detect: adds check for decode-event with prefilter
authorPhilippe Antoine <pantoine@oisf.net>
Fri, 26 Jul 2024 12:54:53 +0000 (14:54 +0200)
committerPhilippe Antoine <pantoine@oisf.net>
Fri, 2 Aug 2024 09:37:19 +0000 (11:37 +0200)
Ticket: 6728

tests/decode-too-small/test.rules
tests/decode-too-small/test.yaml

index 399d4cd4dc241097371cf2562fc6c414ba3fdce3..8cb197256d6a8b8a07139fdc6e56d525b8b09c18 100644 (file)
@@ -1,3 +1,4 @@
 alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
+alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; prefilter; requires: version >= 8; sid:1; rev: 2;)
 alert udp any any -> any any (msg:"UDP packet too small"; decode-event:udp.hlen_too_small; sid:2;)
 alert ip any any -> any any (msg:"GRE packet too small"; decode-event:gre.pkt_too_small; sid:3;)
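Review bot: The new rule reuses sid:1 and differs from the rule above only by `prefilter`, `requires` and `rev: 2`, and nothing in the file says it is meant to supersede the rev-0 rule on Suricata >= 8 via duplicate-sid handling (the higher rev replacing the lower, as far as I recall); a `#` comment above it would spare the next reader that inference, e.g. `# Suricata >= 8: same sid, higher rev replaces the rule above and adds prefilter (ticket 6728)`. The option spacing is also inconsistent with the rest of the file: `rev: 2;` next to `sid:1;`, while every other rule writes `sid:2;` without a space, so `rev:2;` would match.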
index ffbcfd8806a46420b0e729c8d7946a20c1ebf72a..8f91f91cb40c66892dd66709db82fc6be1de5626 100644 (file)
@@ -1,3 +1,6 @@
+requires:
+  min-version: 7
+
 checks:
   # Look for IPv4 TCP too small
   - filter:
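Review bot: `min-version: 7` may be too permissive for the rules file this commit also changes: the new sid:1 rule uses the `requires` keyword, which to my knowledge only became available in a 7.0.x point release, so an older 7.0 build admitted by this gate would reject the rule at load time and the test would fail before any check runs. If the suricata-verify `requires` block accepts a full version (e.g. `min-version: 7.0.3`), pinning the first release that understands `requires` would make the gate match what the rules need; otherwise a comment on the gate naming that dependency, `# rules use the requires keyword; needs a 7.0.x release that supports it`, would at least record it.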
@@ -7,6 +10,15 @@ checks:
         src_ip: 1.1.1.1
         alert.signature_id: 1
 
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        src_ip: 1.1.1.1
+        alert.signature_id: 1
+        alert.rev: 2
+
   # Look for IPv6 TCP too small
   - filter:
       count: 1
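Review bot: The added filter has no leading comment, while every other filter in this file is introduced by one (`# Look for IPv4 TCP too small`, `# Look for IPv6 TCP too small`); add e.g. `# Suricata >= 8 only: the rev 2 (prefilter) variant of sid 1 must be the one that fires`. It is also worth stating there that the unversioned sid 1 filter above does not pin `alert.rev`, so on version 8 both filters count the same alert — which is fine, but is the kind of thing a reader will otherwise stop to verify. The `checks` sequence continues past the end of the hunk.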