--- /dev/null
+Purpose
+-------
+Validate that detection_filter with unique_on dst_port does not trigger when
+the number of distinct destination ports stays below the threshold.
+
+Rule requires 3 distinct destination ports for the same destination host (track by_dst).
+The PCAP only has 2 distinct destination ports, so the threshold is not reached
+and no alerts are expected (sid 100011).
+
+Why this matters
+---------------
+Ensures duplicates or insufficient variety of dst ports do not produce alerts
+when distinct counting (unique_on dst_port) is configured with a higher threshold.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7928
+
+PCAP: Crafted manually to fit the test.
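Review bot: the "Why this matters" paragraph claims this test shows that duplicate destination ports do not produce alerts, but the Purpose paragraph only says the PCAP has 2 distinct destination ports and never states that any port is repeated. For the test to distinguish unique_on dst_port from plain match counting, the PCAP needs more than 3 SYNs in total spread over those 2 ports (so a non-unique counter would have exceeded count 3 while the distinct counter stays at 2). Please state the actual number of packets per port in the README, or drop the duplicate claim.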
--- /dev/null
+## Expect 0 alerts: only 2 distinct dst ports present but threshold is 3
+alert tcp any any -> 1.1.1.1 any (msg:"DF distinct dst_port no dup"; flags:S; flow:stateless; detection_filter: track by_dst, count 3, seconds 60, unique_on dst_port; sid:100011; rev:1;)
--- /dev/null
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100011
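Review bot: a `count: 0` filter on alerts is also satisfied when the PCAP is not processed or the rule never loads, so this negative test cannot tell "threshold not reached" from "nothing happened". Add a positive check in the same file, for example a filter with `count: 1` on `event_type: stats` as the dst_port positive test does, so that a PCAP or rule problem surfaces as a failure instead of a pass.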
--- /dev/null
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on dst_port.
+
+Rule requires 1 distinct destination port for the same destination host (track by_dst).
+The PCAP contains traffic that hits 2 different destination ports to 1.1.1.1,
+so the distinct counter reaches the threshold and one alert is expected (sid 100001).
+
+Why this matters
+---------------
+Introduces coverage for detection_filter unique_on dst_port behavior added in Suricata.
+This test ensures that different dst ports contribute separately toward the threshold
+while duplicate ports do not.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7928
+
+PCAP: Crafted manually to fit the test.
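Review bot: the count semantics described here disagree with the src_port README in the same series. This one says "Rule requires 1 distinct destination port ... the distinct counter reaches the threshold", while the src_port one says count 1 "alerts after seeing more than 1 distinct source port" (2 > 1). Since the alert fires once count is exceeded, the second distinct port is what triggers it; reword this paragraph to "alerts after more than 1 distinct destination port" so both READMEs describe the same behaviour.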
--- /dev/null
+## Expect 1 alert after 1 distinct destination port (unique_on dst_port, count 1)
+alert tcp any any -> 1.1.1.1 any (msg:"DF distinct dst_port"; flags:S; flow:stateless; detection_filter: track by_dst, count 1, seconds 60, unique_on dst_port; sid:100001; rev:1;)
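Review bot: the comment "Expect 1 alert after 1 distinct destination port" reads as if the first SYN alerts, which contradicts the README (2 ports needed, counter exceeds count 1) and the src_port rule comment ("after seeing >1 distinct source ports"). Change it to "after seeing >1 distinct destination ports (unique_on dst_port, count 1)".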
--- /dev/null
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100001
+
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.thresholds.bitmap_alloc_fail: 0
+ stats.detect.thresholds.bitmap_memuse: 8192
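Review bot: `stats.detect.thresholds.bitmap_memuse: 8192` pins the test to the current bitmap allocation size, so any change to how large a per-entry bitmap is, or when it is released, breaks this test for reasons unrelated to unique_on correctness. If the intent is only to confirm the bitmap was allocated, keep `bitmap_alloc_fail: 0` and document in the README where 8192 comes from; also note the src_port positive test has no equivalent stats filter, so either add one there or drop this one for consistency.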
--- /dev/null
+Purpose
+-------
+Validate that detection_filter with unique_on src_port does not trigger when
+the number of distinct source ports stays below the threshold.
+
+Rule requires 3 distinct source ports for the same source host (track by_src).
+The PCAP only has 2 distinct source ports, so the threshold is not reached
+and no alerts are expected (sid 100012).
+
+Why this matters
+---------------
+Ensures duplicates or insufficient variety of src ports do not produce alerts
+when distinct counting (unique_on src_port) is configured with a higher threshold.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7928
+
+PCAP: Crafted manually to fit the test.
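Review bot: same gap as the dst_port variant: the Purpose text only says 2 distinct source ports are present and does not say the PCAP repeats a port, yet "Why this matters" claims duplicate handling is covered. Document the number of SYNs sent per source port; unless the total exceeds count 3, the duplicates play no role and the test only checks that 2 < 3.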
--- /dev/null
+## Expect 0 alerts: only 2 distinct src ports present but threshold is 3
+alert tcp any any -> 2.2.2.2 80 (msg:"DF distinct src_port no dup"; flags:S; flow:stateless; detection_filter: track by_src, count 3, seconds 60, unique_on src_port; sid:100012; rev:1;)
--- /dev/null
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100012
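Review bot: this file only asserts `count: 0` on alerts, which also passes if the PCAP is empty, unreadable or the rule fails to parse. Pair it with a check that proves traffic was seen, such as a `count: 1` filter on `event_type: stats`, so the expected absence of sid 100012 is meaningful.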
--- /dev/null
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on src_port.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct source port
+for the same source host (track by_src). The PCAP contains traffic with 2 different
+source ports toward 2.2.2.2:80, so the distinct counter exceeds the threshold (2 > 1)
+and one alert is expected (sid 100002).
+
+Why this matters
+---------------
+Introduces coverage for detection_filter unique_on src_port behavior added in Suricata.
+This test ensures that different src ports contribute separately toward the threshold
+while duplicate ports do not.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7928
+
+PCAP: Crafted manually to fit the test.
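Review bot: the sentence "while duplicate ports do not" is not exercised by this test. With count 1 and two SYNs from different source ports, a plain detection_filter without unique_on would produce the same single alert, so the test only shows that unique_on src_port does not suppress alerting, not that duplicates are ignored. Either add repeated-port packets before the second distinct port and keep the expected count, or move that claim to the "no dup" README where it belongs.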
--- /dev/null
+## Expect 1 alert after seeing >1 distinct source ports (unique_on src_port, count 1)
+alert tcp any any -> 2.2.2.2 80 (msg:"DF distinct src_port"; flags:S; flow:stateless; detection_filter: track by_src, count 1, seconds 60, unique_on src_port; sid:100002; rev:1;)
--- /dev/null
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100002