[Feature proposal] Allow for a "should not trigger" test type

[Res260]

Currently, the tests for a detection are tests that PASS if the log is found using the provided detection' search. This is great to test that the rule matches when it's supposed to match, but it cannot test the exclusions to a rule.

Proposal: Introduce the concept of test "types": "should trigger" and "should not trigger".

The behavior is very simple:

• For a should trigger test: If the detection' search finds a log, the test PASSES. Else it FAILS.
• For a should not trigger test: If the detection' search finds a log, the test FAILS. Else it PASSES.

I can work on this feature and contribute it to upstream. If this is not something you want, we'll keep it in our private fork.

[2xyo]

Totally agree with @Res260 This is definitely necessary to test that exclusions are being taken into account correctly.

[2xyo]

@pyth0n1c would you be open to a pull request that implements this feature. If so, do you have any recommendations or preferences on how it should be implemented?

[Res260]

@2xyo I added the feature to my private fork, but could not contribute upstream because of other features that were never merged into upstream ( #318 #327 ).

The change is kind of easy to do, here are screenshots of my diffs: