Signed-off-by: jason taylor <jtfas90@gmail.com>
--- /dev/null
+# Description
+
+Test dsize keyword values against pcap.
+
+This test case has signatures with all the current possible
+dsize value options, all signatures should alert.
+
+# PCAP
+
+The pcap is a flowsynth generated pcap.
--- /dev/null
+alert tcp any any -> any any (msg:"dsize exact size"; dsize:10; sid:1; rev:1;)
+
+alert tcp any any -> any any (msg:"dsize less than value"; dsize:<10; sid:2; rev:1;)
+
+alert tcp any any -> any any (msg:"dsize less than or equal value"; dsize:<=10; sid:3; rev:1;)
+
+alert tcp any any -> any any (msg:"dsize greater than value"; dsize:>8; sid:4; rev:1;)
+
+alert tcp any any -> any any (msg:"dsize greater than or equal value"; dsize:>=10; sid:5; rev:1;)
+
+alert tcp any any -> any any (msg:"dsize range value"; dsize:8<>20; sid:6; rev:1;)
+
+alert tcp any any -> any any (msg:"dsize not equal value"; dsize:!9; sid:7; rev:1;)
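Review bot: None of the seven rules is checked at an excluded boundary, so an operator that is off by one (`>` behaving like `>=`, or `8<>20` treated as inclusive) would still pass this test. Going by the expected counts in the test's checks, the capture seems to hold a single 10-byte payload and nothing else above 8 bytes, which is why `dsize:>8` and `dsize:8<>20` both sit comfortably inside their limits. Consider adding a rule that must stay silent, for example `alert tcp any any -> any any (msg:"dsize greater than boundary"; dsize:>10; sid:8; rev:1;)`, paired with a `count: 0` check. The README's "all signatures should alert" would then need a matching tweak.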
--- /dev/null
+args:
+- -k none
+
+requires:
+ min-version: 7.0.0
+
+checks:
+- filter:
+ count: 4
+ match:
+ alert.signature: dsize less than value
+- filter:
+ count: 5
+ match:
+ alert.signature: dsize less than or equal value
+- filter:
+ count: 1
+ match:
+ alert.signature: dsize exact size
+- filter:
+ count: 1
+ match:
+ alert.signature: dsize greater than value
+- filter:
+ count: 1
+ match:
+ alert.signature: dsize greater than or equal value
+- filter:
+ count: 1
+ match:
+ alert.signature: dsize range value
+- filter:
+ count: 1
+ match:
+ alert.signature: dsize not equal value
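Review bot: The expected counts for `dsize less than value` (4) and `dsize not equal value` (1) look inconsistent and carry no explanation. `dsize:>8` is expected to fire only once, so the four packets matching `dsize:<10` appear to be 8 bytes or smaller, and on plain arithmetic they would also satisfy `dsize:!9`. If a count of 1 is the intended engine behaviour for the negated form, a comment above that filter saying why (and listing the payload sizes in the pcap) would let a reader check the numbers; if not, the count may be hiding a regression. Separately, each filter matches only on the message text; adding `event_type: alert` and `alert.signature_id: 7` (with the respective sid per filter) would keep the checks stable if a `msg` is reworded.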