rfb: add test case for logging of partial txs
authorSascha Steinbiss <satta@debian.org>
Fri, 30 Jun 2023 08:18:02 +0000 (10:18 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 5 Jul 2023 04:41:23 +0000 (06:41 +0200)
tests/rfb-partial-tx/in.pcap [new file with mode: 0644]
tests/rfb-partial-tx/suricata.yaml [new file with mode: 0644]
tests/rfb-partial-tx/test.yaml [new file with mode: 0644]

diff --git a/tests/rfb-partial-tx/in.pcap b/tests/rfb-partial-tx/in.pcap
new file mode 100644 (file)
index 0000000..75b6d5a
Binary files /dev/null and b/tests/rfb-partial-tx/in.pcap differ
diff --git a/tests/rfb-partial-tx/suricata.yaml b/tests/rfb-partial-tx/suricata.yaml
new file mode 100644 (file)
index 0000000..208e9ef
--- /dev/null
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - rfb
+        - flow
+        - anomaly
+
+app-layer:
+  protocols:
+    rfb:
+      enabled: yes
+      detection-ports:
+        dp: 5900
diff --git a/tests/rfb-partial-tx/test.yaml b/tests/rfb-partial-tx/test.yaml
new file mode 100644 (file)
index 0000000..fc9665d
--- /dev/null
@@ -0,0 +1,27 @@
+requires:
+  min-version: 7.0.0
+  script:
+    - test $(fgrep -c 'current_transaction.complete = true' rust/src/rfb/rfb.rs) -gt 1
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: rfb
+
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.event: unimplemented_security_type
+
+  - filter:
+      count: 1
+      match:
+        event_type: rfb
+        rfb.server_protocol_version.major: "003"
+        rfb.server_protocol_version.minor: "889"
+        rfb.client_protocol_version.major: "003"
+        rfb.client_protocol_version.minor: "008"
+        rfb.authentication.security_type: 30  # Apple authentication, which we don't support yet
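Review bot: The `requires.script` entry decides whether this test runs by counting occurrences of `current_transaction.complete = true` in rust/src/rfb/rfb.rs, and nothing in the file says why more than one match is needed. If that file is later reformatted or the field is renamed, the probe would presumably stop matching and the test would be skipped rather than fail, so a regression in logging of unfinished RFB transactions could go unnoticed. I would add a comment above the script line such as `# feature probe: run only where rfb.rs marks transactions complete at more than one site (partial-tx logging fix); update if rfb.rs is refactored`. Separately, `fgrep` is flagged as obsolescent by recent GNU grep and prints a warning, so `grep -F -c` is the safer spelling.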