From 04b95472a05d7ebfab96290e980a06282b67a992 Mon Sep 17 00:00:00 2001 
From: Victor Roemer Date: Thu, 27 Jul 2023 01:29:03 +0000 Subject: [PATCH 1/3] snort3_demo: Refactor run_test.sh script This commit refactors the snort3_demo repository so that it can be executed somewhat more portably, and ideally feels a bit more comfortable to the user. These changes make one big assumption, namely: * snort and libdaq are installed to the default PREFIX directory (/usr/local). With this assumption made, the user is no longer responsible for specifying the install location for "snorty", i.e., `argv[1]` will now specify the path of tests to execute. NOTICE: If necessary, I will provide an override in the form of an environment variable to restore specifying an alternate install PREFIX. Now argv[1] specifices the path to the "top" directory to search for, and run tests from. The following commands are now all valid: * ./run_tests.sh tests/ips_options Runs all tests under "tests/ips_options/*" * ./run_tests.sh tests/ips_options/so_and_soid Runs the singular test under "tests/ips_options/so_and_soid/" * ./run_tests.sh tests/ips_options/so_and_soid/test.bats Identical to the previous exmaple, runs the singular test under "tests/ips_options/so_and_soid/" * ./run_tests.sh /root/alternate-path/some-private/integration-tests/ Runs all the tests under the user specified external directory. The last major refactor to the script is the way which tests are "searched and exected". Previously, the run_tests.sh used `find` to create a singular long command line argument of "directories" containing the "tests.bat" script, passing it as an argument to a loop defined in the same file. The script is now chagned to use `find -exec run_one`, which is functionally equivalent, but is now future proofed from maxing out command line arguments, or size of a command line in the given shell. NOTICE: Acceptance of this PR will surely result in further refactorying to make the environment more portable still. 
--- README.adoc | 23 ++++++++++++-------- run_one | 11 ++++++++++ run_test.sh | 62 +++++++++++++++++++++++++---------------------------- 3 files changed, 54 insertions(+), 42 deletions(-) create mode 100755 run_one diff --git a/README.adoc b/README.adoc index 03d892a..9d62c17 100644 --- a/README.adoc +++ b/README.adoc @@ -9,20 +9,25 @@ you can find here: https://github.com/bats-core/bats-core. To execute the tests: - ./run_test.sh + ./run_test.sh -run_test.sh will find *.bats files recursively from the current -directory down and execute each test. Output is in TAPS format with -a summary at the end. +run_test.sh will find and expecute "test.bats" files recursively from the +specified [path/to/tests] if provided, or recursively from the current +directory, if no path is provided. Output is in TAPS format with a summary at +the end. -You can also execute a single test by specifying the relative path to -the specific test.bats file, e.g.: +You can also execute a one or more tests from an alternate directory tree by +specifying an alternate path as the first argument file, e.g.: - ./run_test.sh tests/ips_actions/replace_rewrite/test.bats + ./run_test.sh tests/ips_actions/replace_rewrite -Do this first if you require --daq-dir to run Snort 3: + or (path to the test.bats file) - export SNORT3_DAQ_DIR="" + ./run_test.sh tests/ips_actions/replace_rewrite/test.bats + + or (some out of tree path to an externally defined test suite) + + ./run_test.sh /some/other/path/tests/ Dockerfiles outlining how to build Snort3 for a specific platform are included in the Dockerfiles folder. diff --git a/run_one b/run_one new file mode 100755 index 0000000..18b2840 --- /dev/null +++ b/run_one @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +TEST_PATH="$1" +echo "test_path: $1" +DIRNAME=$(dirname "$TEST_PATH") +BASENAME=$(basename "$TEST_PATH") + +pushd "$DIRNAME" &>/dev/null +echo "$PWD" +bats -t "$BASENAME" +popd &> /dev/null diff --git a/run_test.sh b/run_test.sh index f92991a..af4c9b1 100755 
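Review bot: `pushd "$DIRNAME" &>/dev/null` in run_one discards its own failure, so if the test directory cannot be entered bats is started from the caller's current directory, and because the script ends with `popd` and sets no `-e`, the exit status of `bats` itself is never returned to `find`. Guard the directory change and hand back the bats status: `pushd "$DIRNAME" >/dev/null || exit 1`, then `bats -t "$BASENAME"; rc=$?`, then `popd >/dev/null; exit "$rc"`. The two `echo` lines write to stdout, which run_test.sh pipes into demo_result.log alongside the TAP stream; sending them to stderr (`printf 'test_path: %s\n' "$1" >&2`) keeps the log to what is actually counted.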
--- a/run_test.sh
+++ b/run_test.sh
@@ -1,45 +1,44 @@
 #!/usr/bin/env bash
-#$1 -- directory where snort is installed
-if [ $# -lt 1 ] ; then
- printf "usage: run_test.sh "
- exit -1
+
+# Let the user specify an alternate directory to run test from
+# This could be within the same source tree, or external.
+TOPDIR="."
+if [ -n "$1" ]
+then TOPDIR="$1"
+fi
+
+if [[ -f "$TOPDIR" ]]
+then TOPDIR=$(dirname "$TOPDIR")
 fi
-[ -d "$SNORT3_DAQ_DIR" ] && daq_dir="--daq-dir $SNORT3_DAQ_DIR"
+# Assume user installed to the default location ("/usr/local")
+# TODO Deviation from this should pass as environment variable (`PREFIX="x/y/z" ./run_tests`).
+export PREFIX="/usr/local"
+export DAQ_DIR="$PREFIX/lib/daq:$PREFIX/lib/snort/daq:$PREFIX/lib/snort/daq/extra"
 # global args (add any needed here for your environment)
 args="-H -U"
 # setup environnement
-export snorty_path=$1
-export snort="$snorty_path/bin/snort $daq_dir $args"
-export snort2lua="$snorty_path/bin/snort2lua"
+export snort="$PREFIX/bin/snort --daq-dir $DAQ_DIR $args"
+export snort2lua="$PREFIX/bin/snort2lua"
-export LUA_PATH=$snorty_path/include/snort/lua/\?.lua\;\;
-export SNORT_LUA_PATH=$snorty_path/etc/snort/
+export LUA_PATH=$PREFIX/include/snort/lua/\?.lua\;\;
+export SNORT_LUA_PATH=$PREFIX/etc/snort/
 export PATH=$PATH:$(pwd)/bin
-if [ -d "${snorty_path}/lib64" ]; then
- libs=${snorty_path}/lib64
-else
- libs=${snorty_path}/lib
+# FIXIT: Figure out if libdaq install honors lib64 vs lib the same way as snort3
+if [ -d "${PREFIX}/lib64" ]
+then LIBDIR="${PREFIX}/lib64"
+else LIBDIR="${PREFIX}/lib"
 fi
-export PKG_CONFIG_PATH=$libs/pkgconfig:$PKG_CONFIG_PATH
-export SNORT_DAQ_LIBS=$libs/snort/daq:$libs/snort/daq/extra
-export SNORT_PLUGINS=$libs/snort/plugins
+export PKG_CONFIG_PATH="$LIBDIR/pkgconfig:$PKG_CONFIG_PATH"
+export SNORT_PLUGINS="$LIBDIR/snort/plugins"
-tests=$2
-[ "$tests" ] || tests=`find . -name \*.bats`
-
-# run tests for all .bats
-for t in $tests ; do
- printf "\n# $t:\n"
- pushd . &>/dev/null
- cd `dirname $t`
- bats -t .
- popd &> /dev/null - done | tee demo_result.log +# Find will locate all the "test.bats" files under the specified TOPDIR. +find "$TOPDIR" -name "test.bats" -type f -exec ./run_one \{} \; \ + | tee demo_result.log # calculate stats pass=$(grep "^ok" -c demo_result.log) @@ -51,9 +50,6 @@ total=$(($pass + $fail + $skip)) printf "\n" printf "Total = $total, Pass = $pass, Fail = $fail, Skip = $skip\n" | tee demo_summary.log -if [ $fail -ne 0 ]; then - exit 1; -else - exit 0; +if [ $fail -ne 0 ] +then exit 1 fi - From 5c844055f88e0b29c9e0c1ddcf700b08b9324cda Mon Sep 17 00:00:00 2001 From: Victor Roemer Date: Thu, 27 Jul 2023 01:31:18 +0000 Subject: [PATCH 2/3] snort3_demo: remove alternate daq-dir specification in tests, run_tests searches for all daq install locations --- tests/inspectors/stream_file/test.bats | 2 +- tests/inspectors/stream_user/test.bats | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/inspectors/stream_file/test.bats b/tests/inspectors/stream_file/test.bats index f805c93..e064409 100644 --- a/tests/inspectors/stream_file/test.bats +++ b/tests/inspectors/stream_file/test.bats @@ -4,7 +4,7 @@ CFG="snort.lua" OPTION="-q -A csv" @test "Basic stream_file functional test" { - $snort -c $CFG --daq-dir $SNORT_DAQ_LIBS --daq file -r malware.pdf -s 8192 $OPTION > snort.out + $snort -c $CFG --daq file -r malware.pdf -s 8192 $OPTION > snort.out diff -Bb expected snort.out } diff --git a/tests/inspectors/stream_user/test.bats b/tests/inspectors/stream_user/test.bats index a0c0667..835590d 100644 --- a/tests/inspectors/stream_user/test.bats +++ b/tests/inspectors/stream_user/test.bats @@ -4,7 +4,7 @@ CFG="snort.lua" OPTION="-A csv -q" @test "Basic stream_user functional test" { - $snort -c $CFG --daq-dir $SNORT_DAQ_LIBS --daq hext -i get.hext $OPTION > snort.out + $snort -c $CFG --daq hext -i get.hext $OPTION > snort.out diff expected snort.out } From 8884ea2515ac318649d8fea6c83ecfd267c152ab Mon Sep 17 00:00:00 2001 
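Review bot: `find "$TOPDIR" -name "test.bats" -type f -exec ./run_one \{} \;` resolves the runner relative to the caller's working directory, not to the script, so invoking run_test.sh from anywhere except the repository root (which the external-suite usage in the commit message invites) makes every `-exec` fail and leaves demo_result.log empty. Resolve it once next to the script, `RUN_ONE="$(cd "$(dirname "$0")" && pwd)/run_one"`, and call `-exec "$RUN_ONE" {} \;`. `export PREFIX="/usr/local"` also unconditionally overwrites a PREFIX the user already has in the environment, which the TODO on the line above describes as the intended override; `export PREFIX="${PREFIX:-/usr/local}"` provides that without further changes.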
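Review bot: The new tail exits 0 whenever `$fail` is 0, which includes a run in which nothing executed at all: a wrong `TOPDIR`, an unreadable tree or a failing `-exec` each leave demo_result.log empty, `total` (computed in the hunk's context line) is 0, and the script still reports success. Treat an empty run as a failure so CI cannot go green on zero tests: `if [ "$fail" -ne 0 ] || [ "$total" -eq 0 ]; then exit 1; fi`.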
From: Victor Roemer Date: Thu, 27 Jul 2023 01:33:34 +0000 Subject: [PATCH 3/3] snort3_demo: build so_rule 3_13 using cmake. The result is more portable --- .../so_and_soid/so_rule/.gitignore | 3 ++ .../so_and_soid/so_rule/CMakeLists.txt | 39 +++++++++++++++++++ .../ips_options/so_and_soid/so_rule/Makefile | 16 ++++++++ .../so_and_soid/{ => so_rule}/sid_3_13.cc | 0 .../so_and_soid/so_rule/sid_3_13.txt | 17 ++++++++ tests/ips_options/so_and_soid/test.bats | 31 +++++++-------- 6 files changed, 89 insertions(+), 17 deletions(-) create mode 100644 tests/ips_options/so_and_soid/so_rule/.gitignore create mode 100644 tests/ips_options/so_and_soid/so_rule/CMakeLists.txt create mode 100644 tests/ips_options/so_and_soid/so_rule/Makefile rename tests/ips_options/so_and_soid/{ => so_rule}/sid_3_13.cc (100%) create mode 100644 tests/ips_options/so_and_soid/so_rule/sid_3_13.txt diff --git a/tests/ips_options/so_and_soid/so_rule/.gitignore b/tests/ips_options/so_and_soid/so_rule/.gitignore new file mode 100644 index 0000000..4804527 --- /dev/null +++ b/tests/ips_options/so_and_soid/so_rule/.gitignore @@ -0,0 +1,3 @@ +build/ +install/ +sid_3_13.h diff --git a/tests/ips_options/so_and_soid/so_rule/CMakeLists.txt b/tests/ips_options/so_and_soid/so_rule/CMakeLists.txt new file mode 100644 index 0000000..24d5972 --- /dev/null +++ b/tests/ips_options/so_and_soid/so_rule/CMakeLists.txt 
@@ -0,0 +1,39 @@
+cmake_minimum_required ( VERSION 3.4.3 )
+project (sorule_id_3_13 C CXX)
+
+set (CMAKE_CXX_STANDARD 14)
+set (CMAKE_CXX_STANDARD_REQUIRED ON)
+set (CMAKE_CXX_EXTENSIONS OFF)
+
+include ( FindPkgConfig )
+pkg_search_module ( SNORT3 REQUIRED snort>=3 )
+
+add_library (
+ so_rule
+ MODULE
+ sid_3_13.cc
+ sid_3_13.h
+)
+
+target_compile_options (
+ so_rule
+ PRIVATE
+ -fno-rtti
+)
+
+set_target_properties (
+ so_rule
+ PROPERTIES
+ PREFIX ""
+)
+
+target_include_directories (
+ so_rule PUBLIC
+ ${SNORT3_INCLUDE_DIRS}
+)
+
+install (
+ TARGETS so_rule
+ LIBRARY
+ DESTINATION "${CMAKE_SOURCE_DIR}/install"
+)
diff --git a/tests/ips_options/so_and_soid/so_rule/Makefile b/tests/ips_options/so_and_soid/so_rule/Makefile
new file mode 100644
index 0000000..d7ff170
--- /dev/null
+++ b/tests/ips_options/so_and_soid/so_rule/Makefile
@@ -0,0 +1,16 @@
+.PHONY: build sid_3-13.h install clean
+
+build: sid_3_13.h
+ cmake -B build/ -G Ninja .
+ cmake --build build/
+
+sid_3_13.h: sid_3_13.txt
+ snort --rule-to-text < sid_3_13.txt > sid_3_13.h
+
+install:
+ cmake --install build/
+
+clean:
+ rm sid_3_13.h
+ rm -rf build/
+ rm -rf install/
diff --git a/tests/ips_options/so_and_soid/sid_3_13.cc b/tests/ips_options/so_and_soid/so_rule/sid_3_13.cc
similarity index 100%
rename from tests/ips_options/so_and_soid/sid_3_13.cc
rename to tests/ips_options/so_and_soid/so_rule/sid_3_13.cc
diff --git a/tests/ips_options/so_and_soid/so_rule/sid_3_13.txt b/tests/ips_options/so_and_soid/so_rule/sid_3_13.txt
new file mode 100644
index 0000000..c93625c
--- /dev/null
+++ b/tests/ips_options/so_and_soid/so_rule/sid_3_13.txt
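Review bot: The target only takes `${SNORT3_INCLUDE_DIRS}` from pkg-config, whereas the compile line this replaces in test.bats also passed `$(pkg-config --variable=DAQ_CPPFLAGS snort)`, and any defines the .pc file carries in `SNORT3_CFLAGS_OTHER` are dropped too; if sid_3_13.cc pulls in DAQ headers (its contents are not shown here) the module will stop building on a prefix where libdaq headers sit outside the snort include directory. Forward them: `pkg_get_variable(DAQ_CPPFLAGS snort DAQ_CPPFLAGS)`, `separate_arguments(DAQ_CPPFLAGS)`, `target_compile_options(so_rule PRIVATE ${SNORT3_CFLAGS_OTHER} ${DAQ_CPPFLAGS})` — all available at the 3.4 minimum already declared. `sid_3_13.h` is listed as a source but is produced by the Makefile beside this file, so a plain `cmake -B build .` fails on the missing file; either mark it `set_source_files_properties(sid_3_13.h PROPERTIES GENERATED TRUE)` or leave it out of the source list, since it is only found via the include path anyway.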
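Review bot: `.PHONY: build sid_3-13.h install clean` names `sid_3-13.h` (hyphen), not the `sid_3_13.h` target defined below, so it is a silent no-op; since the header has a real prerequisite in `sid_3_13.txt` it should simply not be phony, `.PHONY: build install clean`. `cmake -B build/` and `cmake --install build/` need CMake 3.13 and 3.15 respectively while the accompanying CMakeLists still declares 3.4.3, and `-G Ninja` adds a hard dependency on ninja that the commit's portability goal does not mention; letting the generator default (`cmake -B build/ .`) and raising `cmake_minimum_required` keeps the two files consistent. `snort --rule-to-text` uses whichever `snort` is first on PATH rather than the `$PREFIX/bin/snort` run_test.sh selected, and `rm sid_3_13.h` in `clean` fails whenever the header was never generated; `SNORT ?= snort` used as `$(SNORT) --rule-to-text` and `rm -f sid_3_13.h` address both.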
@@ -0,0 +1,17 @@ +alert http +( + msg:"Too much Cheez Whiz is bad mkay."; + flow:to_server,established; + http_uri; content:"crazy"; + http_uri:query; content:"withThe=CheezWhiz"; + http_uri:query; content:"cans="; + service:http; + reference:url,http://www.kraftbrands.com/cheezwhiz/; + classtype:misc-activity; + gid:3; + sid:13; + rev:1; + soid:3_13_1; + so:cans 7; +) + diff --git a/tests/ips_options/so_and_soid/test.bats b/tests/ips_options/so_and_soid/test.bats index dd209ed..a0f310c 100644 --- a/tests/ips_options/so_and_soid/test.bats +++ b/tests/ips_options/so_and_soid/test.bats @@ -5,35 +5,32 @@ base=sid_3_13 pcap="cheez.pcap" cfg="snort.lua" -gcc_opts="-std=c++14 -Wall -g -ggdb -O0" -stub_opts="--warn-all --plugin-path ." +stub_opts="--warn-all --plugin-path so_rule/install" run_opts="-q -A csv" setup() { - CXX=g++ - - if [[ "$OSTYPE" == "freebsd"* ]]; then - CXX='clang++' - elif [[ "$OSTYPE" == "linux-musl"* ]]; then - gcc_opts="-std=c++14 -Wall -g -ggdb -O0" - fi - - local cppflags="$(pkg-config --cflags snort) $(pkg-config --variable=DAQ_CPPFLAGS snort)" - - $snort --rule-to-text < $base.txt > $base.h - ${CXX} -c $gcc_opts $cppflags -fPIC -o $base.o $base.cc - ${CXX} -shared -o $base.so $base.o + pushd so_rule/ + make sid_3_13.h build install + popd + ls -alh so_rule/install } @test "SO and SOID - 3:13" { + echo $snort $stub_opts --dump-dynamic-rules > stub.rule $snort $stub_opts --dump-dynamic-rules > stub.rule + + echo $snort $stub_opts -c $cfg -R stub.rule -r $pcap $run_opts &> snort.out $snort $stub_opts -c $cfg -R stub.rule -r $pcap $run_opts &> snort.out + + cat snort.out cat stub.rule snort.out | diff expected - } teardown() { - rm -f snort.out *.z *.o *.so stub.rule *.h + pushd so_rule/ + make clean + popd + rm -f snort.out stub.rule } -
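Review bot: The two added `echo $snort ... > stub.rule` and `echo $snort ... &> snort.out` lines redirect the echoed text into the very files the next command truncates, so they never show anything and only look like debugging leftovers; if a trace of the command is wanted, emit it as a bats diagnostic instead, `echo "$snort $stub_opts --dump-dynamic-rules" >&3`, and drop `ls -alh so_rule/install` and the bare `cat snort.out` for the same reason. `pushd so_rule/` in setup() is unchecked, so a missing so_rule tree makes `make` run in the test directory and surfaces as a missing-Makefile error; `pushd so_rule/ >/dev/null || return 1` fails early and also silences the directory-stack output, as run_test.sh did with `&>/dev/null`. teardown() then runs `make clean`, whose `rm sid_3_13.h` has no `-f`, so a setup() that failed before the header was generated drags teardown down with it.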