From fc55a721db3ec5435d88075de414559ba55bf1a2 Mon Sep 17 00:00:00 2001
From: Olusegun Fajobi
Date: Mon, 27 Oct 2025 15:13:10 +0100
Subject: [PATCH] tests: add rule check for ttl keyword

Related to Issue: #6310
---
tests/rules/time_to_live/test.rules | 1 +
tests/rules/time_to_live/test.yaml | 16 ++++++++++++++++
2 files changed, 17 insertions(+)
create mode 100644 tests/rules/time_to_live/test.rules
create mode 100644 tests/rules/time_to_live/test.yaml
diff --git a/tests/rules/time_to_live/test.rules b/tests/rules/time_to_live/test.rules
new file mode 100644
index 000000000..7b172c185
--- /dev/null
+++ b/tests/rules/time_to_live/test.rules
@@ -0,0 +1 @@
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Packet With TTL 0"; ttl:0; classtype:misc-activity; sid:1; rev:1;)
diff --git a/tests/rules/time_to_live/test.yaml b/tests/rules/time_to_live/test.yaml
new file mode 100644
index 000000000..02f03da13
--- /dev/null
+++ b/tests/rules/time_to_live/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 9.0.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.packet.matches[0].name: "ttl"
+ lists.packet.matches[0].ttl.equal: 0
+
\ No newline at end of file
--
2.47.3
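Review bot: Only the equality form of the keyword is exercised, through the single rule carrying `ttl:0`, so a parsing regression in the comparison or range forms would still pass this test. Consider adding constructed sample rules such as `alert ip any any -> any any (msg:"TTL below 3"; ttl:<3; sid:2; rev:1;)` and `alert ip any any -> any any (msg:"TTL in range"; ttl:1-3; sid:3; rev:1;)`, each with its own check in test.yaml. The rules.json field names for those modes should be copied from real `--engine-analysis` output rather than assumed to mirror `ttl.equal`.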
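Review bot: The last added line of test.yaml is whitespace-only and the file ends without a newline, as the `\ No newline at end of file` marker after the final `+` line shows. Drop that stray line so the file ends at `lists.packet.matches[0].ttl.equal: 0` followed by a single newline. A short leading comment would also help the next reader, for example `# Verifies that engine analysis reports ttl:0 as an equality match on the packet list`.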