rules/bidir: adds engine-analysis tests
author Philippe Antoine <pantoine@oisf.net>
Tue, 8 Oct 2024 08:14:18 +0000 (10:14 +0200)
committer Victor Julien <victor@inliniac.net>
Sat, 29 Mar 2025 21:14:02 +0000 (22:14 +0100)
Ticket: 5665

tests/rules/detect-bidir-http-rule/README.md [new file with mode: 0644]
tests/rules/detect-bidir-http-rule/test.rules [new file with mode: 0644]
tests/rules/detect-bidir-http-rule/test.yaml [new file with mode: 0644]
tests/rules/detect-bidir-ja3-rule/README.md [new file with mode: 0644]
tests/rules/detect-bidir-ja3-rule/test.rules [new file with mode: 0644]
tests/rules/detect-bidir-ja3-rule/test.yaml [new file with mode: 0644]

diff --git a/tests/rules/detect-bidir-http-rule/README.md b/tests/rules/detect-bidir-http-rule/README.md
new file mode 100644 (file)
index 0000000..eaa073a
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Test bidirection rule with HTTP analysis
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5665
diff --git a/tests/rules/detect-bidir-http-rule/test.rules b/tests/rules/detect-bidir-http-rule/test.rules
new file mode 100644 (file)
index 0000000..a3fe123
--- /dev/null
@@ -0,0 +1 @@
+alert http1 any any => any any (msg:"matching both uri and status"; sid: 1; http.uri; content: "/download"; http.stat_code; content: "200";)
\ No newline at end of file
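Review bot: The rule file is committed without a trailing newline (the `\ No newline at end of file` marker), which the sibling ja3 rule in this commit does not have; adding the newline keeps the two fixtures consistent and avoids spurious diff noise on the next edit. The `sid: 1;` option is also written with a space and placed before the buffer keywords, whereas the ja3 rule uses `sid:1;` as the last option; one form across both tests would be easier to read. Suggested line: `alert http1 any any => any any (msg:"matching both uri and status"; http.uri; content:"/download"; http.stat_code; content:"200"; sid:1;)`.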
diff --git a/tests/rules/detect-bidir-http-rule/test.yaml b/tests/rules/detect-bidir-http-rule/test.yaml
new file mode 100644 (file)
index 0000000..4eaae0e
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  min-version: 8
+  pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      engines[0].name: "http_uri"
+      engines[0].direction: "toserver"
+      engines[0].app_proto: "http"
+      engines[1].name: "http_stat_code"
+      engines[1].direction: "toclient"
+      engines[1].app_proto: "http"
+      mpm.buffer: "http_uri"
diff --git a/tests/rules/detect-bidir-ja3-rule/README.md b/tests/rules/detect-bidir-ja3-rule/README.md
new file mode 100644 (file)
index 0000000..3239640
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Test bidirection rule with TLS ja3 analysis
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5665
diff --git a/tests/rules/detect-bidir-ja3-rule/test.rules b/tests/rules/detect-bidir-ja3-rule/test.rules
new file mode 100644 (file)
index 0000000..7488fec
--- /dev/null
@@ -0,0 +1 @@
+alert tls any any => any any (msg:"bidir ja3"; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; ja3.string; content:"771,49196-49200"; sid:1;)
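Review bot: The keyword order in this rule (`ja3s.hash` first, then `ja3.string`) is the reverse of the order the companion test.yaml expects in `engines[0]`/`engines[1]` (ja3.string toserver, then ja3s.hash toclient), while the http test in this commit lists its keywords in the same order it checks them; this looks deliberate, to show the engine list is grouped by direction rather than rule order, but nothing records that intent. A line in README.md such as "keywords are written toclient-first on purpose; engine-analysis is expected to list the toserver engine first" would make a future failure on this ordering easier to diagnose. The test also presumably relies on JA3 being enabled by the default `ja3-fingerprints` setting when a rule uses ja3 keywords; if that assumption is part of the design, the README is the place to state it, since a disabled JA3 would surface only as the `count: 1` check failing.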
diff --git a/tests/rules/detect-bidir-ja3-rule/test.yaml b/tests/rules/detect-bidir-ja3-rule/test.yaml
new file mode 100644 (file)
index 0000000..6819190
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  min-version: 8
+  pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      engines[0].name: "ja3.string"
+      engines[0].direction: "toserver"
+      engines[0].app_proto: "tls"
+      engines[1].name: "ja3s.hash"
+      engines[1].direction: "toclient"
+      engines[1].app_proto: "tls"
+      mpm.buffer: "ja3.string"