tests: add test case for file_data depth inspection
authorAndreas Herz <andi@geekosphere.org>
Wed, 21 Aug 2019 20:04:20 +0000 (22:04 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 17 Sep 2019 18:03:22 +0000 (20:03 +0200)
tests/file-data-depth-inspection/file-data-depth-inpsection.pcap [new file with mode: 0644]
tests/file-data-depth-inspection/test.rules [new file with mode: 0644]
tests/file-data-depth-inspection/test.yaml [new file with mode: 0644]

diff --git a/tests/file-data-depth-inspection/file-data-depth-inpsection.pcap b/tests/file-data-depth-inspection/file-data-depth-inpsection.pcap
new file mode 100644 (file)
index 0000000..ae8ab5b
Binary files /dev/null and b/tests/file-data-depth-inspection/file-data-depth-inpsection.pcap differ
diff --git a/tests/file-data-depth-inspection/test.rules b/tests/file-data-depth-inspection/test.rules
new file mode 100644 (file)
index 0000000..d717300
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)
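Review bot: The rule carries no comment saying which part of it exercises the depth inspection the test is named after, so a reader has to guess that the `within:64` following `file_data` is presumably the construct under test. Suricata rule files accept `#` comment lines, so a one-line header before the rule would make the intent explicit, e.g. `# first content after file_data: within:64 is meant to be evaluated from the start of the file_data buffer (depth-like), not relative to the earlier raw-payload matches; this pcap should produce 2 alerts`. Naming the expected alert count here also keeps the rule and test.yaml visibly in step, since the `count: 2` is otherwise the only place the expectation is recorded.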
diff --git a/tests/file-data-depth-inspection/test.yaml b/tests/file-data-depth-inspection/test.yaml
new file mode 100644 (file)
index 0000000..46db7af
--- /dev/null
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 2
+        match:
+            event_type: alert
+            alert.signature_id: 13371339
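Review bot: The check matches the two expected alerts only on `event_type: alert` and `alert.signature_id: 13371339`, so any two firings of that sid anywhere in the pcap satisfy the test, which does not pin the depth behaviour to the packets it is supposed to fire on. Consider adding one filter per expected alert that also sets `pcap_cnt: <PACKET_NUMBER>` (the right values have to be read from the pcap, which is not visible here) so a regression that shifts where the rule matches is caught rather than counted. Separately, the pcap added alongside is named `file-data-depth-inpsection.pcap` while the directory is `file-data-depth-inspection`; the misspelling is presumably harmless to the runner but is worth fixing before it gets copied into further tests.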