From bcfd24903218e16d7cda213d7042e95fadf03fd7 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 21 Jun 2019 14:39:25 +0200
Subject: [PATCH] tests: add tests for udp.hdr and tcp.hdr
---
 tests/tcp-hdr-keyword/input.pcap | Bin 0 -> 106 bytes
 tests/tcp-hdr-keyword/test.rules | 1 +
 tests/tcp-hdr-keyword/test.yaml | 12 ++++++++++++
 tests/tcp-hdr-keyword/writepcap.py | 10 ++++++++++
 tests/udp-hdr-keyword/input.pcap | Bin 0 -> 86 bytes
 tests/udp-hdr-keyword/test.rules | 1 +
 tests/udp-hdr-keyword/test.yaml | 12 ++++++++++++
 tests/udp-hdr-keyword/writepcap.py | 10 ++++++++++
 8 files changed, 46 insertions(+)
 create mode 100644 tests/tcp-hdr-keyword/input.pcap
 create mode 100644 tests/tcp-hdr-keyword/test.rules
 create mode 100644 tests/tcp-hdr-keyword/test.yaml
 create mode 100755 tests/tcp-hdr-keyword/writepcap.py
 create mode 100644 tests/udp-hdr-keyword/input.pcap
 create mode 100644 tests/udp-hdr-keyword/test.rules
 create mode 100644 tests/udp-hdr-keyword/test.yaml
 create mode 100755 tests/udp-hdr-keyword/writepcap.py
diff --git a/tests/tcp-hdr-keyword/input.pcap b/tests/tcp-hdr-keyword/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..a6372def68ef962c62e3c6adedef0d5f1e58b4bd
GIT binary patch
literal 106
zc-p&ic+)~A1{MYw`2U}Qfe}dOn{&om+A%OVF+lKtFkoP0VrF4&WME+9U~pw%FaRla
hVA~~kU any any (tcp.mss:<536; sid:1234; rev:5;)
diff --git a/tests/tcp-hdr-keyword/test.yaml b/tests/tcp-hdr-keyword/test.yaml
new file mode 100644
index 000000000..b658eca6f
--- /dev/null
+++ b/tests/tcp-hdr-keyword/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 5.0.0
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1234
+
diff --git a/tests/tcp-hdr-keyword/writepcap.py b/tests/tcp-hdr-keyword/writepcap.py
new file mode 100755
index 000000000..27d1089d2
--- /dev/null
+++ b/tests/tcp-hdr-keyword/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/TCP(dport=80,flags="S",options=[("NOP",None),("MSS", 8)])
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/udp-hdr-keyword/input.pcap b/tests/udp-hdr-keyword/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..e35b3fbcfb000932b64f439250d5070648a18740
GIT binary patch
literal 86
zc-p&ic+)~A1{MYw`2U}Qfe}bw_Tq}=V`F8|1G4qN;vm4l$i&RT+Q`7b#=+pqz#s!s
W>L9pF{lE$aMzFjoLjVJZ-39=4v=#LL
literal 0
Hc-jL100001
diff --git a/tests/udp-hdr-keyword/test.rules b/tests/udp-hdr-keyword/test.rules
new file mode 100644
index 000000000..6079eb8a1
--- /dev/null
+++ b/tests/udp-hdr-keyword/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (udp.hdr; content:"|00 08|"; offset:4; depth:2; sid:1234;)
diff --git a/tests/udp-hdr-keyword/test.yaml b/tests/udp-hdr-keyword/test.yaml
new file mode 100644
index 000000000..b658eca6f
--- /dev/null
+++ b/tests/udp-hdr-keyword/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 5.0.0
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1234
+
diff --git a/tests/udp-hdr-keyword/writepcap.py b/tests/udp-hdr-keyword/writepcap.py
new file mode 100755
index 000000000..b03b8f78d
--- /dev/null
+++ b/tests/udp-hdr-keyword/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/UDP(dport=80)
+
+wrpcap('input.pcap', pkts)
--
2.47.2
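Review bot: `pkts += Ether(...)/.../TCP(...)` on the sixth added line of tests/tcp-hdr-keyword/writepcap.py only works because list `+=` iterates the scapy Packet and so extends the list with the single packet it yields, which reads like a type mix-up; `pkts.append(Ether(...)/.../TCP(...))` states the intent directly, and the same construct is used in tests/udp-hdr-keyword/writepcap.py. The `("MSS", 8)` option is unexplained, and the only tcp rule text visible in this patch is `tcp.mss:<536; sid:1234; rev:5;`, so a comment such as `# MSS 8 keeps the SYN under the tcp.mss:<536 threshold in test.rules` would tie the generator to the rule it is meant to trigger. If that fragment is the whole rule, the tcp test exercises tcp.mss rather than the tcp.hdr keyword the commit title names, which is worth confirming against the full test.rules. `wrpcap('input.pcap', pkts)` writes relative to the working directory, so the committed pcap can only be regenerated by running the script from inside the test directory; a one-line comment saying so would help the next person who edits the packet.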
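Review bot: The `content:"|00 08|"; offset:4; depth:2` match in the added udp.hdr rule lands on the UDP length field (bytes 4-5 of the header), and it equals 0x0008 only because writepcap.py's `UDP(dport=80)` carries no payload, a dependency the rule itself does not state; the 86-byte pcap in the diffstat is consistent with exactly that one header-only frame. A leading comment line, `# offset 4 / depth 2 is the UDP length field; 0x0008 = the payload-less datagram written by writepcap.py`, would keep the rule and the generator from drifting apart. The tcp rule in this patch carries `rev:5` while this one has no `rev` and neither has a `msg`; adding `msg:"udp.hdr length field match"; rev:1;` keeps the two test rules consistent.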