From: Andreas Herz
Date: Thu, 10 Oct 2019 20:02:56 +0000 (+0200)
Subject: tests: test that triggers a rule with established though 3whs missing
X-Git-Tag: suricata-6.0.4~264
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F291%2Fhead;p=thirdparty%2Fsuricata-verify.git

tests: test that triggers a rule with established though 3whs missing
---

diff --git a/tests/alert-no-3whs-established/no-3whs.pcap b/tests/alert-no-3whs-established/no-3whs.pcap
new file mode 100644
index 000000000..6a1a2bece
Binary files /dev/null and b/tests/alert-no-3whs-established/no-3whs.pcap differ
diff --git a/tests/alert-no-3whs-established/test.rules b/tests/alert-no-3whs-established/test.rules
new file mode 100644
index 000000000..823a42128
--- /dev/null
+++ b/tests/alert-no-3whs-established/test.rules
@@ -0,0 +1 @@
+alert tcp 127.0.0.1 any -> 127.0.0.1 1212 ( msg:"RULE:to_server,established #1"; content:"MATCH?"; flow:to_server,established; priority:3; sid:13371340;)
diff --git a/tests/alert-no-3whs-established/test.yaml b/tests/alert-no-3whs-established/test.yaml
new file mode 100644
index 000000000..961a6e578
--- /dev/null
+++ b/tests/alert-no-3whs-established/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 6.0.0
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 13371340
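Review bot: The single rule in test.rules gives the test only a negative signal, so the `count: 0` check cannot tell "flow never reached established" apart from "payload was never inspected at all". A control rule without the established requirement, for example `alert tcp 127.0.0.1 any -> 127.0.0.1 1212 (msg:"control: payload seen"; content:"MATCH?"; sid:13371341;)` (sid constructed here as a sample), would show that the `MATCH?` payload reaches detection, provided test.yaml also asserts that it alerts. How many times it should fire depends on the pcap, which is binary in this commit and not visible here, so the expected count needs to be confirmed against the capture.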
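Review bot: The expected result in test.yaml depends on midstream pickup being disabled, but nothing in the file pins that; the test inherits whatever the default configuration sets. Adding an `args:` list with `- --set stream.midstream=false` would make the precondition explicit and keep the test meaningful if the default ever changes. Separately, the traffic is loopback (127.0.0.1), and such captures often carry invalid checksums from offloading; if that is the case here the packets may be discarded before detection and `count: 0` would pass for the wrong reason, so it is worth confirming the capture or adding `- -k none` to the same list.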