flow/pkts: add rules w new syntax

diff --git a/tests/detect-flow-pkts/README.md b/tests/detect-flow-pkts/README.md
index 6691a2c40f48b3ee04c31433a53df1fb2625d071..2d9c1360259ed9f86b6297518188c5ad2083a495 100644 (file)
--- a/tests/detect-flow-pkts/README.md
+++ b/tests/detect-flow-pkts/README.md
@@ -1,7 +1,7 @@
 Test
 ====
 
-Test `flow.pkts_toclient` and alike (bytes, server) keywords
+Test `flow.pkts:toclient`.. and alike (bytes, server) keywords
 
 PCAP
 ====

diff --git a/tests/detect-flow-pkts/test.rules b/tests/detect-flow-pkts/test.rules
index d808c07d990f8e997898607e7f96909af0722a03..5aaa2bbd3716b54aa211464753482fe97e7a5a23 100644 (file)
--- a/tests/detect-flow-pkts/test.rules
+++ b/tests/detect-flow-pkts/test.rules
@@ -1 +1,2 @@
-alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts_toclient:10; flow.pkts_toserver:10; flow.bytes_toserver:<3000; flow.bytes_toclient:>8000; sid:1;)
+alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts:toclient,=10; flow.pkts:toserver,=10; flow.bytes:toserver,<3000; flow.bytes:toclient,>8000; sid:1;)
+alert ip any any -> any any (msg:"Flow has 10 packets (old syntax)"; flow.pkts_toclient:10; flow.pkts_toserver:10; flow.bytes_toserver:<3000; flow.bytes_toclient:>8000; sid:2;)

diff --git a/tests/detect-flow-pkts/test.yaml b/tests/detect-flow-pkts/test.yaml
index 440484ffce13835cbb9e43590124bd2c08eb1c53..7bb601c119b6572cb5a1dad8b7f24a8990415c90 100644 (file)
--- a/tests/detect-flow-pkts/test.yaml
+++ b/tests/detect-flow-pkts/test.yaml
@@ -12,3 +12,8 @@ checks:
     match:
       event_type: alert
       alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2