Tests the `prefilter` keyword for `file_data` and `file.data`
Ticket #5801
--- /dev/null
+Description
+===========
+Tests the `prefilter` keyword for `file_data` and `file.data`.
+
+PCAP
+====
+PCAP comes from an [existing file-data test](https://github.com/OISF/suricata-verify/blob/master/tests/file-data-depth-inspection/file-data-depth-inpsection.pcap)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5801
\ No newline at end of file
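Review bot: the PCAP link in the README points at `blob/master`, so it breaks if that file is ever moved or renamed; the checks file already refers to the same capture by the relative path `../file-data-depth-inspection/file-data-depth-inpsection.pcap`, and citing that path here would keep the two in sync. The Description also says which keyword is tested but not what a passing run looks like; a line stating that each of the two rules is expected to alert twice would save the reader from opening the checks file. The file also ends without a trailing newline.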
--- /dev/null
+# test prefilter keyword for file_data
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; prefilter; within:64; sid:1; rev:1;)
+# test prefilter keyword for file.data
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file.data; content:".pdf.exe"; prefilter; within:64; sid:2; rev:1;)
\ No newline at end of file
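Review bot: both rules carry the same `msg:"VIRUS INBOUND bad file attachment"`, so in the output the `file_data` and `file.data` cases can be told apart only by sid; naming the buffer keyword in each msg would show at a glance which spelling failed. A second question on the same lines: `within:64` follows `content:".pdf.exe"`, which is the only content after `file_data` / `file.data`, so there is no earlier match in that buffer for it to be relative to. If a bound from the start of the buffer is what is meant, `depth` would say so directly; if the modifier is kept on purpose to exercise `prefilter` alongside a relative modifier, a comment saying so would help.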
--- /dev/null
+pcap: ../file-data-depth-inspection/file-data-depth-inpsection.pcap
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
\ No newline at end of file
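Review bot: the two filters match only on `event_type: alert` and `alert.signature_id` with `count: 2`, which confirms that the rules load and fire but not that `.pdf.exe` was actually used as the prefilter pattern, since the alert count would be the same whichever pattern the engine selected. If the ticket concerns selection rather than rule loading, an additional check on that is needed; if it concerns loading only, a short comment above `checks:` stating this would make the scope of the test clear.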