tests: add rdp parser test

diff --git a/tests/rdp-protocol/RDP-003.pcap b/tests/rdp-protocol/RDP-003.pcap
new file mode 100644 (file)
index 0000000..d7e8e84
Binary files /dev/null and b/tests/rdp-protocol/RDP-003.pcap differ

diff --git a/tests/rdp-protocol/README.md b/tests/rdp-protocol/README.md
new file mode 100644 (file)
index 0000000..4ce083a
--- /dev/null
+++ b/tests/rdp-protocol/README.md
@@ -0,0 +1 @@
+Match on RDP event and check different protocol specific details.

diff --git a/tests/rdp-protocol/suricata.yaml b/tests/rdp-protocol/suricata.yaml
new file mode 100644 (file)
index 0000000..0bfabbc
--- /dev/null
+++ b/tests/rdp-protocol/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - rdp
+        - flow
+
+app-layer:
+  protocols:
+    rdp:
+      enabled: yes

diff --git a/tests/rdp-protocol/test.yaml b/tests/rdp-protocol/test.yaml
new file mode 100644 (file)
index 0000000..7c271e3
--- /dev/null
+++ b/tests/rdp-protocol/test.yaml
@@ -0,0 +1,35 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+
+  # Check if rdp is detected and some protocol specific details are in the output
+  #
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: rdp
+
+  - filter:
+      count: 1
+      match:
+        event_type: rdp
+        rdp.event_type: "initial_request"
+        rdp.cookie: "A70067"
+
+  - filter:
+      count: 1
+      match:
+        event_type: rdp
+        rdp.event_type: "connect_request"
+        rdp.client.version: "v5"
+        rdp.client.build: "Windows XP"
+        rdp.client.desktop_height: 864
+        rdp.client.client_name: "ISD2-KM84178"
+        rdp.client.capabilities[0]: "support_errinfo_pdf"
+        rdp.client.id: "55274-OEM-0011903-00107"
+        rdp.channels[0]: "rdpdr"
+        rdp.channels[1]: "cliprdr"
+        rdp.channels[2]: "rdpsnd"