From 23267b2ad77d990f944fdf73b7e8a25da299938a Mon Sep 17 00:00:00 2001
From: Hendrik Baecker
Date: Thu, 20 Jun 2024 12:13:02 +0200
Subject: [PATCH] Fix: Added more connect tests for ipv6 and cidr modifier
---
 ...st_backend_elasticsearch_lucene_connect.py | 38 ++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/tests/test_backend_elasticsearch_lucene_connect.py b/tests/test_backend_elasticsearch_lucene_connect.py
index 53fd8fa..7efc6a5 100644
--- a/tests/test_backend_elasticsearch_lucene_connect.py
+++ b/tests/test_backend_elasticsearch_lucene_connect.py
@@ -141,6 +141,20 @@ def fixture_prepare_es_data():
 verify=False,
 auth=pytest.es_creds,
 )
+ requests.post(
+ f"{pytest.es_url}/test-index/_doc/",
+ json={"ipfield": "fe80:0000:0000:0000:0000:0000:0000:beef"},
+ timeout=120,
+ verify=False,
+ auth=pytest.es_creds,
+ )
+ requests.post(
+ f"{pytest.es_url}/test-index/_doc/",
+ json={"ipfield": "2603:1080:beef::1"},
+ timeout=120,
+ verify=False,
+ auth=pytest.es_creds,
+ )
 requests.post(
 f"{pytest.es_url}/test-index/_doc/",
 json={"ipfield": "10.5.5.5"},
@@ -461,7 +475,7 @@ def test_connect_lucene_regex_query(
 result_dsl = lucene_backend.convert(rule, output_format="dsl_lucene")[0]
 self.query_backend_hits(result_dsl, num_wanted=1)
 
- def test_connect_lucene_cidr_query(
+ def test_connect_lucene_cidr_v4_query(
 self, prepare_es_data, lucene_backend: LuceneBackend
 ):
 rule = SigmaCollection.from_yaml(
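Review bot: The two new IPv6 fixture documents use different notations — `fe80:0000:0000:0000:0000:0000:0000:beef` fully expanded and `2603:1080:beef::1` compressed — and nothing in the fixture says the difference is deliberate, so a later cleanup could "normalize" them and silently drop the coverage that the index matches both spellings. A one-line comment above the first new `requests.post(` would pin that down: `# one expanded and one compressed IPv6 form on purpose: both must be hit by the cidr tests`. The added blocks are also the fourth and fifth verbatim copies of the same `requests.post(...)` call with only the `ipfield` value changing; a small module-level helper such as `def _index_ip(ip): requests.post(f"{pytest.es_url}/test-index/_doc/", json={"ipfield": ip}, timeout=120, verify=False, auth=pytest.es_creds)` would keep the fixture to one line per document and make the full list of seeded addresses readable at a glance. `fixture_prepare_es_data` starts and ends outside this hunk, so I cannot see whether an index refresh follows these posts.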
@@ -481,6 +495,28 @@ def test_connect_lucene_cidr_query(
 result_dsl = lucene_backend.convert(rule, output_format="dsl_lucene")[0]
 self.query_backend_hits(result_dsl, num_wanted=1)
 
+ def test_connect_lucene_cidr_v6_query(
+ self, prepare_es_data, lucene_backend: LuceneBackend
+ ):
+ rule = SigmaCollection.from_yaml(
+ """
+ title: Test
+ status: test
+ logsource:
+ category: test_category
+ product: test_product
+ detection:
+ sel:
+ ipfield|cidr:
+ - 'fe80::/10'
+ - '2603:1080::/25'
+ condition: sel
+ """
+ )
+
+ result_dsl = lucene_backend.convert(rule, output_format="dsl_lucene")[0]
+ self.query_backend_hits(result_dsl, num_wanted=2)
+
 def test_connect_lucene_ip_query(
 self, prepare_es_data, lucene_backend: LuceneBackend
 ):
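Review bot: `num_wanted=2` in `test_connect_lucene_cidr_v6_query` only proves that two documents come back, and as far as the fixture visible in this patch shows, the two IPv6 documents it seeds are exactly the two that should match — so a converted query that matched every IPv6 address (for example a prefix handled as too short) would produce the same count and still pass. Seeding one IPv6 address outside both prefixes in the fixture would turn this into a real positive/negative check, the way the IPv4 documents already act as non-matches for the v4 test; I cannot see the whole fixture, so such a document may already exist further up. The expected count should also say which documents it stands for, e.g. `# fe80::/10 -> fe80::beef, 2603:1080::/25 -> 2603:1080:beef::1 (both seeded by prepare_es_data)`, since the two-prefix list additionally exercises OR-combination of cidr values, which the single-prefix v4 test does not. The enclosing test class starts outside this hunk.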