Diffstat (limited to 'tests')
-rw-r--r--tests/analysis/scan/matches.py2
-rw-r--r--tests/analysis/scan/scanning_hex.py84
-rw-r--r--tests/analysis/scan/scanning_str.py20
3 files changed, 53 insertions, 53 deletions
diff --git a/tests/analysis/scan/matches.py b/tests/analysis/scan/matches.py
index 0d7556e..768531b 100644
--- a/tests/analysis/scan/matches.py
+++ b/tests/analysis/scan/matches.py
@@ -14,7 +14,7 @@ class TestRostMatchs(RostTestClass):
rule = '''
rule test {
- strings:
+ bytes:
$a = "aaa"
$b = "bbb"
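Review bot: No visible test still exercises the old `strings:` section name, either in this hunk or in the scanning_hex.py and scanning_str.py hunks, so nothing shown here pins whether the parser now rejects that keyword with a clear error or keeps accepting it. I would add one negative test that builds a rule using `strings:` and asserts the expected outcome. That way rule sets written with the old keyword fail loudly at compile time instead of silently dropping out of a scan. The diffstat is limited to tests, so the grammar change itself is not visible and such a check may already exist elsewhere. The test method enclosing this rule starts and ends outside the hunk.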
diff --git a/tests/analysis/scan/scanning_hex.py b/tests/analysis/scan/scanning_hex.py
index 32979c8..442057b 100644
--- a/tests/analysis/scan/scanning_hex.py
+++ b/tests/analysis/scan/scanning_hex.py
@@ -14,7 +14,7 @@ class TestRostScanningBinary(RostTestClass):
rule = '''
rule test {
- strings:
+ bytes:
$a = { 41 }
condition:
@@ -31,7 +31,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 62 }
condition:
@@ -48,7 +48,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 66 }
condition:
@@ -65,7 +65,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?1 }
condition:
@@ -82,7 +82,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?2 }
condition:
@@ -99,7 +99,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?6 }
condition:
@@ -119,7 +119,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ~41 }
condition:
@@ -136,7 +136,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ~62 }
condition:
@@ -153,7 +153,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ~66 }
condition:
@@ -170,7 +170,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ~?1 }
condition:
@@ -187,7 +187,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ~?2 }
condition:
@@ -204,7 +204,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ~?6 }
condition:
@@ -224,7 +224,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 41 62 63 }
condition:
@@ -241,7 +241,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 2d 41 62 63 }
condition:
@@ -261,7 +261,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?1 6? ?3 }
condition:
@@ -281,7 +281,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 41 6? ?3 }
condition:
@@ -298,7 +298,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 4? 62 ?3 }
condition:
@@ -315,7 +315,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 4? ?2 63 }
condition:
@@ -332,7 +332,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 4? ?2 ?3 }
condition:
@@ -349,7 +349,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 2d 4? ?2 63 }
condition:
@@ -366,7 +366,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 2d 4? 62 ?3 2d }
condition:
@@ -383,7 +383,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 2? 41 6? 63 ?d }
condition:
@@ -403,7 +403,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 33 ?? 41 ?? 63 ?? 34 }
condition:
@@ -420,7 +420,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?? 33 ?? 41 ?? 63 ?? 34 ?? }
condition:
@@ -437,7 +437,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?? 33 [1-5] 63 ?? 34 ?? }
condition:
@@ -454,7 +454,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { [3-4] 41 ?? 63 ?? 34 ?? }
condition:
@@ -471,7 +471,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?? 33 ?? 41 ?? 63 [3-] }
condition:
@@ -491,7 +491,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?3 ?? 4? ?? 6? ?? ?4 }
condition:
@@ -508,7 +508,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?? ?3 ?? 4? ?? 6? ?? ?4 ?? }
condition:
@@ -525,7 +525,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?? ?3 [1-5] ?3 ?? ?4 ?? }
condition:
@@ -542,7 +542,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { [3-4] ?1 ?? ?3 ?? ?4 ?? }
condition:
@@ -559,7 +559,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ?? 3? ?? 4? ?? 6? [3-] }
condition:
@@ -579,7 +579,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 41 62 ( 63 | 64 | 65 ) }
condition:
@@ -596,7 +596,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ( 41 | f2 | f3 ) 62 63 }
condition:
@@ -613,7 +613,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 41 ( 61 | 62 | 63 ) 63 }
condition:
@@ -630,7 +630,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ( 41 62 63 | 42 62 63 | 43 62 63 ) }
condition:
@@ -643,14 +643,14 @@ rule test {
def testPipedMaskedHexPatterns(self):
- """Look for several patterns at once with piped definition."""
+ """Look for several patterns at once with piped and masked definition."""
cnt = MemoryContent(b'123-Abc-456')
rule = '''
rule test {
- strings:
+ bytes:
$a = { 4? 6? ( ?3 | ?4 | ?5 ) }
condition:
@@ -667,11 +667,11 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ( ?1 | ?2 | ?3 ) 6? 6? }
condition:
- console.log("COUNTER: ", #a) and #a == 1 and @a[0] == 4 and !a[0] == 3
+ #a == 1 and @a[0] == 4 and !a[0] == 3
}
'''
@@ -684,7 +684,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { 4? ( ?1 | ?2 | ?3 ) 6? }
condition:
@@ -701,7 +701,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = { ( 4? ?2 ?3 | 4? 6? 6? | ?3 6? ?3 ) }
condition:
diff --git a/tests/analysis/scan/scanning_str.py b/tests/analysis/scan/scanning_str.py
index ff36ca3..75427a7 100644
--- a/tests/analysis/scan/scanning_str.py
+++ b/tests/analysis/scan/scanning_str.py
@@ -14,7 +14,7 @@ class TestRostScanningStrings(RostTestClass):
rule = '''
rule test {
- strings:
+ bytes:
$a = "Abc"
condition:
@@ -34,7 +34,7 @@ rule test {
rule = r'''
rule test {
- strings:
+ bytes:
$a = "\a\b\t\n\v\f\r\e\"\\\xff"
condition:
@@ -51,7 +51,7 @@ rule test {
rule = r'''
rule test {
- strings:
+ bytes:
$a = "\a\b\t\n--123--\v\f\r\e\"\\\xff"
condition:
@@ -71,7 +71,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = "ABC" hex
condition:
@@ -88,7 +88,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = "ABC" plain
condition:
@@ -105,7 +105,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = "ABC" rev
condition:
@@ -123,7 +123,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = "DEF" fullword
$b = "123" fullword
@@ -141,7 +141,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = "DEF" fullword
$b = "123" fullword
@@ -159,7 +159,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = "DEF" fullword
$b = "123" fullword
@@ -180,7 +180,7 @@ rule test {
rule = '''
rule test {
- strings:
+ bytes:
$a = "Abc" nocase
$b = "ABC123DEF456GHI" nocase
$z = "z0z1z2z3z4z5z6z7z8z9" nocase