detect-proto: add tests for detect-engine-proto
authorModupe Falodun <falodunmodupeola@gmail.com>
Mon, 24 Jan 2022 21:53:45 +0000 (22:53 +0100)
committerVictor Julien <victor@inliniac.net>
Sat, 29 Jan 2022 16:10:28 +0000 (17:10 +0100)
Task: 4911

tests/detect-engine-proto/README.md [new file with mode: 0644]
tests/detect-engine-proto/input.pcap [new file with mode: 0644]
tests/detect-engine-proto/test.rules [new file with mode: 0644]
tests/detect-engine-proto/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-engine-proto/README.md b/tests/detect-engine-proto/README.md
new file mode 100644 (file)
index 0000000..d18d6d6
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Test the working of protocol detection by setting up the signature and later testing its working by matching the received packet against the sig.
+
+# PCAP
+
+The pcap comes from https://github.com/bro/bro/blob/master/testing/btest/Traces/tcp/tcp-fast-open.pcap
diff --git a/tests/detect-engine-proto/input.pcap b/tests/detect-engine-proto/input.pcap
new file mode 100644 (file)
index 0000000..2893440
Binary files /dev/null and b/tests/detect-engine-proto/input.pcap differ
diff --git a/tests/detect-engine-proto/test.rules b/tests/detect-engine-proto/test.rules
new file mode 100644 (file)
index 0000000..a4c742c
--- /dev/null
@@ -0,0 +1,4 @@
+alert udp any any -> any any (msg:"Not tcp"; flow:to_server; sid:1;)
+alert ip any any -> any any (msg:"IP"; flow:to_server; sid:2;)
+alert tcp any any -> any any (msg:"TCP"; flow:to_server; sid:3;)
+alert http any any -> any any (msg:"http"; flow:to_server; sid:4;)
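Review bot: The message on sid 1, `msg:"Not tcp"`, does not say what the rule is for — it is a udp rule that is expected never to fire on this capture, which is only visible by cross-referencing `count: 0` in test.yaml. Renaming it to `msg:"UDP must not match"` and opening the file with a `#` comment stating that sid 1 is a negative check while sids 2–4 (ip, tcp, http) match the same to_server traffic at increasing protocol specificity would make the intent readable from the rules alone. The `flow:to_server` on the ip rule (sid 2) presumably limits it to client-side packets; if that is why its count in test.yaml equals the tcp rule's, the comment should say so.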
diff --git a/tests/detect-engine-proto/test.yaml b/tests/detect-engine-proto/test.yaml
new file mode 100644 (file)
index 0000000..ba4d158
--- /dev/null
@@ -0,0 +1,36 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: http
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 7
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 7
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 2
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
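Review bot: The expected counts (`count: 7` for sids 2 and 3, `count: 3` for sid 4, `count: 2` for http) are unexplained, so a change to the pcap or to protocol detection would fail this test without telling the reader which number was intended. A `#` comment above each filter tying the number to the capture — for instance `# ip and tcp rules fire once per to_server packet (7 in this capture)` — would make a regression diagnosable; the 7 is inferred here from the alert counts, not verified against the pcap. The http rule alerting 3 times while only 2 http events are logged is also non-obvious and deserves a line explaining it. Likewise `-k none` should carry a comment on why checksum verification must be disabled for this capture (presumably the pcap has invalid checksums).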