From 21bf388098651f41fafc1b7a35d52225b2700048 Mon Sep 17 00:00:00 2001
From: Andreas Herz <andi@geekosphere.org>
Date: Thu, 10 Oct 2019 22:02:56 +0200
Subject: [PATCH] tests: test that triggers a rule with established though 3whs
 missing

---
 tests/alert-no-3whs-established/no-3whs.pcap | Bin 0 -> 316 bytes
 tests/alert-no-3whs-established/test.rules   |   1 +
 tests/alert-no-3whs-established/test.yaml    |  11 +++++++++++
 3 files changed, 12 insertions(+)
 create mode 100644 tests/alert-no-3whs-established/no-3whs.pcap
 create mode 100644 tests/alert-no-3whs-established/test.rules
 create mode 100644 tests/alert-no-3whs-established/test.yaml

diff --git a/tests/alert-no-3whs-established/no-3whs.pcap b/tests/alert-no-3whs-established/no-3whs.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..6a1a2bece0b924a21b4580be95294251fc6767d2
GIT binary patch
literal 316
zc-p&ic+)~A1{MYw;8$m0U<A_sNB2g{JY;9E0kUlvPyq*nD+7bx-%Sh*4s7+J^*{|E
z%-PMd$8^UeR_%35_60~VG068bF!(x#ID6QG%(8sW&R_=AYlh7%jS?9Lpjjt2!pvgX
l!`Tfo2c#kZ=(x*T5EoU?<)WI4wgJt;<01{Pi<aVZ5da}$JIDY4

literal 0
Hc-jL100001

diff --git a/tests/alert-no-3whs-established/test.rules b/tests/alert-no-3whs-established/test.rules
new file mode 100644
index 000000000..823a42128
--- /dev/null
+++ b/tests/alert-no-3whs-established/test.rules
@@ -0,0 +1 @@
+alert tcp 127.0.0.1 any -> 127.0.0.1 1212 ( msg:"RULE:to_server,established #1"; content:"MATCH?"; flow:to_server,established; priority:3; sid:13371340;)
diff --git a/tests/alert-no-3whs-established/test.yaml b/tests/alert-no-3whs-established/test.yaml
new file mode 100644
index 000000000..961a6e578
--- /dev/null
+++ b/tests/alert-no-3whs-established/test.yaml
@@ -0,0 +1,11 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+    min-version: 6.0.0
+
+checks:
+    - filter:
+        count: 0
+        match:
+            event_type: alert
+            alert.signature_id: 13371340
-- 
2.47.2