--- /dev/null
+Description
+===========
+Test rfb Pdu frames.
+
+PCAP
+====
+PCAP comes from the suricata verify test[rfb-protocol-3.8]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5717
\ No newline at end of file
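Review bot: The Description line "Test rfb Pdu frames." does not say what the test exercises. The rules added in this patch cover startswith, offset and endswith on frame:pdu, in both directions, plus two patterns that are expected not to alert; one sentence listing that would let the README stand on its own. The PCAP line would also read better with the source given as a path, as test.yaml does with ../rfb-protocol-3.8/04-vnc-openwall-3.8.pcap, instead of "[rfb-protocol-3.8]" run into the preceding word. The file also needs a trailing newline.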
--- /dev/null
+alert rfb any any -> any any (msg:"RFB Frame 1"; flow:to_client; frame:pdu; content:"|01 02|"; startswith; sid:1;)
+alert rfb any any -> any any (msg:"RFB Frame 2"; flow:to_server; frame:pdu; content:"|7A 6F 36|"; offset:2; sid:2;)
+alert rfb any any -> any any (msg:"RFB Frame 3"; frame:pdu; content:"|30 30 38 0A|"; endswith; sid:3;)
+alert rfb any any -> any any (msg:"RFB Frame 4"; frame:pdu; content:"|17 0C E2|"; sid:4;)
+alert rfb any any -> any any (msg:"RFB Frame 5"; frame:pdu; content:"|00 00 54 46|"; sid:5;)
\ No newline at end of file
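Review bot: sids 4 and 5 are asserted with count: 0 in test.yaml, but nothing in the rules marks them as negative cases: the msg values "RFB Frame 4" and "RFB Frame 5" read the same as those of the rules that are expected to match. Put the intent in the msg or in a comment line above each rule, saying why that content must not match inside a pdu frame, so a later reader does not mistake a zero count for a broken rule. sids 3 to 5 also drop the flow direction that sids 1 and 2 set; if that is deliberate (sid 3 is expected twice), state it. The file lacks a trailing newline.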
--- /dev/null
+pcap: ../rfb-protocol-3.8/04-vnc-openwall-3.8.pcap
+
+requires:
+ min-version: 7
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ frame.type: "pdu"
+ frame.direction: toclient
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ frame.type: "pdu"
+ frame.direction: toserver
+ frame.complete: true
+- filter:
+ count: 2
+ match:
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 4
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 5
\ No newline at end of file
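Review bot: The check for sid 3 asserts only count: 2, while the checks for sids 1 and 2 also pin frame.type, frame.direction and frame.complete. The rule for sid 3 has no flow keyword, so the two alerts could come from either direction and this check would pass regardless. Split it into one filter per direction with the expected frame.direction, or at least add frame.type: "pdu", so a regression in which frame the alert is attached to gets caught. The file also ends without a newline.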