tests/iprep: add a non-matching rule

diff --git a/tests/issue-4280-iprep/iprep.rules b/tests/issue-4280-iprep/iprep.rules
index 9fc8a128f9c5c621c6d02487fa72e9db2b53a1ee..5a67ce81f0aafb263ccd56bf746af2b720e95356 100644 (file)
--- a/tests/issue-4280-iprep/iprep.rules
+++ b/tests/issue-4280-iprep/iprep.rules
@@ -1 +1,2 @@
 alert ip any any -> any any (msg:"ET DROP Dshield Block Listed Source"; reference:url,feeds.dshield.org/block.txt;  classtype:misc-attack;  sid:2402000; rev:5733; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2020_11_18; iprep:any,2402000,>,1; target:dest_ip;)
+alert ip any any -> any any (msg:"ET DROP Dshield Block Listed Source"; reference:url,feeds.dshield.org/block.txt;  classtype:misc-attack;  sid:2402001; rev:5733; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2020_11_18; iprep:any,2402000,>,100; target:dest_ip;)

diff --git a/tests/issue-4280-iprep/test.yaml b/tests/issue-4280-iprep/test.yaml
index 7cb97b20d7632ccf88f1e6a90a2f59c28c4f6784..0619f8bb4a6b82155c599a9db5deed4e5788cae9 100644 (file)
--- a/tests/issue-4280-iprep/test.yaml
+++ b/tests/issue-4280-iprep/test.yaml
@@ -16,3 +16,8 @@ checks:
       count: 3
       match:
         alert.signature_id: 2402000
+checks:
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 2402001