test: dataset state isnotset test

author Jason Ish <jason.ish@oisf.net>

Thu, 3 Oct 2019 22:34:16 +0000 (16:34 -0600)

committer Jason Ish <jason.ish@oisf.net>

Fri, 4 Oct 2019 21:49:58 +0000 (15:49 -0600)
author Jason Ish <jason.ish@oisf.net>
Thu, 3 Oct 2019 22:34:16 +0000 (16:34 -0600)
committer Jason Ish <jason.ish@oisf.net>
Fri, 4 Oct 2019 21:49:58 +0000 (15:49 -0600)
diff --git a/tests/datasets-state-isnotset/README.md b/tests/datasets-state-isnotset/README.md

new file mode 100644 (file)

index 0000000..4a9c616
--- /dev/null
+++ b/tests/datasets-state-isnotset/README.md
@@ -0,0 +1,3 @@
+Test dataset isnotseen for state. The idea is to check the first occurrence of
+something happening. Then once recorded in the state, isnotset should not
+match.
diff --git a/tests/datasets-state-isnotset/test.rules b/tests/datasets-state-isnotset/test.rules

new file mode 100644 (file)

index 0000000..95f94a4
--- /dev/null
+++ b/tests/datasets-state-isnotset/test.rules
@@ -0,0 +1,4 @@
+alert dns any any -> any any (dns.query; to_md5; \
+       dataset:isnotset, dns-seen.md5, type md5, state dns-seen.md5; \
+       dataset:set, dns-seen.md5; \
+       sid:1; rev:1;)
diff --git a/tests/datasets-state-isnotset/test.yaml b/tests/datasets-state-isnotset/test.yaml

new file mode 100644 (file)

index 0000000..ea1bf19
--- /dev/null
+++ b/tests/datasets-state-isnotset/test.yaml
@@ -0,0 +1,13 @@
+requires:
+  min-version: 5.0.0
+
+pcap: ../datasets-05-state/input.pcap
+
+args:
+  - --data-dir ./output
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
author	Jason Ish <jason.ish@oisf.net>
	Thu, 3 Oct 2019 22:34:16 +0000 (16:34 -0600)
committer	Jason Ish <jason.ish@oisf.net>
	Fri, 4 Oct 2019 21:49:58 +0000 (15:49 -0600)
tests/datasets-state-isnotset/README.md	[new file with mode: 0644]	patch \| blob
tests/datasets-state-isnotset/test.rules	[new file with mode: 0644]	patch \| blob
tests/datasets-state-isnotset/test.yaml	[new file with mode: 0644]	patch \| blob