ssh: adds test for frames

Ticket: 5734

diff --git a/tests/ssh-frames/README.md b/tests/ssh-frames/README.md
new file mode 100644 (file)
index 0000000..1721f2b
--- /dev/null
+++ b/tests/ssh-frames/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test ssh frames.
+https://redmine.openinfosecfoundation.org/issues/5734
+
+# PCAP
+
+reused from another test

diff --git a/tests/ssh-frames/test.rules b/tests/ssh-frames/test.rules
new file mode 100644 (file)
index 0000000..e5c7f6e
--- /dev/null
+++ b/tests/ssh-frames/test.rules
@@ -0,0 +1,3 @@
+alert ssh any any -> any 22 (msg:"pdu frame"; frame:ssh.record.pdu; content: "|06 1e 00 00 00 20|"; offset: 4; depth:6; sid:1;)
+alert ssh any any -> any 22 (msg:"hdr frame new keys"; frame:ssh.record.hdr; content: "|15|"; endswith; bsize: 6; sid:2;)
+alert ssh any any -> any 22 (msg:"data frame"; frame:ssh.record.data; content: "curve"; sid:3;)

diff --git a/tests/ssh-frames/test.yaml b/tests/ssh-frames/test.yaml
new file mode 100644 (file)
index 0000000..5d7f181
--- /dev/null
+++ b/tests/ssh-frames/test.yaml
@@ -0,0 +1,25 @@
+requires:
+  min-version: 8
+
+pcap:  ../ssh-newkeys/input.pcap
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 1
+         ssh.client.software_version: "libssh-0.7.2"
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 3