tests: add detection_filter tests for by_flow and by_src

diff --git a/tests/threshold/detection_filter-rule-flow/test.rules b/tests/threshold/detection_filter-rule-flow/test.rules
new file mode 100644 (file)
index 0000000..2409f9c
--- /dev/null
+++ b/tests/threshold/detection_filter-rule-flow/test.rules
@@ -0,0 +1,6 @@
+alert icmp any any -> any any (itype:8; sid:1;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_flow, count 1, seconds 3600; sid:2;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_flow, count 2, seconds 3600; sid:3;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_flow, count 4, seconds 3600; sid:4;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_flow, count 7, seconds 3600; sid:5;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_flow, count 8, seconds 3600; sid:6;)

diff --git a/tests/threshold/detection_filter-rule-flow/test.yaml b/tests/threshold/detection_filter-rule-flow/test.yaml
new file mode 100644 (file)
index 0000000..a6b4106
--- /dev/null
+++ b/tests/threshold/detection_filter-rule-flow/test.yaml
@@ -0,0 +1,36 @@
+requires:
+  min-version: 8
+
+pcap: ../threshold-rule-flow/icmp.pcap
+
+checks:
+  - filter:
+      count: 8
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 7
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 6

diff --git a/tests/threshold/detection_filter-rule-hostsrc/test.rules b/tests/threshold/detection_filter-rule-hostsrc/test.rules
new file mode 100644 (file)
index 0000000..acbe80c
--- /dev/null
+++ b/tests/threshold/detection_filter-rule-hostsrc/test.rules
@@ -0,0 +1,6 @@
+alert icmp any any -> any any (itype:8; sid:1;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_src, count 1, seconds 3600; sid:2;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_src, count 2, seconds 3600; sid:3;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_src, count 4, seconds 3600; sid:4;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_src, count 7, seconds 3600; sid:5;)
+alert icmp any any -> any any (itype:8; detection_filter:track by_src, count 8, seconds 3600; sid:6;)

diff --git a/tests/threshold/detection_filter-rule-hostsrc/test.yaml b/tests/threshold/detection_filter-rule-hostsrc/test.yaml
new file mode 100644 (file)
index 0000000..a6b4106
--- /dev/null
+++ b/tests/threshold/detection_filter-rule-hostsrc/test.yaml
@@ -0,0 +1,36 @@
+requires:
+  min-version: 8
+
+pcap: ../threshold-rule-flow/icmp.pcap
+
+checks:
+  - filter:
+      count: 8
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 7
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 6