detect: add test for ldap.responses.dn keyword

Ticket: #7471

diff --git a/tests/detect-ldap-dn/README.md b/tests/detect-ldap-dn/README.md
index 127a77ed65b7836eee7a35755fb5e7d10f8280ea..a9e1763246f38b78d8ad9003d8c9cebe0e208542 100644 (file)
--- a/tests/detect-ldap-dn/README.md
+++ b/tests/detect-ldap-dn/README.md
@@ -1,4 +1,5 @@
-Test ldap.request.dn keyword.
+Test ldap.request.dn and
+ldap.responses.dn keywords.
 
 PCAP from ../ldap-search/ldap.pcap
 

diff --git a/tests/detect-ldap-dn/test.rules b/tests/detect-ldap-dn/test.rules
index 5554354fdb2642c9cb0d634adabde3832128d131..056c5b58acd7cf36265690a0a610639e34987d95 100644 (file)
--- a/tests/detect-ldap-dn/test.rules
+++ b/tests/detect-ldap-dn/test.rules
@@ -1 +1,2 @@
 alert ldap any any -> any any (msg:"Test ldap request dn"; ldap.request.dn; content:"dc=example,dc=com"; startswith; endswith; sid:1;)
+alert ldap any any -> any any (msg:"Test ldap responses dn"; ldap.responses.dn; content:"dc=example,dc=com"; startswith; endswith; sid:2;)
\ No newline at end of file

diff --git a/tests/detect-ldap-dn/test.yaml b/tests/detect-ldap-dn/test.yaml
index c649f474b902b78641b39923d96846d542454f64..8bddd264af1ed30e00c16e149f3543054ebcd743 100644 (file)
--- a/tests/detect-ldap-dn/test.yaml
+++ b/tests/detect-ldap-dn/test.yaml
@@ -15,3 +15,11 @@ checks:
         ldap.request.operation: search_request
         ldap.request.search_request.base_object: dc=example,dc=com
         alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 6
+        ldap.responses[0].operation: search_result_entry
+        ldap.responses[0].search_result_entry.base_object: dc=example,dc=com
+        alert.signature_id: 2