Add tests for flowbit oring

diff --git a/tests/flowbit-oring/input.pcap b/tests/flowbit-oring/input.pcap
new file mode 100644 (file)
index 0000000..8fb6832
Binary files /dev/null and b/tests/flowbit-oring/input.pcap differ

diff --git a/tests/flowbit-oring/test.rules b/tests/flowbit-oring/test.rules
new file mode 100644 (file)
index 0000000..ef15113
--- /dev/null
+++ b/tests/flowbit-oring/test.rules
@@ -0,0 +1,5 @@
+alert http any any -> any any (msg:"Setting flowbit fb1";content:"testmyids.com";http_header;flowbits:set,fb1;noalert;sid:1;rev:1;)
+alert http any any -> any any (msg:"Setting flowbit fb2";content:"something";flowbits:set,fb2;sid:2;rev:1;)
+alert http any any -> any any (msg:"Setting flowbit fb3";content:"wwnotginh";flowbits:set,fb3;sid:3;rev:1;)
+alert http any any -> any any (msg:"Testing flowbits OR isset";http.stat_code;content:"200";flowbits:isset,fb4|fb2|fb1;sid:4;rev:1;)
+alert http any any -> any any (msg:"Testing flowbits OR isset";http.stat_code;content:"200";flowbits:isset,fb2|fb3|fb4;sid:5;rev:1;)

diff --git a/tests/flowbit-oring/test.yaml b/tests/flowbit-oring/test.yaml
new file mode 100644 (file)
index 0000000..ddb3a7b
--- /dev/null
+++ b/tests/flowbit-oring/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 6.0.0
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 4