--- /dev/null
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:50; sid:1;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:>123; sid:2;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:<536; sid:3;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:123-456; sid:4;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:>=439; sid:5;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:<=70; sid:6;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:!1000; sid:7;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:!=953; sid:8;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:!123-456; sid:9;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:&0xF=4; sid:10;)
--- /dev/null
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.equal: 50
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.gt: 123
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.lt: 536
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.range.min: 123
+ lists.packet.matches[0].tcp_mss.range.max: 456
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.gte: 439
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.lte: 70
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.diff: 1000
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.diff: 953
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 9
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.negated_range.min: 123
+ lists.packet.matches[0].tcp_mss.negated_range.max: 456
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.bitmask.mask: 15
+ lists.packet.matches[0].tcp_mss.bitmask.value: 4