tests: add tests for ntlmssp keywords

diff --git a/tests/smb2-08-rule/README.md b/tests/smb2-08-rule/README.md
new file mode 100644 (file)
index 0000000..a96a278
--- /dev/null
+++ b/tests/smb2-08-rule/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap found in Zeek/Bro git repo.

diff --git a/tests/smb2-08-rule/smb2.pcap b/tests/smb2-08-rule/smb2.pcap
new file mode 100644 (file)
index 0000000..49c7116
Binary files /dev/null and b/tests/smb2-08-rule/smb2.pcap differ

diff --git a/tests/smb2-08-rule/test.rules b/tests/smb2-08-rule/test.rules
new file mode 100644 (file)
index 0000000..0b6f57b
--- /dev/null
+++ b/tests/smb2-08-rule/test.rules
@@ -0,0 +1,3 @@
+alert smb any any -> any any (msg:"user"; smb.ntlmssp_user; content:"Administrator"; sid:1;)
+alert smb any any -> any any (msg:"user"; smb.ntlmssp_domain; content:"CONTOSO"; sid:2;)
+alert smb any any -> any any (msg:"user"; smb.ntlmssp_user; content:"root"; sid:3;)

diff --git a/tests/smb2-08-rule/test.yaml b/tests/smb2-08-rule/test.yaml
new file mode 100644 (file)
index 0000000..4c74dd6
--- /dev/null
+++ b/tests/smb2-08-rule/test.yaml
@@ -0,0 +1,27 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - RUST
+  files:
+    - rust/src/smb/smb.rs
+    - src/detect-smb-ntlmssp.c
+args:
+- --set stream.reassembly.depth=0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
+