add bsize keyword tests
authorjason taylor <jtfas90@gmail.com>
Mon, 25 Jul 2022 23:37:02 +0000 (23:37 +0000)
committerVictor Julien <victor@inliniac.net>
Tue, 13 Sep 2022 09:42:14 +0000 (11:42 +0200)
Signed-off-by: jason taylor <jtfas90@gmail.com>
tests/test-bsize-values-1/README.md [new file with mode: 0644]
tests/test-bsize-values-1/input.pcap [new file with mode: 0644]
tests/test-bsize-values-1/test.rules [new file with mode: 0644]
tests/test-bsize-values-1/test.yaml [new file with mode: 0644]
tests/test-bsize-values-2/README.md [new file with mode: 0644]
tests/test-bsize-values-2/input.pcap [new file with mode: 0644]
tests/test-bsize-values-2/test.rules [new file with mode: 0644]
tests/test-bsize-values-2/test.yaml [new file with mode: 0644]

diff --git a/tests/test-bsize-values-1/README.md b/tests/test-bsize-values-1/README.md
new file mode 100644 (file)
index 0000000..be0e00d
--- /dev/null
@@ -0,0 +1,10 @@
+# Description
+
+Test bsize keyword values against pcap.
+
+This test case has signatures with all the current possible
+bsize value options, all signatures should alert.
+
+# PCAP
+
+The pcap comes from a tcpdump capture of a dns query to google[.]com
diff --git a/tests/test-bsize-values-1/input.pcap b/tests/test-bsize-values-1/input.pcap
new file mode 100644 (file)
index 0000000..f2e7b94
Binary files /dev/null and b/tests/test-bsize-values-1/input.pcap differ
diff --git a/tests/test-bsize-values-1/test.rules b/tests/test-bsize-values-1/test.rules
new file mode 100644 (file)
index 0000000..0ee48b8
--- /dev/null
@@ -0,0 +1,7 @@
+alert dns any any -> any any (msg:"bsize exact buffer size"; dns.query; content:"google.com"; bsize:10; sid:1; rev:1;)
+
+alert dns any any -> any any (msg:"bsize less than value"; dns.query; content:"google.com"; bsize:<25; sid:2; rev:1;)
+
+alert dns any any -> any any (msg:"bsize buffer greater than value"; dns.query; content:"google.com"; bsize:>8; sid:4; rev:1;)
+
+alert dns any any -> any any (msg:"bsize buffer range value"; dns.query; content:"google.com"; bsize:8<>20; sid:6; rev:1;)
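Review bot: Every signature in this file is a positive case, so a bsize implementation that matched any buffer length at all would still pass; the range rule on the last line in particular puts the 10-byte `google.com` query well inside `8<>20` and never touches an endpoint, so it also does not pin down whether `<>` is inclusive or exclusive. Adding one rule that must not fire, e.g. `alert dns any any -> any any (msg:"bsize exact mismatch"; dns.query; content:"google.com"; bsize:11; sid:7; rev:1;)` together with a `count: 0` filter on that message in test.yaml, would make the test sensitive to that regression. The gaps in the sid sequence (3 and 5) look intentional since those operators live in test-bsize-values-2, but a one-line comment at the top of the file saying so would save the next reader a search.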
diff --git a/tests/test-bsize-values-1/test.yaml b/tests/test-bsize-values-1/test.yaml
new file mode 100644 (file)
index 0000000..7c22c87
--- /dev/null
@@ -0,0 +1,23 @@
+args:
+- -k none
+
+requires:
+   min-version: 6.0.0
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature: bsize exact buffer size
+- filter:
+    count: 1
+    match:
+      alert.signature: bsize less than value
+- filter:
+    count: 1
+    match:
+      alert.signature: bsize buffer greater than value
+- filter:
+    count: 1
+    match:
+      alert.signature: bsize buffer range value
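Review bot: The `min-version` key under `requires:` is indented three spaces while every other nested key in this file uses two; YAML accepts it, but the mixed indent reads like a typo and is worth normalising to `  min-version: 6.0.0`. The four `count: 1` filters only assert the expected alerts, so an unexpected alert from a signature not listed here would go unnoticed; if those four counts are right, a final `- filter: {count: 4, match: {event_type: alert}}` would pin the total and catch that case.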
diff --git a/tests/test-bsize-values-2/README.md b/tests/test-bsize-values-2/README.md
new file mode 100644 (file)
index 0000000..be0e00d
--- /dev/null
@@ -0,0 +1,10 @@
+# Description
+
+Test bsize keyword values against pcap.
+
+This test case has signatures with all the current possible
+bsize value options, all signatures should alert.
+
+# PCAP
+
+The pcap comes from a tcpdump capture of a dns query to google[.]com
diff --git a/tests/test-bsize-values-2/input.pcap b/tests/test-bsize-values-2/input.pcap
new file mode 100644 (file)
index 0000000..f2e7b94
Binary files /dev/null and b/tests/test-bsize-values-2/input.pcap differ
diff --git a/tests/test-bsize-values-2/test.rules b/tests/test-bsize-values-2/test.rules
new file mode 100644 (file)
index 0000000..be1c647
--- /dev/null
@@ -0,0 +1,3 @@
+alert dns any any -> any any (msg:"bsize buffer less than or equal value"; dns.query; content:"google.com"; bsize:<=20; sid:3; rev:1;)
+
+alert dns any any -> any any (msg:"bsize buffer greater than or equal value"; dns.query; content:"google.com"; bsize:>=8; sid:5; rev:1;)
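Review bot: Neither rule exercises the equality that distinguishes `<=` and `>=` from `<` and `>`: the `google.com` query buffer is 10 bytes (the sibling test asserts `bsize:10`), so `bsize:<=20` and `bsize:>=8` would both still fire if the new operators were silently treated as strict comparisons. Changing them to `bsize:<=10;` and `bsize:>=10;` keeps both signatures alerting while making the test fail precisely when the boundary is not inclusive, which is presumably what the 7.0.0 minimum version in test.yaml is there to cover. A short comment at the top of the file noting that the `<=`/`>=` forms are split out from test-bsize-values-1 because of that version requirement would explain the sid numbering (3 and 5) without a cross-directory lookup.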
diff --git a/tests/test-bsize-values-2/test.yaml b/tests/test-bsize-values-2/test.yaml
new file mode 100644 (file)
index 0000000..4986e57
--- /dev/null
@@ -0,0 +1,15 @@
+args:
+- -k none
+
+requires:
+   min-version: 7.0.0
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature: bsize buffer less than or equal value
+- filter:
+    count: 1
+    match:
+      alert.signature: bsize buffer greater than or equal value