tls: adds test for tls_cert_notafter keyword

author Philippe Antoine <pantoine@oisf.net>

Fri, 16 Jan 2026 16:52:57 +0000 (17:52 +0100)

committer Victor Julien <vjulien@oisf.net>

Wed, 4 Feb 2026 10:47:37 +0000 (10:47 +0000)
author Philippe Antoine <pantoine@oisf.net>
Fri, 16 Jan 2026 16:52:57 +0000 (17:52 +0100)
committer Victor Julien <vjulien@oisf.net>
Wed, 4 Feb 2026 10:47:37 +0000 (10:47 +0000)
diff --git a/tests/tls/tls-cert-validity/test.yaml b/tests/tls/tls-cert-validity/test.yaml

new file mode 100644 (file)

index 0000000..493d6c2
--- /dev/null
+++ b/tests/tls/tls-cert-validity/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  min-version: 9
+
+pcap: ../tls-cert-issuer/tls.pcap
+
+checks:
+
+  - filter:
+      count: 4
+      match:
+        event_type: tls
+        tls.notbefore: "2015-02-12T18:07:27"
+        tls.notafter: "2025-02-09T18:07:27"
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 3
diff --git a/tests/tls/tls-cert-validity/tls.rules b/tests/tls/tls-cert-validity/tls.rules

new file mode 100644 (file)

index 0000000..71211b4
--- /dev/null
+++ b/tests/tls/tls-cert-validity/tls.rules
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"Stamus TLS"; tls_cert_notafter:>2015; sid:2; rev:1;)
+alert tls any any -> any any (msg:"Stamus TLS"; tls_cert_notbefore:<2025; sid:3; rev:1;)
author	Philippe Antoine <pantoine@oisf.net>
	Fri, 16 Jan 2026 16:52:57 +0000 (17:52 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Wed, 4 Feb 2026 10:47:37 +0000 (10:47 +0000)
tests/tls/tls-cert-validity/test.yaml	[new file with mode: 0644]	patch \| blob
tests/tls/tls-cert-validity/tls.rules	[new file with mode: 0644]	patch \| blob