From 546fd6f540d15e9d16a913e49860bf0511ffcce4 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Mon, 13 Jan 2025 08:49:50 -0500
Subject: [PATCH] test/entropy: Basic entropy keyword test

This commit adds a basic test of the entropy keyword.
---
 tests/entropy/entropy-01/README.md | 1 +
 tests/entropy/entropy-01/input.pcap | Bin 0 -> 1397 bytes
 tests/entropy/entropy-01/test.rules | 4 ++++
 tests/entropy/entropy-01/test.yaml | 9 +++++++++
 4 files changed, 14 insertions(+)
 create mode 100644 tests/entropy/entropy-01/README.md
 create mode 100644 tests/entropy/entropy-01/input.pcap
 create mode 100644 tests/entropy/entropy-01/test.rules
 create mode 100644 tests/entropy/entropy-01/test.yaml

diff --git a/tests/entropy/entropy-01/README.md b/tests/entropy/entropy-01/README.md
new file mode 100644
index 000000000..c1924f917
--- /dev/null
+++ b/tests/entropy/entropy-01/README.md
@@ -0,0 +1 @@
+This test checks the entropy keyword with a comparison against HTTP file data.
diff --git a/tests/entropy/entropy-01/input.pcap b/tests/entropy/entropy-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c84b2df7002156fe463a8b3f2d3cfa87a414bbab
GIT binary patch
literal 1397 zcmaKs&u`O66vxMDmlg|4g%fa^!)jG%Ydb%hHfhpLlhU90VG@_Nr~D9i z*oDZin+JjPh`aDF4PJ3Ta1R6EX#Zh@X>03bn05yxzWj#RWHq@>A^;%}I`GR1rBN!7 zHV^Xn(>9@gTsh+F%oDOrBs4;8qeNeX1p(rxw&#r9%$9w|ddnF<66y!3ivj;Ur_1P| ztfz$aCrO@KD~s7+-cnZR_`a;847m3Ifbml@6tXo#6MnWt8J`K}Q8AOn=CmH3T(SzN z9J8#l>Y0wu3)LQXSe1;t$H*6)u1fSwExwo*deXkpDz zUtC*f!4pEDwuka~ZQZ6U>`OV?QSX)j*pVK(L=h&YIW~n#%c$gslW~MoTEVUjY&v&~ z6lsb?bi+iUz9=%XIOm6hUOUY8$rp=6`LDI)*ii)&$5=`0g{}cOr5I#emm9jAey7{- z6ybPG-Vw-mn+2;REoysGyS(_A-}&yl|VIe^Y_xPi(bCvlm3O%e1LpJp|x0 DdZ&`u literal 0 HcmV?d00001
diff --git a/tests/entropy/entropy-01/test.rules b/tests/entropy/entropy-01/test.rules
new file mode 100644
index 000000000..700c010cf
--- /dev/null
+++ b/tests/entropy/entropy-01/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"entropy simple test"; \
+ file.data; \
+ entropy: value 4, oper >=; \
+ sid:1;)
diff --git a/tests/entropy/entropy-01/test.yaml b/tests/entropy/entropy-01/test.yaml
new file mode 100644
index 000000000..f97be7b6b
--- /dev/null
+++ b/tests/entropy/entropy-01/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
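Review bot: The suite only asserts that sid 1 fires on the `entropy: value 4, oper >=;` line, so it would pass unchanged if the comparison were effectively unconditional or the operator were ignored; a negative control is needed to pin the operator semantics. Adding a second rule to test.rules with the complementary operator on the same value, `alert http any any -> any any (msg:"entropy simple test - negative"; file.data; entropy: value 4, oper <; sid:2;)`, and a second filter in test.yaml with `count: 0` matching `event_type: alert` and `alert.signature_id: 2` would verify that the same buffer cannot satisfy both `>=` and `<` at the same threshold. The README line describes only the positive comparison, so a one-clause mention of the negative check there would keep it accurate. The test.yaml hunk on the same line shares this gap and needs no separate note.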