tests: add test for packet_alert_max more than 15

Task#4207

diff --git a/tests/alert-max/alert-max-20/input.pcap b/tests/alert-max/alert-max-20/input.pcap
new file mode 100644 (file)
index 0000000..baa322b
Binary files /dev/null and b/tests/alert-max/alert-max-20/input.pcap differ

diff --git a/tests/alert-max/alert-max-20/suricata.yaml b/tests/alert-max/alert-max-20/suricata.yaml
new file mode 100644 (file)
index 0000000..8e52a1c
--- /dev/null
+++ b/tests/alert-max/alert-max-20/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+packet-alert-max: 20

diff --git a/tests/alert-max/alert-max-20/test.rules b/tests/alert-max/alert-max-20/test.rules
new file mode 100644 (file)
index 0000000..51c7dfa
--- /dev/null
+++ b/tests/alert-max/alert-max-20/test.rules
@@ -0,0 +1,20 @@
+alert tcp any any -> any any (msg:"Noalert rule 1"; noalert; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 2"; noalert; sid:2; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 3"; noalert; sid:3; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 4"; noalert; sid:4; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 5"; noalert; sid:5; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 6"; noalert; sid:6; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 7"; noalert; sid:7; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 8"; noalert; sid:8; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 9"; noalert; sid:9; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 10"; noalert; sid:10; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 11"; noalert; sid:11; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 12"; noalert; sid:12; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 13"; noalert; sid:13; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 14"; noalert; sid:14; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 15"; noalert; sid:15; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 16"; noalert; sid:16; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 17"; noalert; sid:17; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 18"; noalert; sid:18; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 19"; noalert; sid:19; rev:1;)
+alert tcp any any -> any any (msg:"Alert rule"; sid:20; rev:1;)

diff --git a/tests/alert-max/alert-max-20/test.yaml b/tests/alert-max/alert-max-20/test.yaml
new file mode 100644 (file)
index 0000000..cd8540c
--- /dev/null
+++ b/tests/alert-max/alert-max-20/test.yaml
@@ -0,0 +1,8 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert

diff --git a/tests/alert-max/alert-max-20/writepcap.py b/tests/alert-max/alert-max-20/writepcap.py
new file mode 100755 (executable)
index 0000000..df22b22
--- /dev/null
+++ b/tests/alert-max/alert-max-20/writepcap.py
@@ -0,0 +1,7 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = list()
+pkts.append(IP()/TCP())
+
+wrpcap('input.pcap', pkts)