tls test: based on tls tests in @regit suripcap branch
authorJason Ish <ish@unx.ca>
Thu, 21 Dec 2017 00:09:04 +0000 (18:09 -0600)
committerJason Ish <ish@unx.ca>
Thu, 21 Dec 2017 00:09:04 +0000 (18:09 -0600)
combines "TLS 1" and "TLS alert" into a single test

tests/tls/test.yaml [new file with mode: 0644]
tests/tls/tls.pcap [new file with mode: 0644]
tests/tls/tls.rules [new file with mode: 0644]

diff --git a/tests/tls/test.yaml b/tests/tls/test.yaml
new file mode 100644 (file)
index 0000000..3720701
--- /dev/null
@@ -0,0 +1,24 @@
+checks:
+
+  - filter:
+      count: 4
+      match:
+        event_type: tls
+        tls.serial: 00:97:E6:47:09:8E:EA:C9:B4
+        tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.session_resumed: true
+        
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 1
+
+  - stats:
+      app_layer.flow.tls: 5
+      app_layer.tx.tls: 0
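Review bot: The expected counts in this file (4, 1, 4, 5 and 0) carry no explanation, so a reader cannot tell which are properties of tls.pcap and which depend on how the Suricata build under test counts things. A comment above the first filter would help, for example `# tls.pcap: 5 TLS flows; 4 present the SELKS certificate, 1 is a resumed session without one`, if that is indeed the breakdown the capture was built for. `app_layer.tx.tls: 0` sits next to five TLS flows and needs its own one-line comment saying why zero is expected, otherwise it looks like a bug when the test later fails. The otherwise empty line between the second and third filter carries trailing whitespace.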
diff --git a/tests/tls/tls.pcap b/tests/tls/tls.pcap
new file mode 100644 (file)
index 0000000..8aca218
Binary files /dev/null and b/tests/tls/tls.pcap differ
diff --git a/tests/tls/tls.rules b/tests/tls/tls.rules
new file mode 100644 (file)
index 0000000..2600511
--- /dev/null
@@ -0,0 +1 @@
+alert tls any any -> any any (msg:"Stamus TLS"; tls_cert_issuer; content:"O=Stamus"; sid:1; rev:1;)
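Review bot: The `content:"O=Stamus"` match is an unanchored substring of the issuer, so sid 1 would also fire on any other issuer whose DN merely contains that text, and the `count: 4` alert check in test.yaml would not notice. Since the test already pins the full issuer string in its `tls.issuerdn` filter, the rule could match the same value more tightly, e.g. `content:"O=Stamus, CN=SELKS";`, assuming the buffer uses the same DN formatting as the logged field. Issuer text in a certificate is chosen by whoever generates it, so a one-line comment in the rules file saying this rule is a fixture for exercising `tls_cert_issuer`, not a detection to copy, would also be worth adding.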