ssl: add test for ssl_version keyword with negation
authorPhilippe Antoine <pantoine@oisf.net>
Thu, 27 Nov 2025 14:55:22 +0000 (15:55 +0100)
committerVictor Julien <vjulien@oisf.net>
Fri, 5 Dec 2025 08:40:57 +0000 (08:40 +0000)
Ticket: 3220

tests/ssl_version_negated/README.md [new file with mode: 0644]
tests/ssl_version_negated/input.pcap [new file with mode: 0644]
tests/ssl_version_negated/test.rules [new file with mode: 0644]
tests/ssl_version_negated/test.yaml [new file with mode: 0644]

diff --git a/tests/ssl_version_negated/README.md b/tests/ssl_version_negated/README.md
new file mode 100644 (file)
index 0000000..8b015fe
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test `ssl_version` keyword with negation
+
+## PCAP
+
+This PCAP comes from redmine ticket https://redmine.openinfosecfoundation.org/issues/3220
+
+## Related issues
+
+Ticket https://redmine.openinfosecfoundation.org/issues/3220
diff --git a/tests/ssl_version_negated/input.pcap b/tests/ssl_version_negated/input.pcap
new file mode 100644 (file)
index 0000000..d967bc4
Binary files /dev/null and b/tests/ssl_version_negated/input.pcap differ
diff --git a/tests/ssl_version_negated/test.rules b/tests/ssl_version_negated/test.rules
new file mode 100644 (file)
index 0000000..a8dda2b
--- /dev/null
@@ -0,0 +1,6 @@
+alert tcp any any -> any any (ssl_version:!sslv3; sid: 1;)
+alert tcp any any -> any any (ssl_version:!tls1.3,tls1.2; sid:2;)
+alert tcp any any -> any any (ssl_version:tls1.0; sid:3;)
+alert tcp any any -> any any (ssl_version:tls1.0,tls1.1; sid:5;)
+# no match
+alert tcp any any -> any any (ssl_version:!tls1.0; sid:4;)
\ No newline at end of file
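Review bot: The negated-list behaviour is only pinned from the matching side, because sid 4 is the sole expected-no-match rule and it uses a single entry. Judging from sids 3 and 4 the capture negotiates TLS 1.0, so a list whose negated entry is the version on the wire is never exercised. A rule such as `alert tcp any any -> any any (ssl_version:!tls1.0,tls1.2; sid:6;)` would cover it, with its expected count recorded as a new filter in test.yaml. Since this keyword is used to flag legacy protocol versions, I would also expand `# no match` into a comment naming the negotiated version and stating how the entries of a list are meant to combine.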
diff --git a/tests/ssl_version_negated/test.yaml b/tests/ssl_version_negated/test.yaml
new file mode 100644 (file)
index 0000000..413cbc7
--- /dev/null
@@ -0,0 +1,32 @@
+requires:
+  min-version: 9
+
+args:
+  - -k none
+
+checks:
+ - filter:
+     count: 12
+     match:
+       event_type: alert
+       alert.signature_id: 1
+ - filter:
+     count: 12
+     match:
+       event_type: alert
+       alert.signature_id: 2
+ - filter:
+     count: 12
+     match:
+       event_type: alert
+       alert.signature_id: 3
+ - filter:
+     count: 12
+     match:
+       event_type: alert
+       alert.signature_id: 5
+ - filter:
+     count: 0
+     match:
+       event_type: alert
+       alert.signature_id: 4
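Review bot: The `count: 12` in the four matching filters is unexplained, and neither this file nor the README says what the capture contains. The rules are `alert tcp` with no flow or direction keywords, so the count presumably depends on how many packets are inspected once the version is known, which makes a later change in that number hard to judge. A leading comment such as `# input.pcap: one TLS session (version: <negotiated version>); each matching rule alerts on <N> packets` would make such a change reviewable. The filters are listed in the order 1, 2, 3, 5, 4, so a `# sid 4 must not fire` comment above the last one would show the ordering is intentional.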