tests: add mix of byte_extract tests

diff --git a/tests/byte-extract-01/README.md b/tests/byte-extract-01/README.md
new file mode 100644 (file)
index 0000000..4a8763f
--- /dev/null
+++ b/tests/byte-extract-01/README.md
@@ -0,0 +1,4 @@
+# test byte_extract cases
+
+This test covers different byte_extract cases. The rules and the pcap are taken
+from https://redmine.openinfosecfoundation.org/issues/3047

diff --git a/tests/byte-extract-01/input.pcap b/tests/byte-extract-01/input.pcap
new file mode 100644 (file)
index 0000000..274449d
Binary files /dev/null and b/tests/byte-extract-01/input.pcap differ

diff --git a/tests/byte-extract-01/test.rules b/tests/byte-extract-01/test.rules
new file mode 100644 (file)
index 0000000..c24f031
--- /dev/null
+++ b/tests/byte-extract-01/test.rules
@@ -0,0 +1,10 @@
+alert tcp-pkt any any -> any any (msg:"byte extract test 1"; byte_extract:2,0,two1,string,dec; content:"|33 34|"; offset:0; depth:two1; sid:1; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 2"; byte_extract:1,2,two2,string,dec; content:"|33 34|"; offset:8; depth:two2; sid:2; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 3"; byte_extract:1,2,two3,string,dec; byte_extract:1,5,eight,string,dec; content:"|33 34|"; offset:eight; depth:two3; sid:3; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 4"; byte_extract:1,3,sixd1,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd1; sid:4; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 5"; byte_extract:1,2,twow,string,dec; byte_extract:1,3,sixd2,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd2; within:twow; sid: 5; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 6"; content:"|31 30|"; byte_extract:1,6,three1,relative,string,dec; content:"|36 10|"; offset:three1; depth:2; sid:6; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 7"; byte_extract:1,2,dectwo1,string,dec; content:"|32|"; offset:dectwo1; depth:1; sid:7; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 8"; byte_extract:1,2,dectwo2,string,dec; content:"|32|"; offset:dectwo2; sid:8; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 9"; byte_extract:1,4,hexten; byte_extract:1,0,decone,string,dec; content:"|66|"; offset:hexten; depth:decone; sid:9; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 10"; byte_extract:1,4,two4; content:"|31|"; depth:1; content:"|2e|"; distance:two4; within:1; sid:10; rev:1;)

diff --git a/tests/byte-extract-01/test.yaml b/tests/byte-extract-01/test.yaml
new file mode 100644 (file)
index 0000000..e0f207b
--- /dev/null
+++ b/tests/byte-extract-01/test.yaml
@@ -0,0 +1,58 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10