From 68693d2098093a9641098b77dfb78eb4f6076d92 Mon Sep 17 00:00:00 2001 From: Lukas Rist Date: Sat, 8 Jul 2023 19:18:30 +0200 Subject: [PATCH] added filter tests --- src/__tests__/dsl.test.ts | 46 +++++++++++++++++++++++++++++++++++++-- src/util.ts | 28 +++++++++++++++++++++++- 2 files changed, 71 insertions(+), 3 deletions(-) diff --git a/src/__tests__/dsl.test.ts b/src/__tests__/dsl.test.ts index 9abb4a3..7dd2f3a 100644 --- a/src/__tests__/dsl.test.ts +++ b/src/__tests__/dsl.test.ts @@ -1,14 +1,17 @@ import { describe, expect, test } from '@jest/globals'; import { parseDSL, productions } from '../dsl'; +import { filterEvent } from '../eventFilter'; +import { generateTestEvent } from '../util'; describe('parseDSL', () => { test('parses AND query', () => { - let sx = parseDSL('tcp.port eq 23 and tcp.port eq 445'); + let sx = parseDSL('tcp.port eq 23 and ip.src eq 1.1.1.1'); expect(sx.lexErrors).toHaveLength(0); expect(sx.parseErrors).toHaveLength(0); // console.log(JSON.stringify(sx, null, 2)); expect(sx.toString()).toBeTruthy(); + expect(filterEvent(generateTestEvent(23, '123', '1.1.1.1'), sx.cst)).toBeTruthy(); }); test('parses ip.src ==', () => { @@ -18,6 +21,7 @@ describe('parseDSL', () => { expect(sx.parseErrors).toHaveLength(0); // console.log(JSON.stringify(sx, null, 2)); expect(sx.toString()).toBeTruthy(); + expect(filterEvent(generateTestEvent(445, '123', '192.168.1.1'), sx.cst)).toBeTruthy(); }); test('parses single query with "ne port"', () => { 
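Review bot: Every `filterEvent` assertion added here checks only a matching event with `toBeTruthy()`, so a filter that accepts every event would still pass; this starts at the AND test in the first hunk and repeats in the hunks at -18, -26 and -57. If this filter is what narrows captured sensor events for whoever reads them, the reject path needs the same coverage as the match path. Add a non-matching event beside each positive case, for example `expect(filterEvent(generateTestEvent(23, '123', '2.2.2.2'), sx.cst)).toBeFalsy();` for the `ip.src eq 1.1.1.1` clause. The return type of `filterEvent` is not visible in this patch, so `toBe(false)` may be the stricter choice if it returns a boolean.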
@@ -26,13 +30,17 @@ describe('parseDSL', () => { expect(sx.parseErrors).toHaveLength(0); // console.log(JSON.stringify(sx, null, 2)); expect(sx.toString()).toBeTruthy(); + expect(filterEvent(generateTestEvent(445, '', '192.168.1.1'), sx.cst)).toBeTruthy(); }); - test('parses single query with "== port"', () => { + test('parses single query with "ne port"', () => { let sx = parseDSL('udp.port ne 8080'); expect(sx.lexErrors).toHaveLength(0); expect(sx.parseErrors).toHaveLength(0); expect(sx.toString()).toBeTruthy(); + expect( + filterEvent(generateTestEvent(445, '', '192.168.1.1', '', 'Rule: UDP'), sx.cst), + ).toBeTruthy(); }); test('returns lexer error', () => { 
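Review bot: The renamed title `parses single query with "ne port"` is now identical to the title of the test directly above it, so a failure report cannot tell the two apart. Naming the protocol would separate them, e.g. `test('parses single query with udp "ne port"', () => {`. This is also the only call that passes the fifth `rule` argument (`'Rule: UDP'`), so a short comment saying that `udp.port` is expected to depend on that rule string would help the next reader; that dependency is inferred from the test, not shown in the patch.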
@@ -57,5 +65,39 @@ describe('parseDSL', () => { let sx = parseDSL('payload contains "something"'); expect(sx.lexErrors).toHaveLength(0); expect(sx.parseErrors).toHaveLength(0); + let payload = Buffer.from('something').toString('base64'); + expect( + filterEvent(generateTestEvent(445, '123', '192.168.1.1', payload), sx.cst), + ).toBeTruthy(); + }); + + test('parsing payload ne', () => { + let sx = parseDSL('not payload contains "banana"'); + expect(sx.lexErrors).toHaveLength(0); + expect(sx.parseErrors).toHaveLength(0); + let payload = Buffer.from('something').toString('base64'); + expect( + filterEvent(generateTestEvent(445, '123', '192.168.1.1', payload), sx.cst), + ).toBeTruthy(); + }); + + test('payload contains and tcp.port', () => { + let sx = parseDSL('payload contains "something" and tcp.port == 445'); + expect(sx.lexErrors).toHaveLength(0); + expect(sx.parseErrors).toHaveLength(0); + let payload = Buffer.from('something').toString('base64'); + expect( + filterEvent(generateTestEvent(445, '123', '192.168.1.1', payload), sx.cst), + ).toBeTruthy(); + }); + + test('parsing payload ne and tcp.port eq', () => { + let sx = parseDSL('not payload contains "banana" and tcp.port != 445'); + expect(sx.lexErrors).toHaveLength(0); + expect(sx.parseErrors).toHaveLength(0); + let payload = Buffer.from('something').toString('base64'); + expect( + filterEvent(generateTestEvent(445, '123', '192.168.1.1', payload), sx.cst), + ).toBeTruthy(); }); }); diff --git a/src/util.ts b/src/util.ts index 8974717..9ec57c8 100644 --- a/src/util.ts +++ b/src/util.ts @@ -26,7 +26,7 @@ const ports = [80, 443, 22, 8080, 65345]; const handlers = ['http', 'rdp', '', null]; /** - * Generates a random event used for UI testing. + * Generates a random event used for UI testing * @returns test event */ export function generateRandomTestEvent(): Event { 
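Review bot: The last added test in dsl.test.ts, `not payload contains "banana" and tcp.port != 445`, expects a match for an event built with `dport` 445, which holds only if `not` negates the whole conjunction or if `tcp.port` is also compared against the source port `'123'`; the test does not say which reading is intended. Its title says `tcp.port eq` while the query uses `!=`. `filterEvent` is not part of this patch, so the precedence cannot be confirmed from here, but unclear negation in an event filter can hide or surface the wrong records without any error. Add a comment stating the intended reading, e.g. `// 'not' applies to <payload clause | whole expression>; tcp.port matches <dst | src or dst>`, and a second event such as `generateTestEvent(445, '445', '192.168.1.1', payload)`, which gives different results under the two readings, asserted with the value the grammar is meant to produce.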
@@ -44,3 +44,29 @@ export function generateRandomTestEvent(): Event { decoded: { test: 123 }, }; } + +/** + * Generates an event used for testing + * @returns test event + */ +export function generateTestEvent( + dport: number, + sport?: string, + sip?: string, + payload?: string, + rule: string = 'Rule: TCP', +): Event { + return { + handler: handlers[Math.floor(Math.random() * handlers.length)], + connKey: [2, 2], + dstPort: dport, + rule: rule, + scanner: 'censys', + sensorID: 'sensorID', + srcHost: sip, + srcPort: sport, + timestamp: now().toString(), + payload: payload, + decoded: { paload: 'test' }, + }; +}
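Review bot: `generateTestEvent` picks `handler` with `Math.random()`, so the fixture the new filter tests rely on differs from run to run, and two of the four `handlers` values visible in the context above are `''` and `null`. A helper for assertions should be deterministic; use a fixed entry such as `handler: handlers[0],` or accept the handler as an optional parameter. `decoded: { paload: 'test' }` looks like a typo for `payload`. The doc comment should also describe the parameters, in particular that `payload` is expected to be base64-encoded (the tests pass `Buffer.from(...).toString('base64')`) and that `sport` is a string while `dport` is a number.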