detect: adds transactional rules with filesize

Ticket: 7665

diff --git a/tests/detect-bidir/test.rules b/tests/detect-bidir/test.rules
index 995ad40d9289f8a5f096e3013f98bb8909cd9276..11fdb4c2a6a93bcd5fc5d1c64b3074667a57e0e4 100644 (file)
--- a/tests/detect-bidir/test.rules
+++ b/tests/detect-bidir/test.rules
@@ -8,3 +8,6 @@ alert http any any => any any (msg:"disambiguated toserver"; sid: 12; http.uri;
 alert http any any => any any (msg:"disambiguated toclient, without other toclient"; sid: 13; http.uri; content: "/download"; http.connection: to_client; content: "eep";)
 alert http any any => any any (msg:"disambiguated both sides"; sid: 14; http.connection: to_client; content: "eep"; http.connection: to_server; content: "eep";)
 alert http any any => any any (msg:"toclient, followed by http.uri implicitly toserver"; sid: 15; http.connection: to_client; content: "eep"; http.uri; content: "/download"; )
+
+alert http any any => any any (msg:"matching uri and status and file size"; sid: 16; http.uri; content: "/download"; http.stat_code; content: "200"; filesize: to_client, <100;)
+alert http any any => any any (msg:"matching uri and status and file size"; sid: 17; http.uri; content: "/download"; http.stat_code; content: "200"; filesize: to_client, >100;)

diff --git a/tests/detect-bidir/test.yaml b/tests/detect-bidir/test.yaml
index 5a56f45ec7687183fcf4f322dfca387f58c97fa1..6787859c538fcb63e909ee25179518b135199f5d 100644 (file)
--- a/tests/detect-bidir/test.yaml
+++ b/tests/detect-bidir/test.yaml
@@ -54,3 +54,13 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 15
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 16
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 17