--- /dev/null
+alert tcp any any -> any any (content:"one"; content:"1"; prefilter; sid:1;)
+alert tcp any any -> any any (uricontent:"one"; uricontent:"1"; prefilter; sid:2;)
+alert tcp any any -> any any (content:"one"; http_uri; content:"1"; prefilter; http_uri; sid:3;)
+alert tcp any any -> any any (http.uri; content:"one"; content:"1"; prefilter; sid:4;)
+
+# test prefilter keyword for file_data
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; prefilter; within:64; sid:10; rev:1;)
+# test prefilter keyword for file.data
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file.data; content:".pdf.exe"; prefilter; within:64; sid:11; rev:1;)
+
+alert tcp any any -> any any (flow:established,to_server; stream_size:server,<,1111; prefilter; content: "EICAR"; sid:20;)
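Review bot: The rules for sids 1–4 and 20 carry no comment explaining what each variant is meant to exercise, unlike sids 10 and 11, so the deliberate ordering quirks are easy to misread as mistakes. In sid 3 `prefilter` is placed before the trailing `http_uri` modifier, and in sid 20 `prefilter` follows `stream_size` rather than a content; a header such as `# sids 1-4: prefilter forces the 1-byte "1" pattern over the longer "one" in payload, uricontent, http_uri modifier (modifier after prefilter) and http.uri sticky buffer; sid 20: prefilter on a non-content keyword` would make the intent explicit. In sids 10 and 11 `within:64` directly follows the `file_data`/`file.data` buffer switch with no preceding match in that buffer; if that is intentionally copied from a production rule to check prefilter in that position, a one-line comment saying so would spare a reader who expects `within` to need a preceding content in the same buffer. Both sids also carry the identical `msg`, which makes alerts indistinguishable if this file is ever run against traffic.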
--- /dev/null
+requires:
+ min-version: 8.0.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ mpm.buffer: "payload"
+ mpm.pattern: "1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ mpm.buffer: "http_uri"
+ mpm.pattern: "1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "http_uri"
+ mpm.pattern: "1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ mpm.buffer: "http_uri"
+ mpm.pattern: "1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ mpm.buffer: "file_data"
+ mpm.pattern: ".pdf.exe"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 11
+ mpm.buffer: "file_data"
+ mpm.pattern: ".pdf.exe"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 20
+ prefilter.buffer: "packet"
+ prefilter.name: "stream_size"
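Review bot: The checks for ids 1–4 assert `mpm.pattern: "1"` without noting why that proves anything, namely that the default fast-pattern selection would prefer the longer `"one"`, so seeing `"1"` is only explainable by `prefilter`; a comment such as `# "1" is shorter than "one", so it can only be the mpm pattern because of the prefilter keyword` above the first filter would capture that. The id 20 check asserts the `stream_size` prefilter engine but says nothing about the `EICAR` content; if the intent is also to pin whether a non-content prefilter removes the rule from MPM, an explicit `mpm` assertion (or a comment stating that it is deliberately left unchecked) would make the expectation unambiguous. A short header comment that `pcap: false` with `--engine-analysis` means this test inspects `rules.json` only and never runs traffic would also help, since the rules file itself looks like detection content. The checks list may continue past the last line shown here.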