detect-dce-opnum: add test

Task: 4911

diff --git a/tests/dcerpc/dcerpc-dce-opnum/README.md b/tests/dcerpc/dcerpc-dce-opnum/README.md
new file mode 100644 (file)
index 0000000..b31f1d6
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-opnum/README.md
@@ -0,0 +1 @@
+Tests the dce_opnum keyword

diff --git a/tests/dcerpc/dcerpc-dce-opnum/test.rules b/tests/dcerpc/dcerpc-dce-opnum/test.rules
index 947427ffae0465217d49649c7722e30614277665..9cfa31f5ecd73298038b1899add80f1f2838537b 100644 (file)
--- a/tests/dcerpc/dcerpc-dce-opnum/test.rules
+++ b/tests/dcerpc/dcerpc-dce-opnum/test.rules
@@ -1 +1,2 @@
-alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;dce_opnum:4;sid:1;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989;dcerpc.opnum:4;sid:1;)
+alert tcp any any -> any any (msg:"DCERPC"; dcerpc.opnum:4; sid:2;)

diff --git a/tests/dcerpc/dcerpc-dce-opnum/test.yaml b/tests/dcerpc/dcerpc-dce-opnum/test.yaml
index 7c47e217dc612bee636934e72b8851087af89c93..4516db1080ebd62ec4002165e6c5bbd79cfaa636 100644 (file)
--- a/tests/dcerpc/dcerpc-dce-opnum/test.yaml
+++ b/tests/dcerpc/dcerpc-dce-opnum/test.yaml
@@ -10,3 +10,9 @@ checks:
       count: 1
       match:
         event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 2