tests: engine-analysis tests for pd_only rule type
authorJuliana Fajardini <jufajardini@gmail.com>
Mon, 20 Jan 2025 20:45:03 +0000 (17:45 -0300)
committerVictor Julien <victor@inliniac.net>
Tue, 28 Jan 2025 08:32:49 +0000 (09:32 +0100)
Add engine-analysis tests for protocol-detection-only (pd_only) rules, to accompany the rule
types documentation.

Related to
Task #7031

tests/rules/rule-type-pd-only/test.rules [new file with mode: 0644]
tests/rules/rule-type-pd-only/test.yaml [new file with mode: 0644]

diff --git a/tests/rules/rule-type-pd-only/test.rules b/tests/rules/rule-type-pd-only/test.rules
new file mode 100644 (file)
index 0000000..cc68852
--- /dev/null
@@ -0,0 +1,5 @@
+# Protocol Detection Only Rules
+alert tcp any any -> any any (msg:"tcp, pd negated"; app-layer-protocol:!http; sid:401;)
+alert tcp any any -> any any (msg:"tcp, pd positive"; app-layer-protocol:http; sid:402;)
+alert tcp any any -> any any (msg:"tcp, pd positive dns"; app-layer-protocol:dns; sid:403;)
+alert tcp any any -> any any (msg:"tcp, pd positive, dns, flow:to_server"; app-layer-protocol:dns; flow:to_server; sid:405;)
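Review bot: The sid sequence in this new file jumps from 403 to 405, so a reader cannot tell whether a fourth variant was dropped before commit or the gap is deliberate. If it is deliberate, a one-line comment such as `# sid 404 intentionally unused` next to sid 405 stops the next maintainer from hunting for a lost rule; otherwise renumbering 405 to 404 (and the matching `id`/`raw` check in test.yaml) keeps the file contiguous. All four rules are the positive case (classified as pd_only); a control rule that adds a content match to `app-layer-protocol:http` and is expected to come out as a different type would make it easier to notice a later over-classification, though that is a coverage suggestion rather than a defect in what is here.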
diff --git a/tests/rules/rule-type-pd-only/test.yaml b/tests/rules/rule-type-pd-only/test.yaml
new file mode 100644 (file)
index 0000000..9c46473
--- /dev/null
@@ -0,0 +1,34 @@
+requires:
+  min-version: 7
+  pcap: false
+args:
+- --engine-analysis
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"tcp, pd negated\"; app-layer-protocol:!http; sid:401;)"
+        id: 401
+        type: "pd_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"tcp, pd positive\"; app-layer-protocol:http; sid:402;)"
+        id: 402
+        type: "pd_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"tcp, pd positive dns\"; app-layer-protocol:dns; sid:403;)"
+        id: 403
+        type: "pd_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"tcp, pd positive, dns, flow:to_server\"; app-layer-protocol:dns; flow:to_server; sid:405;)"
+        id: 405
+        type: "pd_only"
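Review bot: The two sequences in this file are indented inconsistently: `args:` uses the flush form (`- --engine-analysis` at the key's column) while every item under `checks:` is indented by two spaces, which yamllint's indent-sequences rule flags; writing `args:` as `  - --engine-analysis` matches the rest of the file. Each check also pins the complete `raw` rule text in addition to `id` and `type`, so any cosmetic edit to test.rules (a message tweak, an option reorder) silently breaks the test even though the classification under test is unchanged; matching on `id` and `type` alone would be less brittle while still proving the `pd_only` result. Finally, `min-version: 7` assumes the rules.json engine-analysis output in 7.x already carries the `type` field with the `pd_only` value — I cannot confirm that from this page, so if that field only appears in a later release the requirement should be raised accordingly.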