]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 07491ca)
detect-icmp-id: add tests
authorAlice Akaki <akakialice@gmail.com>
Mon, 31 Oct 2022 23:52:05 +0000 (19:52 -0400)
committerVictor Julien <victor@inliniac.net>
Wed, 24 May 2023 05:54:23 +0000 (07:54 +0200)
Task: #5622

tests/detect-icmp-id-01/README.md [new file with mode: 0644] patch | blob
tests/detect-icmp-id-01/input.pcap [new file with mode: 0644] patch | blob
tests/detect-icmp-id-01/test.rules [new file with mode: 0644] patch | blob
tests/detect-icmp-id-01/test.yaml [new file with mode: 0644] patch | blob
tests/detect-icmp-id-02/README.md [new file with mode: 0644] patch | blob
tests/detect-icmp-id-02/input.pcap [new file with mode: 0644] patch | blob
tests/detect-icmp-id-02/test.rules [new file with mode: 0644] patch | blob
tests/detect-icmp-id-02/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/detect-icmp-id-01/README.md b/tests/detect-icmp-id-01/README.md
new file mode 100644 (file)
index 0000000..1d3e78c
--- /dev/null
+++ b/tests/detect-icmp-id-01/README.md
@@ -0,0 +1,3 @@
+Test for checking the working of icmp_id keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.
+
+PCAP created with scapy.
diff --git a/tests/detect-icmp-id-01/input.pcap b/tests/detect-icmp-id-01/input.pcap
new file mode 100644 (file)
index 0000000..40bfa78
Binary files /dev/null and b/tests/detect-icmp-id-01/input.pcap differ
diff --git a/tests/detect-icmp-id-01/test.rules b/tests/detect-icmp-id-01/test.rules
new file mode 100644 (file)
index 0000000..1076588
--- /dev/null
+++ b/tests/detect-icmp-id-01/test.rules
@@ -0,0 +1,2 @@
+alert icmp any any -> any any (icmp_id:21781; sid:1;)
+alert icmp any any -> any any (icmp_id:21782; sid:2;)
diff --git a/tests/detect-icmp-id-01/test.yaml b/tests/detect-icmp-id-01/test.yaml
new file mode 100644 (file)
index 0000000..f5402c7
--- /dev/null
+++ b/tests/detect-icmp-id-01/test.yaml
@@ -0,0 +1,22 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
diff --git a/tests/detect-icmp-id-02/README.md b/tests/detect-icmp-id-02/README.md
new file mode 100644 (file)
index 0000000..3e0696c
--- /dev/null
+++ b/tests/detect-icmp-id-02/README.md
@@ -0,0 +1,3 @@
+Test for checking the working of icmp_id keyword by creating 1 rule and matching a crafted packet against them. The packet is an ICMP packet with no "id" field, therefore the rule should not trigger.
+
+PCAP created with scapy.
diff --git a/tests/detect-icmp-id-02/input.pcap b/tests/detect-icmp-id-02/input.pcap
new file mode 100644 (file)
index 0000000..e30c4aa
Binary files /dev/null and b/tests/detect-icmp-id-02/input.pcap differ
diff --git a/tests/detect-icmp-id-02/test.rules b/tests/detect-icmp-id-02/test.rules
new file mode 100644 (file)
index 0000000..d9b81b1
--- /dev/null
+++ b/tests/detect-icmp-id-02/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> any any (icmp_id:0; sid:1;)
diff --git a/tests/detect-icmp-id-02/test.yaml b/tests/detect-icmp-id-02/test.yaml
new file mode 100644 (file)
index 0000000..ca72f78
--- /dev/null
+++ b/tests/detect-icmp-id-02/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
Mirror of https://github.com/OISF/suricata-verify.git