rfb: adds test for rules with secresult being an integer keyword

author Philippe Antoine <pantoine@oisf.net>

Fri, 19 Jul 2024 09:41:18 +0000 (11:41 +0200)

committer Victor Julien <victor@inliniac.net>

Wed, 7 Aug 2024 17:04:33 +0000 (19:04 +0200)
author Philippe Antoine <pantoine@oisf.net>
Fri, 19 Jul 2024 09:41:18 +0000 (11:41 +0200)
committer Victor Julien <victor@inliniac.net>
Wed, 7 Aug 2024 17:04:33 +0000 (19:04 +0200)
diff --git a/tests/rfb-rules-8/test.rules b/tests/rfb-rules-8/test.rules

new file mode 100644 (file)

index 0000000..8b7008d
--- /dev/null
+++ b/tests/rfb-rules-8/test.rules
@@ -0,0 +1,5 @@
+alert rfb any any -> any any (msg:"rfb-secresult0"; rfb.secresult:0; sid:50;)
+alert rfb any any -> any any (msg:"rfb-secresult1"; rfb.secresult:ok; sid:5;)
+alert rfb any any -> any any (msg:"rfb-secresult2"; rfb.secresult:unknown; sid:6;)
+alert rfb any any -> any any (msg:"rfb-secresult!0"; rfb.secresult:!0; sid:7;)
+
diff --git a/tests/rfb-rules-8/test.yaml b/tests/rfb-rules-8/test.yaml

new file mode 100644 (file)

index 0000000..db3fef9
--- /dev/null
+++ b/tests/rfb-rules-8/test.yaml
@@ -0,0 +1,27 @@
+requires:
+  min-version: 8
+
+pcap: ../rfb-rules/00-vnc-openwall-3.7.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "rfb-secresult1"
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature: "rfb-secresult0"
+
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature: "rfb-secresult2"
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature: "rfb-secresult!0"
author	Philippe Antoine <pantoine@oisf.net>
	Fri, 19 Jul 2024 09:41:18 +0000 (11:41 +0200)
committer	Victor Julien <victor@inliniac.net>
	Wed, 7 Aug 2024 17:04:33 +0000 (19:04 +0200)
tests/rfb-rules-8/test.rules	[new file with mode: 0644]	patch \| blob
tests/rfb-rules-8/test.yaml	[new file with mode: 0644]	patch \| blob