]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 969708a)
tests: add threshold backoff tests 1939/head 1947/head
authorVictor Julien <victor@inliniac.net>
Mon, 24 Jun 2024 12:18:08 +0000 (14:18 +0200)
committerVictor Julien <victor@inliniac.net>
Mon, 24 Jun 2024 12:18:08 +0000 (14:18 +0200)
tests/threshold/threshold-rule-flow-backoff-single-flow/test.rules [new file with mode: 0644] patch | blob
tests/threshold/threshold-rule-flow-backoff-single-flow/test.yaml [new file with mode: 0644] patch | blob
tests/threshold/threshold-rule-flow-backoff/test.rules [new file with mode: 0644] patch | blob
tests/threshold/threshold-rule-flow-backoff/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/threshold/threshold-rule-flow-backoff-single-flow/test.rules b/tests/threshold/threshold-rule-flow-backoff-single-flow/test.rules
new file mode 100644 (file)
index 0000000..38e4ebd
--- /dev/null
+++ b/tests/threshold/threshold-rule-flow-backoff-single-flow/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (dsize:>0; sid:1;)
+alert tcp any any -> any any (dsize:>0; threshold:type backoff, track by_flow, count 1, multiplier 2; sid:2;)
+alert tcp any any -> any any (dsize:>0; threshold:type backoff, track by_flow, count 3, multiplier 2; sid:3;)
+alert tcp any any -> any any (dsize:>0; threshold:type backoff, track by_flow, count 5, multiplier 5; sid:4;)
diff --git a/tests/threshold/threshold-rule-flow-backoff-single-flow/test.yaml b/tests/threshold/threshold-rule-flow-backoff-single-flow/test.yaml
new file mode 100644 (file)
index 0000000..dca2674
--- /dev/null
+++ b/tests/threshold/threshold-rule-flow-backoff-single-flow/test.yaml
@@ -0,0 +1,26 @@
+requires:
+  min-version: 8
+
+pcap: ../../filestore-filecontainer-smb/filecontainer-smb.pcap
+
+checks:
+  - filter:
+      count: 6676
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 13
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 12
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 5
+      match:
+        event_type: alert
+        alert.signature_id: 4
diff --git a/tests/threshold/threshold-rule-flow-backoff/test.rules b/tests/threshold/threshold-rule-flow-backoff/test.rules
new file mode 100644 (file)
index 0000000..16727ef
--- /dev/null
+++ b/tests/threshold/threshold-rule-flow-backoff/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (dsize:>0; sid:1;)
+alert tcp any any -> any any (dsize:>0; threshold:type backoff, track by_flow, count 1, multiplier 2; sid:2;)
+alert tcp any any -> any any (dsize:>0; threshold:type backoff, track by_flow, count 3, multiplier 2; sid:3;)
+alert tcp any any -> any any (dsize:>0; threshold:type backoff, track by_flow, count 1, multiplier 10; sid:4;)
diff --git a/tests/threshold/threshold-rule-flow-backoff/test.yaml b/tests/threshold/threshold-rule-flow-backoff/test.yaml
new file mode 100644 (file)
index 0000000..6a8f1c0
--- /dev/null
+++ b/tests/threshold/threshold-rule-flow-backoff/test.yaml
@@ -0,0 +1,26 @@
+requires:
+  min-version: 8
+
+pcap: ../../bug-2482-01/proxyCONNECT_443.pcap
+
+checks:
+  - filter:
+      count: 1725
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 707
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 338
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 257
+      match:
+        event_type: alert
+        alert.signature_id: 4
Mirror of https://github.com/OISF/suricata-verify.git