tests: add bug 990 test

diff --git a/tests/bug-990/input.pcap b/tests/bug-990/input.pcap
new file mode 100644 (file)
index 0000000..d932cce
Binary files /dev/null and b/tests/bug-990/input.pcap differ

diff --git a/tests/bug-990/test.rules b/tests/bug-990/test.rules
new file mode 100644 (file)
index 0000000..81f44a6
--- /dev/null
+++ b/tests/bug-990/test.rules
@@ -0,0 +1,2 @@
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)

diff --git a/tests/bug-990/test.yaml b/tests/bug-990/test.yaml
new file mode 100644 (file)
index 0000000..4499ae8
--- /dev/null
+++ b/tests/bug-990/test.yaml
@@ -0,0 +1,41 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.38.129.234
+      dest_port: 53
+      dns.id: 28390
+      dns.rrname: code.msdn.microsoft.com
+      dns.rrtype: A
+      dns.tx_id: 0
+      dns.type: query
+      event_type: dns
+      pcap_cnt: 1
+      proto: UDP
+      src_ip: 192.168.69.156
+      src_port: 49379
+- filter:
+    count: 1
+    match:
+      app_proto: dns
+      dest_ip: 192.38.129.234
+      dest_port: 53
+      event_type: flow
+      flow.age: 0
+      flow.alerted: false
+      flow.bytes_toclient: 0
+      flow.bytes_toserver: 83
+      flow.pkts_toclient: 0
+      flow.pkts_toserver: 1
+      flow.reason: shutdown
+      flow.state: new
+      proto: UDP
+      src_ip: 192.168.69.156
+      src_port: 49379