flow/pkt: add test for either dir 2228/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Fri, 23 Aug 2024 07:06:50 +0000 (12:36 +0530)
committerVictor Julien <victor@inliniac.net>
Fri, 10 Jan 2025 21:32:40 +0000 (22:32 +0100)
tests/detect-flow-pkts-either/README.md [new file with mode: 0644]
tests/detect-flow-pkts-either/test.rules [new file with mode: 0644]
tests/detect-flow-pkts-either/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-flow-pkts-either/README.md b/tests/detect-flow-pkts-either/README.md
new file mode 100644 (file)
index 0000000..89bdf91
--- /dev/null
@@ -0,0 +1,13 @@
+Test
+====
+
+Test `flow.pkts:either`.. and `flow.bytes:either`.. keywords
+
+PCAP
+====
+
+From existing s-v test.
+
+Related tickets
+==============
+https://redmine.openinfosecfoundation.org/issues/5646
diff --git a/tests/detect-flow-pkts-either/test.rules b/tests/detect-flow-pkts-either/test.rules
new file mode 100644 (file)
index 0000000..95b6300
--- /dev/null
@@ -0,0 +1,5 @@
+alert ip any any -> any any (msg:"Flow has more than 3000 bytes and 10 pkts in either direction";flow.pkts:either,=10;flow.bytes:either,>3000; sid:1;)
+alert ip any any -> any any (msg:"Flow has 10 pkts in toserver direction";flow.pkts:toserver,=10;prefilter;sid:2;)
+alert ip any any -> any any (msg:"Flow has 10 pkts in toclient direction";flow.pkts:toclient,=10;sid:3;)
+alert ip any any -> any any (msg:"Flow has more than 3000 bytes in toserver direction";flow.bytes:toserver,>3000;sid:4;)
+alert ip any any -> any any (msg:"Flow has more than 3000 bytes in toclient direction";flow.bytes:toclient,>3000; threshold: type backoff, track by_flow, count 2, multiplier 10; sid:5;)
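Review bot: The msg on sid 1 reads as if both conditions hold in the same direction, but the expected counts in test.yaml (sid 4 toserver bytes → 0, sid 5 toclient bytes → 2, sid 2 toserver pkts → 3, sid 3 toclient pkts → 1) suggest the three sid 1 matches are satisfied by pkts toserver and bytes toclient, i.e. the two `either` conditions are evaluated independently and may be met in different directions. If that is the intended semantics it is worth stating, since sid 1 is the only rule exercising it: `msg:"Flow has more than 3000 bytes and 10 pkts, each in either direction (independently)"`, or one sentence in the README. The asymmetric use of `prefilter;` on sid 2 only and the backoff threshold on sid 5 only also look deliberate but are undocumented; a short README line naming which code path each sid is meant to cover would make the expected counts easier to maintain when the pcap or keyword changes.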
diff --git a/tests/detect-flow-pkts-either/test.yaml b/tests/detect-flow-pkts-either/test.yaml
new file mode 100644 (file)
index 0000000..634b6a0
--- /dev/null
@@ -0,0 +1,38 @@
+requires:
+  min-version: 8
+
+pcap: ../decode-teredo-01/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 1
+
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 2
+
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 4
+
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 5
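Review bot: The checks only count alerts per signature_id, so a regression where `=10` fires at the wrong packet (e.g. once the counter exceeds 10 rather than equals it) would still pass as long as the number of matching flows is unchanged. If the alert record's flow object carries the per-direction counters at alert time, pinning them in the filter would tie each count to the keyword's comparison, e.g. adding `flow.pkts_toserver: 10` under the `match:` for sid 2 and `flow.pkts_toclient: 10` for sid 3; the same can be done for the bytes rules with a `>3000` check if the filter syntax supports it. The `count: 0` for sid 4 is weak on its own but is backed by sid 1 and sid 5 firing, so it does distinguish direction. Note also that `pcap: ../decode-teredo-01/input.pcap` ties this test to another test's directory name; a rename there will silently break this one, which the README's "From existing s-v test" does not make obvious.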