file-data-depth-inspection: break into 2 tests
authorJason Ish <jason.ish@oisf.net>
Fri, 20 Mar 2020 22:25:07 +0000 (16:25 -0600)
committerJason Ish <jason.ish@oisf.net>
Fri, 20 Mar 2020 22:26:03 +0000 (16:26 -0600)
As the alert one doesn't work with 4.1.

tests/file-data-depth-inspection-alert/file-data-depth-inpsection.pcap [new file with mode: 0644]
tests/file-data-depth-inspection-alert/test.rules [new file with mode: 0644]
tests/file-data-depth-inspection-alert/test.yaml [new file with mode: 0644]
tests/file-data-depth-inspection/test.rules
tests/file-data-depth-inspection/test.yaml

diff --git a/tests/file-data-depth-inspection-alert/file-data-depth-inpsection.pcap b/tests/file-data-depth-inspection-alert/file-data-depth-inpsection.pcap
new file mode 100644 (file)
index 0000000..ae8ab5b
Binary files /dev/null and b/tests/file-data-depth-inspection-alert/file-data-depth-inpsection.pcap differ
diff --git a/tests/file-data-depth-inspection-alert/test.rules b/tests/file-data-depth-inspection-alert/test.rules
new file mode 100644 (file)
index 0000000..5e2c167
--- /dev/null
@@ -0,0 +1,4 @@
+# should match:
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)
+# should match:
+alert tcp any any -> any any (msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; sid:13371338; rev:1;)
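Review bot: The two `# should match:` comments on the new rules say only that each rule alerts, not what it exercises or how many alerts test.yaml expects, so a reader has to cross-reference the sid against the yaml to understand the test. Replacing them with `# sid 13371339: file_data content match on an SMTP attachment; test.yaml expects 2 alerts` and `# sid 13371338: plain payload content match on any port and either direction (flow:established, no direction keyword); test.yaml expects 1 alert` would make the test self-describing. The second rule has no port or direction restriction, so it will be evaluated on every established TCP flow in the pcap; that appears intentional for the test but is worth stating in the comment.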
diff --git a/tests/file-data-depth-inspection-alert/test.yaml b/tests/file-data-depth-inspection-alert/test.yaml
new file mode 100644 (file)
index 0000000..ad4f17f
--- /dev/null
@@ -0,0 +1,16 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+    min-version: 5.0.0
+
+checks:
+    - filter:
+        count: 2
+        match:
+            event_type: alert
+            alert.signature_id: 13371339
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 13371338
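Review bot: The `requires` block pins `min-version: 5.0.0` without recording why, and the reason lives only in the commit message ("the alert one doesn't work with 4.1"), which is lost once the test is read in isolation. A one-line comment above `min-version`, `# The alert checks below are not produced on Suricata 4.1; see the commit that split this test.`, would keep that context with the test. The two `alert.signature_id` filters also only make sense against the sids in the sibling test.rules; a short comment per filter naming what each rule covers would help whoever next adjusts the expected counts.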
index 5e2c1674c7d065c0658b589755504ad51c7c2458..d71730033692f7a401331d04153e7058db8d4f33 100644 (file)
@@ -1,4 +1 @@
-# should match:
 alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)
-# should match:
-alert tcp any any -> any any (msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; sid:13371338; rev:1;)
index 93702a23bf9383afd8c472708e0ede801bb6d363..46db7af4c93d45b441a9ddf8f03e564cd45f8335 100644 (file)
@@ -8,8 +8,3 @@ checks:
         match:
             event_type: alert
             alert.signature_id: 13371339
-    - filter:
-        count: 1
-        match:
-            event_type: alert
-            alert.signature_id: 13371338