tests: add rule to check for tcp_seq 1750/head 1751/head
authorDaniel Olatunji <danielolatunji20@outlook.com>
Wed, 31 Jan 2024 15:29:16 +0000 (16:29 +0100)
committerJuliana Fajardini <jufajardini@oisf.net>
Tue, 9 Apr 2024 20:54:18 +0000 (17:54 -0300)
Related to
Issue: 6353

tests/rules/tcp-seq-keyword/README.md [new file with mode: 0644]
tests/rules/tcp-seq-keyword/test.rules [new file with mode: 0644]
tests/rules/tcp-seq-keyword/test.yaml [new file with mode: 0644]

diff --git a/tests/rules/tcp-seq-keyword/README.md b/tests/rules/tcp-seq-keyword/README.md
new file mode 100644 (file)
index 0000000..5a8d4ad
--- /dev/null
@@ -0,0 +1,2 @@
+## Description
+Rule test for tcp-seq keyword engine-analysis output; includes the test.yaml and test.rules files.
\ No newline at end of file
diff --git a/tests/rules/tcp-seq-keyword/test.rules b/tests/rules/tcp-seq-keyword/test.rules
new file mode 100644 (file)
index 0000000..2ac64f9
--- /dev/null
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"Testing seq"; seq:624; sid:1;)
+alert tcp any any -> any any (msg:"Testing seq"; seq:723833; sid:2;)
\ No newline at end of file
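Review bot: Both rules use mid-range values (`seq:624` and `seq:723833`) and share the same `msg:"Testing seq"`, so the test never pins how the keyword's value is parsed at the edges of the sequence-number space. Assuming the keyword accepts the full unsigned 32-bit range, a third rule at the upper bound, such as `alert tcp any any -> any any (msg:"Testing seq max"; seq:4294967295; sid:3;)`, would catch a truncation or signedness regression in the engine-analysis output. It needs a matching check in test.yaml. Giving each rule its own `msg` would also make a failing check easier to trace back to its rule.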
diff --git a/tests/rules/tcp-seq-keyword/test.yaml b/tests/rules/tcp-seq-keyword/test.yaml
new file mode 100644 (file)
index 0000000..d72a8a2
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+    min-version: 8.0
+    pcap: false
+
+args:
+    - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.packet.matches[0].name: "tcp.seq"
+      lists.packet.matches[0].seq.number: 624
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+        id: 2
+        lists.packet.matches[0].seq.number: 723833
\ No newline at end of file
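Review bot: The second filter (`id: 2`) asserts only `lists.packet.matches[0].seq.number` and omits the `lists.packet.matches[0].name: "tcp.seq"` check that the first filter makes. Its `match:` keys are also indented four spaces where the first filter uses two. Adding `lists.packet.matches[0].name: "tcp.seq"` under the second `match:` and using one indent width would make the two checks parallel and equally strict. Separately, `min-version: 8.0` is an unquoted scalar that YAML loads as a float; it round-trips today, but a later edit to something like `8.10` would silently become `8.1`, so quoting it is safer if the runner accepts a string there.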