From: Daniel Olatunji
Date: Wed, 31 Jan 2024 15:37:54 +0000 (+0100)
Subject: tests: add rule to check for tcp/ack
X-Git-Tag: suricata-6.0.19~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F1749%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: add rule to check for tcp/ack Related to Issue: 6354
---
diff --git a/tests/rules/tcp_ack/README.md b/tests/rules/tcp_ack/README.md
new file mode 100644
index 000000000..051dbbed2
--- /dev/null
+++ b/tests/rules/tcp_ack/README.md
@@ -0,0 +1,2 @@
+## Description
+Rule test for tcp-ack keyword engine-analysis output; includes the test.yaml and test.rules files.
\ No newline at end of file
diff --git a/tests/rules/tcp_ack/test.rules b/tests/rules/tcp_ack/test.rules
new file mode 100644
index 000000000..c6212635a
--- /dev/null
+++ b/tests/rules/tcp_ack/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Testing ack"; ack:782; sid:1;)
+alert tcp any any -> any any (msg:"Testing ack"; ack:15; sid:2;)
+alert tcp any any -> any any (msg:"Testing ack"; ack:437528; sid:3;)
\ No newline at end of file
diff --git a/tests/rules/tcp_ack/test.yaml b/tests/rules/tcp_ack/test.yaml
new file mode 100644
index 000000000..806629d66
--- /dev/null
+++ b/tests/rules/tcp_ack/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 8.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.packet.matches[0].name: "tcp.ack"
+ lists.packet.matches[0].ack.number: 782
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ lists.packet.matches[0].ack.number: 15
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ lists.packet.matches[0].name: "tcp.ack"
+ lists.packet.matches[0].ack.number: 437528
\ No newline at end of file
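Review bot: The check for `id: 2` in test.yaml omits the `lists.packet.matches[0].name: "tcp.ack"` match that the `id: 1` and `id: 3` checks carry, so it only asserts the ack value and would still pass if the first packet match for sid 2 were reported under a different keyword name with the number 15. Add `lists.packet.matches[0].name: "tcp.ack"` under the `match:` of the second filter so all three checks assert the same shape of the engine-analysis output. The `count: 1` on each filter is what makes these checks meaningful; keep it if the name line is added. The pinned `min-version: 8.0` presumably reflects when `ack.number` appeared in rules.json — confirm that against the Suricata version the test is meant to cover.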