Haleema Khan wrote in #note-2:
Hello mentors,
I looked at the test files and all the tests in this file are already in FAIL/PASS APIs.
Do they need a suricata-verify conversion? Just asking to understand the difference as I see a lot of signatures in a lot of tests within this file but then the whole file has tests in FAIL/PASS APIs. Does the presence of a signature make this a candidate for s-v test conversion or there are more attributes needed?
I do remember the description given to me by Shivani of a good candidate for suricata verify test but the tests in this file have 700+ lines of code and 2-3 are actually lengthy ones.
I remember you asking about something similar elsewhere, but I'll answer here, for future reference for other folks, as well:
usually, a good candidate for a conversion from unittest into a suricata-verify test will have things such as:
- Packet variables;
- Flow initialization.
Unit tests with that characteristic, especially lengthy and convoluted ones are likely to be better tested and represented as SV tests.
That said, looking at these tests, I think that `DetectFastPatternTest14` would be a good candidate for conversion. Even though it doesn't have that many
lines, it tests something that would be better tested if we actually had the engine running and analyzing the packet buffer against the given rules.
I am not so sure about the other cases - nor about how would we create a suricata verify test to check if the fast pattern is behaving as expected. Maybe comparing rule performance output...