tests: byte_test bitmask tests
authorJeff Lucovsky <jeff@lucovsky.org>
Wed, 4 Mar 2020 13:23:37 +0000 (08:23 -0500)
committerVictor Julien <victor@inliniac.net>
Mon, 23 Mar 2020 06:26:17 +0000 (07:26 +0100)
tests/detect-bytetest-01/README.md [new file with mode: 0644]
tests/detect-bytetest-01/input.pcap [new file with mode: 0644]
tests/detect-bytetest-01/test.rules [new file with mode: 0644]
tests/detect-bytetest-01/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-bytetest-01/README.md b/tests/detect-bytetest-01/README.md
new file mode 100644 (file)
index 0000000..b8de7ad
--- /dev/null
@@ -0,0 +1,4 @@
+# Test the `bitmask` modifier for byte-test
+
+This test covers different byte_test cases using bitmask. The pcap was taken
+from https://redmine.openinfosecfoundation.org/issues/3047
diff --git a/tests/detect-bytetest-01/input.pcap b/tests/detect-bytetest-01/input.pcap
new file mode 100644 (file)
index 0000000..274449d
Binary files /dev/null and b/tests/detect-bytetest-01/input.pcap differ
diff --git a/tests/detect-bytetest-01/test.rules b/tests/detect-bytetest-01/test.rules
new file mode 100644 (file)
index 0000000..df19ee0
--- /dev/null
@@ -0,0 +1,5 @@
+alert tcp-pkt any any -> any any (msg:"byte-test test 1"; content: "|48 54 54 50|"; byte_test:1,=,0x9,0, bitmask 0xf8; sid:1; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte-test test 1"; content: "|48 54 54 50|"; byte_test:1,>,0x8,0, bitmask 0xf8; sid:2; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte-test test 1"; content: "|48 54 54 50|"; byte_test:1,<,0xa,0, bitmask 0xf8; sid:3; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte-test test 1"; content: "|48 54 54 50|"; byte_test:1,!=,0x48,0, bitmask 0xf8; sid:4; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte-test test 1"; content: "|48 54 54 50|"; byte_test:2,=,0x90a,0, bitmask 0xf8f8; sid:5; rev:1;)
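Review bot: All five rules carry the identical `msg:"byte-test test 1"`, so an alert in the eve output cannot be read back to the case that fired without cross-referencing the sid; give each a distinct message, e.g. `msg:"byte-test bitmask 1-byte eq"` for sid 1, `msg:"byte-test bitmask 1-byte gt"` for sid 2 and `msg:"byte-test bitmask 2-byte eq"` for sid 5. The expected values (0x9 for the byte 0x48 under mask 0xf8, 0x90a for 0x4854 under 0xf8f8) appear to rely on the masked value being right-shifted by the mask's trailing zero bits, which a reader has to derive; a leading comment such as `# bitmask masks then shifts right by the mask's trailing zeros: 'H' 0x48 & 0xf8 -> 0x09, "HT" 0x4854 & 0xf8f8 -> 0x090a` would document the contract these rules pin. sid 4's `!=,0x48` is the only rule that distinguishes "masked and shifted" from "masked only", and that intent is worth stating in the same comment so nobody later "fixes" it to `=`.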
diff --git a/tests/detect-bytetest-01/test.yaml b/tests/detect-bytetest-01/test.yaml
new file mode 100644 (file)
index 0000000..2f5c8ec
--- /dev/null
@@ -0,0 +1,32 @@
+requires:
+    version: 6.0.0
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
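Review bot: The `-k none` argument silently turns off checksum validation, and nothing in the test says why it is needed; since the README attributes the pcap to a bug report, this presumably works around bad checksums in that capture, and it deserves a comment such as `# -k none: disable checksum validation, the issue pcap has invalid checksums` next to the args entry (confirm against the capture). Likewise `version: 6.0.0` reads as the release that introduced the bitmask modifier, but that is an inference; a one-line comment `# bitmask support for byte_test requires 6.0+` would make the gate self-explanatory. The five per-sid checks are fine as written, since `count: 1` already rejects any rule that fires more or less than once.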