From: Philippe Antoine
Date: Fri, 3 Oct 2025 14:03:28 +0000 (+0200)
Subject: detect/files: add nfs test over udp only
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea27245340dc98975b4b56cdb7d30b2001677958;p=thirdparty%2Fsuricata-verify.git
detect/files: add nfs test over udp only
Ticket: 7973
---
diff --git a/tests/nfs-udp-only/README.md b/tests/nfs-udp-only/README.md
new file mode 100644
index 000000000..c15a5e4ab
--- /dev/null
+++ b/tests/nfs-udp-only/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test nfs on UDP only
+
+## PCAP
+
+Reused
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7973
diff --git a/tests/nfs-udp-only/suricata.yaml b/tests/nfs-udp-only/suricata.yaml
new file mode 100644
index 000000000..135b0be77
--- /dev/null
+++ b/tests/nfs-udp-only/suricata.yaml
@@ -0,0 +1,46 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ metadata: true
+ community-id: true
+ community-id-seed: 1234
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
+ metadata: yes # enable inclusion of app layer metadata with alert. Default yes
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: yes
+ stream: yes
+ applayer: yes
+ packethdr: yes
+ - files:
+ force-magic: yes
+ force-hash: [md5, sha1, sha256]
+ - nfs
+ - flow
+ - netflow
+ - alert-debug:
+ enabled: yes
+ filename: alert-debug.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+app-layer:
+ protocols:
+ nfs:
+ udp:
+ enabled: yes
+ tcp:
+ enabled: no
diff --git a/tests/nfs-udp-only/test.rules b/tests/nfs-udp-only/test.rules
new file mode 100644
index 000000000..2d54ae4c5
--- /dev/null
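Review bot: The suricata.yaml hunk mixes boolean spellings: `ethernet: true`, `metadata: true` and `community-id: true` sit next to `enabled: yes`, `payload: yes`, `force-magic: yes` and, in the nfs stanza, `enabled: no`. The file declares `%YAML 1.1`, where `yes`/`no` are valid booleans, so this is a point of style rather than a parse problem, but one spelling file-wide keeps the fixture diffable against sibling tests. The part of the config this ticket exercises is `app-layer.protocols.nfs` with `udp.enabled: yes` and `tcp.enabled: no`; a comment above that stanza, e.g. `# Ticket 7973: NFS parsed over UDP only, TCP parser deliberately disabled`, would make the intent visible to the next maintainer. The `anomaly`, `flow`, `netflow` and `alert-debug` outputs are not asserted by test.yaml, and `alert-debug` writes alert-debug.log that nothing reads, so they could be dropped to keep the fixture minimal.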
+++ b/tests/nfs-udp-only/test.rules
@@ -0,0 +1 @@
+alert nfs any any -> any any (msg:"FILE store in NFS"; filestore; sid:1; rev:1;)
diff --git a/tests/nfs-udp-only/test.yaml b/tests/nfs-udp-only/test.yaml
new file mode 100644
index 000000000..b3ca4adef
--- /dev/null
+++ b/tests/nfs-udp-only/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 9
+
+pcap: ../issue-3277-nfsv2-filestore/nfsv2.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 1
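Review bot: The single check in test.yaml pins `event_type: alert`, `app_proto: nfs` and `alert.signature_id: 1` but not the transport, so on its own the assertion does not state that the alert came over UDP, which is the whole point of the test; adding `proto: UDP` to the `match:` block ties the expected event to the UDP-only configuration. The rule in test.rules uses `filestore`, yet nothing asserts that a file was actually tracked over UDP; a second filter on `event_type: fileinfo` with `app_proto: nfs` (count to be confirmed against the reused pcap) would cover the detect/files side named in the commit title. A one-line comment above `pcap:` saying why `../issue-3277-nfsv2-filestore/nfsv2.pcap` is reused would also make the dependency on the sibling test explicit, since README.md only says "Reused".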