Adds check about flow.age keyword

diff --git a/tests/decode-teredo-01/test.rules b/tests/decode-teredo-01/test.rules
new file mode 100644 (file)
index 0000000..a5b0b7d
--- /dev/null
+++ b/tests/decode-teredo-01/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"Flow longer than 20 seconds"; flow.age:>20; flowbits: isnotset, longflow; flowbits: set, longflow; sid:3;)

diff --git a/tests/decode-teredo-01/test.yaml b/tests/decode-teredo-01/test.yaml
index daafa85a3aed116d87da1668787ea0998ee26ec3..fa107662a55d417ac20a1cd1bd5946f2e0f3bf3f 100644 (file)
--- a/tests/decode-teredo-01/test.yaml
+++ b/tests/decode-teredo-01/test.yaml
@@ -371,7 +371,7 @@ checks:
       dest_port: 1576
       event_type: flow
       flow.age: 27
-      flow.alerted: false
+      flow.alerted: true
       flow.bytes_toclient: 108
       flow.bytes_toserver: 108
       flow.pkts_toclient: 2
@@ -410,7 +410,7 @@ checks:
       dest_port: 138
       event_type: flow
       flow.age: 29
-      flow.alerted: false
+      flow.alerted: true
       flow.bytes_toclient: 0
       flow.bytes_toserver: 500
       flow.pkts_toclient: 0
@@ -461,7 +461,7 @@ checks:
       dest_port: 1577
       event_type: flow
       flow.age: 24
-      flow.alerted: false
+      flow.alerted: true
       flow.bytes_toclient: 108
       flow.bytes_toserver: 162
       flow.pkts_toclient: 2
@@ -562,3 +562,8 @@ checks:
       tcp.tcp_flags: 1b
       tcp.tcp_flags_tc: 1b
       tcp.tcp_flags_ts: 1b
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 3