rules/test: add app-layer-protocol negated test

To complement bug-7241 tests.

diff --git a/tests/rules/app-layer-protocol/test.rules b/tests/rules/app-layer-protocol/test.rules
new file mode 100644 (file)
index 0000000..d97f65c
--- /dev/null
+++ b/tests/rules/app-layer-protocol/test.rules
@@ -0,0 +1,2 @@
+drop tcp any any -> any any (flow:established; app-layer-protocol:!tls; sid:1;)
+drop tcp any any -> any any (flow:established; app-layer-protocol:!tls; prefilter; sid:2;)

diff --git a/tests/rules/app-layer-protocol/test.yaml b/tests/rules/app-layer-protocol/test.yaml
new file mode 100644 (file)
index 0000000..23b8132
--- /dev/null
+++ b/tests/rules/app-layer-protocol/test.yaml
@@ -0,0 +1,24 @@
+requires:
+    min-version: 7.0
+    pcap: false
+
+args:
+    - --engine-analysis
+    - --simulate-ips
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      app_proto: "unknown"
+      not-has-key: "prefilter"
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      app_proto: "unknown"
+      prefilter.buffer: "packet"
+      prefilter.name: app-layer-protocol