Diffstat (limited to 'tests/analysis/scan/functions.py')
-rw-r--r--tests/analysis/scan/functions.py77
1 files changed, 77 insertions, 0 deletions
diff --git a/tests/analysis/scan/functions.py b/tests/analysis/scan/functions.py
index 96f029f..6aca957 100644
--- a/tests/analysis/scan/functions.py
+++ b/tests/analysis/scan/functions.py
@@ -9,6 +9,41 @@ class TestRostFunctions(RostTestClass):
# Core
# ====
+ def testSetCounter(self):
+ """Count quantities and set sizes."""
+
+ rule = '''
+rule test {
+
+ condition:
+ count("ABC") == 3
+ and count("AB", "C") == count("ABC")
+
+}
+'''
+
+ self.check_rule_success(rule)
+
+
+ cnt = MemoryContent(b'\x01\x02\x02\x03\x03\x03')
+
+ rule = '''
+rule test {
+
+ bytes:
+ $int_01 = "\x01"
+ $int_02 = "\x02"
+ $int_3 = "\x03"
+
+ condition:
+ count($int_0*, $int_3) == #int_*
+
+}
+'''
+
+ self.check_rule_success(rule, cnt)
+
+
def testDatasize(self):
"""Handle the size of the provided data."""
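Review bot: The `bytes:` rule in testSetCounter is written in a plain (non-raw) triple-quoted string, so Python rewrites `$int_01 = "\x01"` into a literal 0x01 control byte before the rule text reaches the parser, whereas the `string.wide` rule added later in this commit uses `r'''` and hands the `\x00` escapes to the parser verbatim; the two tests therefore exercise different escape paths, and only one of them is presumably the intended one. Unless the parser is meant to accept raw control bytes inside a string literal, the second `rule = '''` in this method should become `rule = r'''` to match the later test. The second condition also compares two derived quantities against each other; pinning one side to the literal count the fixture was built for, e.g. `count($int_0*, $int_3) == #int_* and #int_* == 6`, would catch a regression where both sides drift together (assuming `#int_*` counts every `$int_*` match, which the content of six bytes suggests). The enclosing class TestRostFunctions starts outside the hunk.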
@@ -33,6 +68,32 @@ rule test {
self.check_rule_success(rule, cnt)
+ def testMaxCommon(self):
+ """Count the largest quantity of same items in a set."""
+
+ cnt = MemoryContent(b'')
+
+ cases = [
+ [ '1', 1 ],
+ [ '1, 2, 3', 1 ],
+ [ '1, 2, 1, 3, 1', 3 ],
+ [ '1, "a", 2, 3, "a"', 2 ],
+ ]
+
+ for c, q in cases:
+
+ rule = '''
+rule test {
+
+ condition:
+ maxcommon(%s) == %u
+
+}
+''' % (c, q)
+
+ self.check_rule_success(rule, cnt)
+
+
# Modules
# =======
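Review bot: The `cases` table in testMaxCommon never exercises a tie between two values that both reach the maximum, so a maxcommon() that returned, say, the count of the first repeated item would still pass every row; adding `[ '2, 2, 1, 1', 2 ],` closes that gap. Two smaller points of style: `%u` is an obsolete alias of `%d` in Python's printf formatting and `%d` reads more clearly, and the two-element rows are fixed-shape records, so `('1', 1)` tuples would be the conventional form. The method itself lies wholly within the hunk.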
@@ -108,6 +169,7 @@ rule test {
self.check_rule_success(rule)
+
rule = '''
rule test {
@@ -119,6 +181,7 @@ rule test {
self.check_rule_success(rule)
+
rule = '''
rule test {
@@ -134,6 +197,19 @@ rule test {
self.check_rule_success(rule)
+ rule = r'''
+rule test {
+
+ condition:
+ "A\x00B\x00C\x00D\x00" endswith string.wide("CD")
+ and "A\x00B\x00C\x00D\x00" contains string.wide("BC")
+
+}
+'''
+
+ self.check_rule_success(rule)
+
+
def testTime(self):
"""Check current time."""
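Review bot: The new `string.wide` rule is a positive-only check: both conditions hold for the interleaved-NUL string, but nothing confirms that the plain form `"ABCD"` is rejected, so a `string.wide` that simply returned its argument unchanged would still pass the `contains` half. If RostTestClass offers a failure counterpart to check_rule_success, a companion rule such as `"ABCD" contains string.wide("BC")` expected to fail would pin the wide encoding down; otherwise a note in the docstring that the test covers only the matching direction would set expectations. The enclosing method starts before this hunk.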
@@ -150,6 +226,7 @@ rule test {
self.check_rule_success(rule)
+
rule = '''
rule test {