From: Jason Ish Date: Tue, 25 Feb 2025 21:18:41 +0000 (-0600) Subject: test/quic-ietf: break out ja3 dependent tests X-Git-Tag: suricata-7.0.9~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1eb1716b8412c31628ac871983ed781b2f4cd6e2;p=thirdparty%2Fsuricata-verify.git test/quic-ietf: break out ja3 dependent tests JA3 is a compile time option, breakout the JA3 tests to another test that depends on HAVE_JA3.
---
diff --git a/tests/quic-ietf-ja3/README.md b/tests/quic-ietf-ja3/README.md
new file mode 100644
index 000000000..95cb154b1
--- /dev/null
+++ b/tests/quic-ietf-ja3/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test quic ietf v1 parsing
+
+# PCAP
+
+The pcap comes from https://www.bortzmeyer.org/quic.html
diff --git a/tests/quic-ietf-ja3/input.pcap b/tests/quic-ietf-ja3/input.pcap
new file mode 100644
index 000000000..266ba94ad
Binary files /dev/null and b/tests/quic-ietf-ja3/input.pcap differ
diff --git a/tests/quic-ietf-ja3/test.rules b/tests/quic-ietf-ja3/test.rules
new file mode 100644
index 000000000..edf16a467
--- /dev/null
+++ b/tests/quic-ietf-ja3/test.rules
@@ -0,0 +1,2 @@
+alert quic any any -> any any (msg:"QUIC JA3"; ja3s.string; content:"771,4866,43-51-41"; sid:3;)
+alert quic any any -> any any (msg:"QUIC JA3 HASH"; ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:5;)
diff --git a/tests/quic-ietf-ja3/test.yaml b/tests/quic-ietf-ja3/test.yaml
new file mode 100644
index 000000000..3b06dc166
--- /dev/null
+++ b/tests/quic-ietf-ja3/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 7.0.0
+ features:
+ - HAVE_JA3
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/quic-ietf/test.rules b/tests/quic-ietf/test.rules
index 996800ce4..3b689762a 100644
--- a/tests/quic-ietf/test.rules
+++ b/tests/quic-ietf/test.rules
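Review bot: The message on sid 3 reads `QUIC JA3` while the keyword it matches on is `ja3s.string`, i.e. the server-side JA3S fingerprint, so the alert name misdescribes what fires; `msg:"QUIC JA3S";` would match the keyword. The test.yaml checks key on `alert.signature_id`, so this is naming only, but the rule was carried over verbatim from tests/quic-ietf/test.rules and is the natural place to fix it. The msg on sid 5 (`ja3.hash`) is consistent with its keyword.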
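Review bot: The sid 4 (`QUIC SNI`) alert check that the last hunk removes from tests/quic-ietf/test.yaml is not carried into this new test.yaml or anywhere else, yet the sid 4 rule stays in tests/quic-ietf/test.rules; the SNI alert is now exercised by no check at all, and the quic-ietf test would still pass if `quic.sni` stopped matching. Only the JA3-dependent sid 3 check should have moved; the sid 4 stanza belongs back in tests/quic-ietf/test.yaml under `checks:` (sid 4 does not depend on HAVE_JA3). The new file also inherits README wording that says only "Test quic ietf v1 parsing", so a reader cannot tell this directory exists for the JA3/JA3S keywords.
```yaml
# … unchanged: quic event checks … (tests/quic-ietf/test.yaml)
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 4
```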
@@ -1,3 +1 @@
 alert quic any any -> any any (msg:"QUIC SNI"; quic.sni; content:"msquic.net"; sid:4;)
-alert quic any any -> any any (msg:"QUIC JA3"; ja3s.string; content:"771,4866,43-51-41"; sid:3;)
-alert quic any any -> any any (msg:"QUIC JA3 HASH"; ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:5;)
diff --git a/tests/quic-ietf/test.yaml b/tests/quic-ietf/test.yaml
index 17d841124..ef8b9c602 100644
--- a/tests/quic-ietf/test.yaml
+++ b/tests/quic-ietf/test.yaml
@@ -10,13 +10,3 @@ checks:
 quic.extensions[1].values[0]: "msquic.net"
 quic.extensions[2].name: "alpn"
 quic.extensions[2].values[0]: "h3-29"
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 4
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 3