15b6887a440cf5 GIT binary patch literal 4779 zcmeH~UuYav6vk(hrQ035v=v%XX~;DXBEjtJzqaXi8@o2K6&np^1M1uC=4N+gGqc^f zTN_(xq(rG8#X=v7fiw?-AePYhXrEfa2gMgH36=&|5Up)#EEKBJc+Sk+-J4|M&SLV` zO)gC4&iwM7@0>Yj=ZCA8rqjDjapDfjc+0rR9%D&w_YcAM#M!W)~b=+Z<{WIb0KR zUI5M+(1Od>Gyb1?T0qa}Qay)yQ$%4p)5+mfs$U5Q!vXoQZm>8BNA?6m@Dq-Ag+g$4 z(4eKxWR_~MSB7I158-?=lc7a8*P(O-T$D%r7!3HpBbm!G zz;oK!fD`ASQf9_>wA@;Jd#M45r+Z#Kn0lkX7c$&;q+3p)22xP9?EZGDwRg(|K8YMv zhpa>M&k@R0!gaQrLhUQfZI)*R+TB|!=_OL4Mp4%cnoz8>7Eh@G6KQ>DRAA@AEAE6- z=4~dtXm4lqA+Qb7mQadIw)?1IK=s9!r8BtvI!hm72t8heh*c{+SP7lv6`kesT9%Bc zER&-KVL3{&`D0WggRi|*Vaj~(^bZ|IY4$p>0w5*}^GhF-q#@>{rv z%@>*PxnP2}$%jvzZU*i}r-okm=EhOva^^?CteZzm=SARpA>L|3M-K8(+j$opTbmcP zi5#v8Io|`PZbKLK2o0U<`JW9vvZA4*u-_XCa6v2#F~E7l@1~(+649syv7vL$x;OOQ z>(tQE$OmA6%Zgh76Rv=f)y}~)jGSiXcQY8!$Sd4PJ{Y)>j|an=4hBq%57Od3z2lo8 zz14;;rgx_cj@3}cH<{_(TKfXU(~ElcxZqT*h63d_9#~D!K%*RCz=&}fE;x2v0f_5Q zr#@1KxIW$?*B>xbZOIQeZ@jwNfC=?{`Yj(Y$o$C#6SPgW-d2AE?lq?Y^R@S@PmqfP z2ARJCvu-_DIcKYFu?f^dC0lzf@5pDj@m>HFeZ?NoM)br>kk-Fk1$|tJrmY| zQQ`aH8oe=~uzet`o>8>`{oBOC5CeR3r|f3HU=qP7;0SLFoU`5oCKg_&0fR=Cz<_#2 zR?H0hx3%6*p9LeU1BPc9Iqw3;#hV8hnLf*n43qsjJZg!^_*mGnrRUR y15XQb-gm*Nl}Y9%lu30^iDh!8G0yyIoPQeS2m?mcv%R%``P=@?gFoAy`pCcaP6KxU literal 0 HcmV?d00001