tests: add tests for negated protocol matching
authorVictor Julien <victor@inliniac.net>
Tue, 21 Dec 2021 09:07:01 +0000 (10:07 +0100)
committerCatena cyber <35799796+catenacyber@users.noreply.github.com>
Mon, 21 Nov 2022 19:50:10 +0000 (20:50 +0100)
tests/detect-app-layer-protocol-01/README.md [new file with mode: 0644]
tests/detect-app-layer-protocol-01/input.pcap [new file with mode: 0644]
tests/detect-app-layer-protocol-01/test.rules [new file with mode: 0644]
tests/detect-app-layer-protocol-01/test.yaml [new file with mode: 0644]
tests/detect-app-layer-protocol-02/README.md [new file with mode: 0644]
tests/detect-app-layer-protocol-02/input.pcap [new file with mode: 0644]
tests/detect-app-layer-protocol-02/test.rules [new file with mode: 0644]
tests/detect-app-layer-protocol-02/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-app-layer-protocol-01/README.md b/tests/detect-app-layer-protocol-01/README.md
new file mode 100644 (file)
index 0000000..52fe89a
--- /dev/null
@@ -0,0 +1,3 @@
+Test `app-layer-protocol:!http`.
+
+PCAP from alert-testmyids.
diff --git a/tests/detect-app-layer-protocol-01/input.pcap b/tests/detect-app-layer-protocol-01/input.pcap
new file mode 100644 (file)
index 0000000..8fb6832
Binary files /dev/null and b/tests/detect-app-layer-protocol-01/input.pcap differ
diff --git a/tests/detect-app-layer-protocol-01/test.rules b/tests/detect-app-layer-protocol-01/test.rules
new file mode 100644 (file)
index 0000000..20acc18
--- /dev/null
@@ -0,0 +1,2 @@
+alert tcp any any -> any [80,443] (msg:"non-HTTP traffic over HTTP/S standard port"; flow:to_server; app-layer-protocol:!http; app-layer-protocol:!tls; sid:1; )
+alert tcp any [80,443] -> any any (msg:"non-HTTP traffic over HTTP/S standard port"; flow:to_client; app-layer-protocol:!http; app-layer-protocol:!tls; sid:2; )
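Review bot: Both sids in this file are only ever checked for `count: 0` in test.yaml, so a rule that did not load, a keyword that parsed to a no-op, or a pcap whose flows never reached the app-layer parser would all pass the test exactly like a working negation would; a negative-only check cannot tell those apart. A positive control pins that the traffic was actually classified: add a third rule such as `alert tcp any any -> any [80,443] (msg:"control: HTTP classified"; flow:to_server; app-layer-protocol:http; sid:3; )` and a filter in test.yaml for `alert.signature_id: 3` asserting the non-zero count the alert-testmyids pcap really produces (value to be confirmed by running it). The same applies to the test 02 rules and yaml hunks, which reuse the pcap with `!http1`. A minor style point: sid 1 and sid 2 carry the identical `msg`, so the direction is recoverable only from the rule header; mentioning to_server/to_client in each msg would make the alerts self-describing.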
diff --git a/tests/detect-app-layer-protocol-01/test.yaml b/tests/detect-app-layer-protocol-01/test.yaml
new file mode 100644 (file)
index 0000000..ade805c
--- /dev/null
@@ -0,0 +1,11 @@
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
diff --git a/tests/detect-app-layer-protocol-02/README.md b/tests/detect-app-layer-protocol-02/README.md
new file mode 100644 (file)
index 0000000..eaf4527
--- /dev/null
@@ -0,0 +1,3 @@
+Test `app-layer-protocol:!http1` (7+ only).
+
+PCAP from alert-testmyids.
diff --git a/tests/detect-app-layer-protocol-02/input.pcap b/tests/detect-app-layer-protocol-02/input.pcap
new file mode 100644 (file)
index 0000000..8fb6832
Binary files /dev/null and b/tests/detect-app-layer-protocol-02/input.pcap differ
diff --git a/tests/detect-app-layer-protocol-02/test.rules b/tests/detect-app-layer-protocol-02/test.rules
new file mode 100644 (file)
index 0000000..b9bc4ab
--- /dev/null
@@ -0,0 +1,2 @@
+alert tcp any any -> any [80,443] (msg:"non-HTTP traffic over HTTP/S standard port"; flow:to_server; app-layer-protocol:!http1; app-layer-protocol:!tls; sid:1; )
+alert tcp any [80,443] -> any any (msg:"non-HTTP traffic over HTTP/S standard port"; flow:to_client; app-layer-protocol:!http1; app-layer-protocol:!tls; sid:2; )
diff --git a/tests/detect-app-layer-protocol-02/test.yaml b/tests/detect-app-layer-protocol-02/test.yaml
new file mode 100644 (file)
index 0000000..1d0eb86
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 7
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2