detect-itype: add tests

Ticket: #5590

diff --git a/tests/detect-itype/README.md b/tests/detect-itype/README.md
new file mode 100644 (file)
index 0000000..ecf9001
--- /dev/null
+++ b/tests/detect-itype/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test ICMP itype rule keyword.
+
+PCAP
+====
+PCAP comes from the redmine ticket [5590](https://redmine.openinfosecfoundation.org/issues/5590)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5590
\ No newline at end of file

diff --git a/tests/detect-itype/test.pcap b/tests/detect-itype/test.pcap
new file mode 100644 (file)
index 0000000..f84ec75
Binary files /dev/null and b/tests/detect-itype/test.pcap differ

diff --git a/tests/detect-itype/test.rules b/tests/detect-itype/test.rules
new file mode 100644 (file)
index 0000000..ea24b4c
--- /dev/null
+++ b/tests/detect-itype/test.rules
@@ -0,0 +1,4 @@
+alert icmp any any -> any any (itype:8; sid:1;)
+alert icmp any any -> any any (itype:<15; sid:2;)
+alert icmp any any -> any any (itype:>7; sid:3;)
+alert icmp any any -> any any (itype:7<>20; sid:4;)
\ No newline at end of file

diff --git a/tests/detect-itype/test.yaml b/tests/detect-itype/test.yaml
new file mode 100644 (file)
index 0000000..d9347e8
--- /dev/null
+++ b/tests/detect-itype/test.yaml
@@ -0,0 +1,24 @@
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 75
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 150
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 75
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 75
+      match:
+        event_type: alert
+        alert.signature_id: 4
\ No newline at end of file