From: Philippe Antoine
Date: Tue, 9 Sep 2025 20:47:58 +0000 (+0200)
Subject: nfs: adds test for nfs_procedure keyword
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2661%2Fhead;p=thirdparty%2Fsuricata-verify.git
nfs: adds test for nfs_procedure keyword
Ticket: 6723
---
diff --git a/tests/nfs3-procedure/README.md b/tests/nfs3-procedure/README.md
new file mode 100644
index 000000000..5abe73c19
--- /dev/null
+++ b/tests/nfs3-procedure/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Match on NFS nfs_procedure keyword with string
+
+## PCAP
+
+reused
diff --git a/tests/nfs3-procedure/input.pcap b/tests/nfs3-procedure/input.pcap
new file mode 100644
index 000000000..b259374cb
Binary files /dev/null and b/tests/nfs3-procedure/input.pcap differ
diff --git a/tests/nfs3-procedure/test.rules b/tests/nfs3-procedure/test.rules
new file mode 100644
index 000000000..b5916f3f7
--- /dev/null
+++ b/tests/nfs3-procedure/test.rules
@@ -0,0 +1,10 @@
+# 2 matches for generic write
+alert nfs any any -> any any (flow:to_server; nfs_procedure:WRITE; sid:1;)
+# 1 for write v4
+alert nfs any any -> any any (flow:to_server; nfs_procedure:WRITE; nfs_version:3; sid:2;)
+# 1 for write v3
+alert nfs any any -> any any (flow:to_server; nfs_procedure:WRITE; nfs_version:4; sid:3;)
+# numeric value for write v3
+alert nfs any any -> any any (flow:to_server; nfs_procedure:7; nfs_version:3; sid:4;)
+# numeric value for write v4
+alert nfs any any -> any any (flow:to_server; nfs_procedure:38; nfs_version:4; sid:5;)
diff --git a/tests/nfs3-procedure/test.yaml b/tests/nfs3-procedure/test.yaml
new file mode 100644
index 000000000..fb617996c
--- /dev/null
+++ b/tests/nfs3-procedure/test.yaml
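Review bot: The comments above sid:2 and sid:3 in test.rules are swapped: `# 1 for write v4` sits on the rule with `nfs_version:3`, and `# 1 for write v3` on the rule with `nfs_version:4`. Swap them so that `# 1 for write v3` precedes sid:2 and `# 1 for write v4` precedes sid:3, which then agrees with the labels on the numeric rules sid:4 and sid:5. A mislabelled detection test makes it harder to tell which protocol version regressed when one of the expected counts changes. The test directory is also named nfs3-procedure although two of the five rules target version 4.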
@@ -0,0 +1,44 @@
+requires:
+ min-version: 9
+
+args:
+- -k none
+- --set stream.midstream=true
+- --set app-layer.protocols.nfs.enabled=yes
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 1
+ nfs.procedure: WRITE
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 2
+ nfs.procedure: WRITE
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 3
+ nfs.procedure: WRITE
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 4
+ nfs.procedure: WRITE
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 5
+ nfs.procedure: WRITE
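Review bot: None of the five checks in test.yaml pins the NFS version of the matched event, so the version-specific rules (sid 2 to 5) would still pass if `nfs_version` matched the wrong transaction while the counts happened to stay the same. If the alert's `nfs` object carries a version field (not visible in this diff, so confirm against the EVE output), add `nfs.version: 3` to the sid 2 and sid 4 filters and `nfs.version: 4` to the sid 3 and sid 5 filters. The test also has no negative case: a rule naming a procedure that is absent from the pcap, paired with a `count: 0` check, would confirm the keyword does not over-match.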