git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
tests/ja4: Confirm config on auto-enable
author Jeff Lucovsky <jlucovsky@oisf.net>
Tue, 14 May 2024 12:57:08 +0000 (08:57 -0400)
committer Victor Julien <victor@inliniac.net>
Tue, 11 Jun 2024 07:03:48 +0000 (09:03 +0200)
Issue: 7010

Confirm that the config-level message is displayed when JA4 is enabled
due to rule usage.

tests/ja4-rules-bug-7010/README.md [new file with mode: 0644]
tests/ja4-rules-bug-7010/test.rules [new file with mode: 0644]
tests/ja4-rules-bug-7010/test.yaml [new file with mode: 0644]

diff --git a/tests/ja4-rules-bug-7010/README.md b/tests/ja4-rules-bug-7010/README.md
new file mode 100644 (file)
index 0000000..21c899b
--- /dev/null
@@ -0,0 +1 @@
+Confirm that Suricata logs JA4 being enabled due to a rule.
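Review bot: the README line does not name the ticket or the condition under which the message appears. The directory name carries 7010, but the text itself should reference the issue and state that the message is only emitted at the config log level, since test.yaml depends on `--set logging.default-log-level=config` to see it.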
diff --git a/tests/ja4-rules-bug-7010/test.rules b/tests/ja4-rules-bug-7010/test.rules
new file mode 100644 (file)
index 0000000..bdd3f73
--- /dev/null
@@ -0,0 +1 @@
+alert quic any any -> any any (msg:"JA4 QUIC Test 1"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918"; sid:1;)
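Review bot: the single rule covers only the `alert quic` path, so the test confirms the message for a QUIC rule with `ja4.hash` and nothing else. If the auto-enable can also be triggered from a rule on another protocol, that path needs its own rule or test; otherwise say in the README that QUIC is the only case intended here.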
diff --git a/tests/ja4-rules-bug-7010/test.yaml b/tests/ja4-rules-bug-7010/test.yaml
new file mode 100644 (file)
index 0000000..bdf014d
--- /dev/null
@@ -0,0 +1,16 @@
+requires:
+  min-version: 7.0.6
+  lt-version: 8
+  features:
+    - HAVE_JA4
+
+pcap: ../ja4-rules/input.pcap
+
+args:
+  - -k none
+  - --set logging.default-log-level=config
+
+checks:
+  - shell:
+      args: grep -c "enabling JA4 due to rule usage" stdout
+      expect: 1
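Review bot: the only check is the `grep -c` on stdout, so the test passes on the log string alone and does not show that JA4 was actually enabled for the rule. Consider adding a check that sid:1 alerts on ../ja4-rules/input.pcap, which would also keep the test meaningful if the message wording changes. The `lt-version: 8` cap has no explanation; a short comment on why the test is limited to versions below 8 would help whoever revisits it.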