tests: add rule check for flowint keyword 2755/head 2760/head
author Olusegun Fajobi <segzyfaj1@gmail.com>
Tue, 11 Nov 2025 14:26:30 +0000 (15:26 +0100)
committer Olusegun Fajobi <segzyfaj1@gmail.com>
Tue, 11 Nov 2025 14:26:30 +0000 (15:26 +0100)
Related to
Issue: #6311

tests/rules/flowints/test.rules [new file with mode: 0644]
tests/rules/flowints/test.yaml [new file with mode: 0644]

diff --git a/tests/rules/flowints/test.rules b/tests/rules/flowints/test.rules
new file mode 100644 (file)
index 0000000..5c70f26
--- /dev/null
@@ -0,0 +1,11 @@
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, +, 1; noalert; sid:1;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, -, 1; noalert; sid:2;)
+alert tcp any any -> any any (msg:"Start a login count"; content:"login failed"; flowint:loginfail, notset; flowint:loginfail, =, 1; noalert; sid:3;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, >, 1; noalert; sid:4;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, <, 1; noalert; sid:5;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, <=, 1; noalert; sid:6;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, >=, 1; noalert; sid:7;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, ==, 1; noalert; sid:8;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, !=, 1; noalert; sid:9;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, isset, 1; noalert; sid:10;)
+alert tcp any any -> any any (msg:"Counting Usernames"; content:"jonkman"; flowint: usernamecount, isnotset, 1; noalert; sid:11;)
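Review bot: sid 10 and sid 11 pass a trailing value (`flowint: usernamecount, isset, 1;` and `flowint: usernamecount, isnotset, 1;`) although the documented form of the isset/isnotset checks is `flowint: usernamecount, isset;` with no value. If the intent is to exercise the parser accepting the extra argument, a one-line comment at the top of the file saying so would make that explicit; otherwise the `, 1` should be dropped so the rules under test use the documented syntax. Note also that sid 3 spells the check `notset` while sid 11 uses `isnotset`; keeping both is useful alias coverage, but a comment such as `# sid 3 uses the legacy "notset" spelling on purpose` would stop a later cleanup from normalising one away.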
diff --git a/tests/rules/flowints/test.yaml b/tests/rules/flowints/test.yaml
new file mode 100644 (file)
index 0000000..faef063
--- /dev/null
@@ -0,0 +1,105 @@
+requires:
+    min-version: 9.0
+    pcap: false
+
+args:
+    - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.postmatch.matches[0].name: "flowint"
+      lists.postmatch.matches[0].flowint.cmd: "add"
+      lists.postmatch.matches[0].flowint.var: "usernamecount"
+      lists.postmatch.matches[0].flowint.value: 1
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      lists.postmatch.matches[0].name: "flowint"
+      lists.postmatch.matches[0].flowint.cmd: "sub"
+      lists.postmatch.matches[0].flowint.var: "usernamecount"
+      lists.postmatch.matches[0].flowint.value: 1   
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 3
+      lists.postmatch.matches[0].name: "flowint"
+      lists.postmatch.matches[0].flowint.cmd: "set"
+      lists.postmatch.matches[0].flowint.var: "loginfail"
+      lists.postmatch.matches[0].flowint.value: 1 
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 4
+      lists.packet.matches[0].name: "flowint"
+      lists.packet.matches[0].flowint.cmd: "gt"
+      lists.packet.matches[0].flowint.var: "usernamecount"
+      lists.packet.matches[0].flowint.value: 1  
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 5
+      lists.packet.matches[0].name: "flowint"
+      lists.packet.matches[0].flowint.cmd: "lt"
+      lists.packet.matches[0].flowint.var: "usernamecount"
+      lists.packet.matches[0].flowint.value: 1  
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 6
+      lists.packet.matches[0].name: "flowint"
+      lists.packet.matches[0].flowint.cmd: "lte"
+      lists.packet.matches[0].flowint.var: "usernamecount"
+      lists.packet.matches[0].flowint.value: 1    
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 7
+      lists.packet.matches[0].name: "flowint"
+      lists.packet.matches[0].flowint.cmd: "gte"
+      lists.packet.matches[0].flowint.var: "usernamecount"
+      lists.packet.matches[0].flowint.value: 1  
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 8
+      lists.packet.matches[0].name: "flowint"
+      lists.packet.matches[0].flowint.cmd: "eq"
+      lists.packet.matches[0].flowint.var: "usernamecount"
+      lists.packet.matches[0].flowint.value: 1             
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 9
+      lists.packet.matches[0].name: "flowint"
+      lists.packet.matches[0].flowint.cmd: "ne"
+      lists.packet.matches[0].flowint.var: "usernamecount"
+      lists.packet.matches[0].flowint.value: 1 
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 10
+      lists.packet.matches[0].name: "flowint"
+      lists.packet.matches[0].flowint.cmd: "isset"
+      lists.packet.matches[0].flowint.var: "usernamecount"
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 11
+      lists.packet.matches[0].name: "flowint"
+      lists.packet.matches[0].flowint.cmd: "isnotset"
+      lists.packet.matches[0].flowint.var: "usernamecount"
\ No newline at end of file
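Review bot: the check for id 3 only asserts the postmatch `set` keyword, so the `flowint:loginfail, notset` check in the same rule is never verified; adding `lists.packet.matches[0].name: "flowint"` and `lists.packet.matches[0].flowint.cmd: "isnotset"` under that match block would pin it (presumably the cmd string engine-analysis reports for `notset` is the same as for id 11's `isnotset` — confirm against the generated rules.json). The checks for ids 10 and 11 likewise omit `.flowint.value`, so they cannot tell whether the trailing `, 1` in those rules is parsed into the keyword or silently ignored, which is the very thing a rule-parsing test should decide. Separately, the `value: 1` lines for ids 2 through 9 carry trailing whitespace, the file has no newline at EOF, and the `checks` list sits at column 0 while `requires`/`args` use a four-space indent; all harmless to YAML but worth normalising before merge.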