rdp-protocol: test rdp metadata in alert

author Jason Ish <jason.ish@oisf.net>

Tue, 4 Aug 2020 22:29:34 +0000 (16:29 -0600)

committer Victor Julien <victor@inliniac.net>

Thu, 6 Aug 2020 06:37:27 +0000 (08:37 +0200)
author Jason Ish <jason.ish@oisf.net>
Tue, 4 Aug 2020 22:29:34 +0000 (16:29 -0600)
committer Victor Julien <victor@inliniac.net>
Thu, 6 Aug 2020 06:37:27 +0000 (08:37 +0200)
diff --git a/tests/rdp-protocol/suricata.yaml b/tests/rdp-protocol/suricata.yaml

index 0bfabbc4b2b632fa8b9f8d73a49fffb8fcbfb542..7b5a5edd4e2c6d7b37b9846bc6a273cbef0a1bf2 100644 (file)
--- a/tests/rdp-protocol/suricata.yaml
+++ b/tests/rdp-protocol/suricata.yaml
@@ -7,6 +7,7 @@ outputs:
        filetype: regular
        filename: eve.json
        types:
+        - alert
          - rdp
          - flow
  
diff --git a/tests/rdp-protocol/test.rules b/tests/rdp-protocol/test.rules

new file mode 100644 (file)

index 0000000..aaa2752
--- /dev/null
+++ b/tests/rdp-protocol/test.rules
@@ -0,0 +1 @@
+alert rdp any any -> any any (msg:"TEST RDP RULE"; sid:1; rev:1;)
diff --git a/tests/rdp-protocol/test.yaml b/tests/rdp-protocol/test.yaml

index 031f6ce7ed2c244c33906a79e346c2857883a26c..7743886649e4b066fa49d4136eb9008a6c69a5a2 100644 (file)
--- a/tests/rdp-protocol/test.yaml
+++ b/tests/rdp-protocol/test.yaml
@@ -35,3 +35,11 @@ checks:
          rdp.channels[0]: "rdpdr"
          rdp.channels[1]: "cliprdr"
          rdp.channels[2]: "rdpsnd"
+  - filter:
+      count: 1
+      match:
+        event_type: "alert"
+        pcap_cnt: 5
+        rdp.tx_id: 0
+        rdp.event_type: "initial_request"
+        rdp.cookie: "A70067"
author	Jason Ish <jason.ish@oisf.net>
	Tue, 4 Aug 2020 22:29:34 +0000 (16:29 -0600)
committer	Victor Julien <victor@inliniac.net>
	Thu, 6 Aug 2020 06:37:27 +0000 (08:37 +0200)
tests/rdp-protocol/suricata.yaml		patch \| blob \| blame \| history
tests/rdp-protocol/test.rules	[new file with mode: 0644]	patch \| blob
tests/rdp-protocol/test.yaml		patch \| blob \| blame \| history