Add test for the app_tx rule type for the engine-analysis report to
accompany rule types documentation.
Related to
Task #7031
--- /dev/null
+# Application Layer Protocol Transaction Rules
+alert tcp any any -> any any (msg:"http, pos event"; app-layer-event:http.file_name_too_long; sid:501;)
+alert tcp any any -> any any (msg:"byte_extract with dce"; dcerpc.stub_data; content:"abc"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)
+alert http any any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1102;)
+alert udp any any -> any any (msg:"DNS UDP Frame"; flow:to_server; frame:dns.pdu; content:"|01 20 00 01|"; offset:2; content:"suricata"; offset:13; sid:1402; rev:1;)
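Review bot: The `msg` on sid 1102 (`msg:"Test"`) is the only one of the four that does not say which app_tx trigger the rule exercises, while sids 501, 902 and 1402 name theirs ("http, pos event", "byte_extract with dce", "DNS UDP Frame"); since the engine-analysis report echoes the rule text, a descriptive message makes the JSON easier to read. Suggest `msg:"http sticky buffers, method/uri/host";` or similar. The header comment on the first line could also state that every rule in the file is expected to be classified as app_tx, so a future edit does not add a rule of another type by mistake.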
--- /dev/null
+requires:
+ min-version: 7
+ pcap: false
+args:
+- --engine-analysis
+checks:
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ raw: "alert tcp any any -> any any (msg:\"http, pos event\"; app-layer-event:http.file_name_too_long; sid:501;)"
+ id: 501
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ raw: "alert tcp any any -> any any (msg:\"byte_extract with dce\"; dcerpc.stub_data; content:\"abc\"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)"
+ id: 902
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1102
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1402
+ type: "app_tx"
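Review bot: The checks for sids 1102 and 1402 match only `id` and `type`, whereas the checks for 501 and 902 also pin the rule text with a `raw` field; the two halves of the file therefore verify different things and the looser checks would still pass if the rule text were rewritten. Either add a `raw` entry for 1102 and 1402, copied from the rules file as the first two do, or drop `raw` from the first two so the whole test has one convention. In this rendering the list and mapping indentation under `checks` appears flattened to a single space; if that is the actual file content rather than a display artifact, `filename`, `count` and `match` need to be nested under their `filter` entry for the YAML to parse as intended.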