tests: add rule to check for tcp/ack 1749/head
authorDaniel Olatunji <danielolatunji20@outlook.com>
Wed, 31 Jan 2024 15:37:54 +0000 (16:37 +0100)
committerVictor Julien <victor@inliniac.net>
Tue, 9 Apr 2024 08:27:32 +0000 (10:27 +0200)
Related to
Issue: 6354

tests/rules/tcp_ack/README.md [new file with mode: 0644]
tests/rules/tcp_ack/test.rules [new file with mode: 0644]
tests/rules/tcp_ack/test.yaml [new file with mode: 0644]

diff --git a/tests/rules/tcp_ack/README.md b/tests/rules/tcp_ack/README.md
new file mode 100644 (file)
index 0000000..051dbbe
--- /dev/null
@@ -0,0 +1,2 @@
+## Description
+Rule test for tcp-ack keyword engine-analysis output; includes the test.yaml and test.rules files.
\ No newline at end of file
diff --git a/tests/rules/tcp_ack/test.rules b/tests/rules/tcp_ack/test.rules
new file mode 100644 (file)
index 0000000..c621263
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Testing ack"; ack:782; sid:1;)
+alert tcp any any -> any any (msg:"Testing ack"; ack:15; sid:2;)
+alert tcp any any -> any any (msg:"Testing ack"; ack:437528; sid:3;)
\ No newline at end of file
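Review bot: All three rules carry the identical `msg:"Testing ack"`, so nothing in the alert or engine-analysis text distinguishes which ack value a rule is testing; the rules are told apart only by sid. A per-rule message such as `msg:"Testing ack 782"`, `msg:"Testing ack 15"` and `msg:"Testing ack 437528"` makes the output self-describing when a check fails. The file also ends without a trailing newline (`\ No newline at end of file`); add one so the last rule line is terminated like the others.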
diff --git a/tests/rules/tcp_ack/test.yaml b/tests/rules/tcp_ack/test.yaml
new file mode 100644 (file)
index 0000000..806629d
--- /dev/null
@@ -0,0 +1,28 @@
+requires:
+    min-version: 8.0
+    pcap: false
+
+args:
+    - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.packet.matches[0].name: "tcp.ack"
+      lists.packet.matches[0].ack.number: 782
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      lists.packet.matches[0].ack.number: 15
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 3
+      lists.packet.matches[0].name: "tcp.ack"
+      lists.packet.matches[0].ack.number: 437528
\ No newline at end of file
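Review bot: The filter for sid 2 (the `id: 2` block) omits the `lists.packet.matches[0].name: "tcp.ack"` match that the sid 1 and sid 3 filters carry, so it only pins the number and would still pass if the first packet match were reported under a different keyword name that happens to expose an `ack.number` field. Add `lists.packet.matches[0].name: "tcp.ack"` under that filter's `match:` so all three checks assert the same shape. The file also ends without a trailing newline (`\ No newline at end of file`); add one. `min-version: 8.0` is parsed by YAML as a float rather than a version string — presumably the suricata-verify runner tolerates this, but quoting it (`min-version: "8.0"`) avoids relying on that; confirm against how the runner compares versions.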