Ticket: #6386
Signed-off-by: jason taylor <jtfas90@gmail.com>
--- /dev/null
+Test
+====
+
+Test alerts with the tls.cert_chain_len keyword
+
+PCAP
+----
+
+We are reusing/referencing the pcap file from other tls tests
+
+Related Issues
+--------------
+
+https://redmine.openinfosecfoundation.org/issues/6386
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - tls
--- /dev/null
+alert tls any any -> any any (msg:"cert chain exact value"; tls.cert_chain_len:3; classtype:misc-activity; sid:1; rev:1;)
+
+alert tls any any -> any any (msg:"cert chain less than value"; tls.cert_chain_len:<4; classtype:misc-activity; sid:2; rev:1;)
+
+alert tls any any -> any any (msg:"cert chain greater than value"; tls.cert_chain_len:>0; classtype:misc-activity; sid:3; rev:1;)
+
+alert tls any any -> any any (msg:"cert chain greater than less than value"; tls.cert_chain_len:0<>4; classtype:misc-activity; sid:4; rev:1;)
+
+alert tls any any -> any any (msg:"cert chain not value"; tls.cert_chain_len:!2; classtype:misc-activity; sid:5; rev:1;)
--- /dev/null
+requires:
+ min-version: 7.0.0
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+pcap: ../tls-certs-alert/input.pcap
+
+checks:
+ # Check that we can alert on all three certs in the certificate chain
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: tls
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: tls
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: tls
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: tls
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: tls
+ alert.signature_id: 5
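Review bot: `min-version: 7.0.0` under `requires` only skips the test on builds that predate `tls.cert_chain_len`; if the keyword was introduced in a later release than 7.0.0, a 7.0 binary will fail rule loading on `test.rules` instead of skipping, so the value should be the release that actually added the keyword (verify against the target version recorded on ticket #6386). The comment above the first filter, `# Check that we can alert on all three certs in the certificate chain`, describes something the checks do not assert — each filter only requires exactly one alert per signature id — so a more accurate wording is `# The shared pcap carries a 3-certificate chain; each signature should fire exactly once`. Since the expected counts depend entirely on `../tls-certs-alert/input.pcap` (and `suricata.yaml` enables the `tls` event type), adding one filter on `event_type: tls` with the count that pcap produces would make a silent change to the shared capture fail this test explicitly rather than through an unexplained alert-count mismatch.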