tls-fingerprint: test sticky buffer variant

Add another rule and filter to test the sticky buffer variant
of a tls fingerprint match. Also shows that the 2 are more or
less equivalent.

diff --git a/tests/tls-fingerprint-alert/test.rules b/tests/tls-fingerprint-alert/test.rules
index f796ecfd11d47231ac0719b697d3935df924fc09..2c337901ac89478b5660e4a99b04fbe01240ff99 100644 (file)
--- a/tests/tls-fingerprint-alert/test.rules
+++ b/tests/tls-fingerprint-alert/test.rules
@@ -1,5 +1,10 @@
 # Rule should only fire in the to client direction, with the server address
 # being the source address in the event.
 alert tls any any -> any any (msg:"TLS FINGERPRINT TEST"; \
-tls.fingerprint:"90:86:a4:3b:f5:cf:1b:2e:4e:f7:97:96:f9:de:ba:b9:66:35:86:3f"; \
-sid:1; rev:1;)
+       tls.fingerprint:"90:86:a4:3b:f5:cf:1b:2e:4e:f7:97:96:f9:de:ba:b9:66:35:86:3f"; \
+       sid:1; rev:1;)
+
+# Equivalent rule by using a sticky buffer.
+alert tls any any -> any any (msg:"TLS FINGERPRINT STICKY BUFFER TEST"; \
+       tls.cert_fingerprint; content:"90:86:a4:3b:f5:cf:1b:2e:4e:f7:97:96:f9:de:ba:b9:66:35:86:3f"; \
+       sid:2; rev:1;)

diff --git a/tests/tls-fingerprint-alert/test.yaml b/tests/tls-fingerprint-alert/test.yaml
index d8119d83edc28f57349add973b1405a5b9b53b34..56db381fa42139ee8927853ffd4a08551477c349 100644 (file)
--- a/tests/tls-fingerprint-alert/test.yaml
+++ b/tests/tls-fingerprint-alert/test.yaml
@@ -7,3 +7,9 @@ checks:
       count: 1
       match:
         event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2