git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
ttl: add tests for prefilter keyword
author: Haleema Khan <hsadia538@gmail.com>
Fri, 27 Jan 2023 01:36:32 +0000 (06:36 +0500)
committer: Jason Ish <jason.ish@oisf.net>
Tue, 31 Jan 2023 21:33:18 +0000 (15:33 -0600)
Ticket #5800

tests/detect-ttl/README.md [new file with mode: 0644]
tests/detect-ttl/test.rules [new file with mode: 0644]
tests/detect-ttl/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-ttl/README.md b/tests/detect-ttl/README.md
new file mode 100644 (file)
index 0000000..cf11cd7
--- /dev/null
@@ -0,0 +1,11 @@
+Description
+===========
+Tests the `prefilter` keyword for `ttl` which is used to check for a specific IP time-to-live value in the header of a packet.
+
+PCAP
+====
+PCAP comes from an [existing RFB test](https://github.com/OISF/suricata-verify/blob/master/tests/rfb-protocol-3.8/04-vnc-openwall-3.8.pcap)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5800
\ No newline at end of file
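Review bot: the README is missing its trailing newline (the hunk ends with `\ No newline at end of file`); add one so the file ends cleanly. The Description section should also say what the test actually asserts, namely that the rule in test.rules (`ttl:128` with `prefilter`) alerts 3866 times on the shared RFB pcap, so that a reader who sees the count change later can judge whether it is a regression without opening test.yaml.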
diff --git a/tests/detect-ttl/test.rules b/tests/detect-ttl/test.rules
new file mode 100644 (file)
index 0000000..ab3f824
--- /dev/null
@@ -0,0 +1 @@
+alert ip any any -> any any (ttl:128; prefilter; sid:1;)
\ No newline at end of file
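Review bot: the rule carries no `msg` and no `rev`, and the file lacks a trailing newline; Suricata rules conventionally include both so alerts are readable in eve.json and rule changes are versioned, e.g. `alert ip any any -> any any (msg:"ttl 128 prefilter"; ttl:128; prefilter; sid:1; rev:1;)`. More importantly, a single prefiltered rule only shows that the prefilter path produces alerts; to show that it agrees with the normal match path, add the identical rule without `prefilter;` as `sid:2` and assert the same count for it in test.yaml.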
diff --git a/tests/detect-ttl/test.yaml b/tests/detect-ttl/test.yaml
new file mode 100644 (file)
index 0000000..9275339
--- /dev/null
@@ -0,0 +1,8 @@
+pcap: ../rfb-protocol-3.8/04-vnc-openwall-3.8.pcap
+
+checks:
+  - filter:
+      count: 3866
+      match:
+        event_type: alert
+        alert.signature_id: 1
\ No newline at end of file
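Review bot: `count: 3866` is a magic number with nothing explaining how it was derived; add a `#` comment in the yaml (or a sentence in the README) stating that it is the number of packets in the pcap with an IP TTL of 128, so a future change in the count can be evaluated rather than just re-pinned. If a non-prefilter twin rule is added alongside `sid:1`, add a second `filter` entry for its `alert.signature_id` with the same expected count, which is the check that demonstrates the prefilter path selects the same packets as the regular match path. The file also lacks a trailing newline.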