From: Shivani Bhardwaj
Date: Fri, 23 Aug 2024 07:03:40 +0000 (+0530)
Subject: flow/pkts: add rules w new syntax
X-Git-Tag: suricata-7.0.9~83
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30440e7fe6467cdb92d6d9c6c4a8d9a87780ce23;p=thirdparty%2Fsuricata-verify.git
flow/pkts: add rules w new syntax
---
diff --git a/tests/detect-flow-pkts/README.md b/tests/detect-flow-pkts/README.md
index 6691a2c40..2d9c13602 100644
--- a/tests/detect-flow-pkts/README.md
+++ b/tests/detect-flow-pkts/README.md
@@ -1,7 +1,7 @@ Test ==== -Test `flow.pkts_toclient` and alike (bytes, server) keywords +Test `flow.pkts:toclient`.. and alike (bytes, server) keywords PCAP ====
diff --git a/tests/detect-flow-pkts/test.rules b/tests/detect-flow-pkts/test.rules
index d808c07d9..5aaa2bbd3 100644
--- a/tests/detect-flow-pkts/test.rules
+++ b/tests/detect-flow-pkts/test.rules
@@ -1 +1,2 @@
-alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts_toclient:10; flow.pkts_toserver:10; flow.bytes_toserver:<3000; flow.bytes_toclient:>8000; sid:1;)
+alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts:toclient,=10; flow.pkts:toserver,=10; flow.bytes:toserver,<3000; flow.bytes:toclient,>8000; sid:1;)
+alert ip any any -> any any (msg:"Flow has 10 packets (old syntax)"; flow.pkts_toclient:10; flow.pkts_toserver:10; flow.bytes_toserver:<3000; flow.bytes_toclient:>8000; sid:2;)
diff --git a/tests/detect-flow-pkts/test.yaml b/tests/detect-flow-pkts/test.yaml
index 440484ffc..7bb601c11 100644
--- a/tests/detect-flow-pkts/test.yaml
+++ b/tests/detect-flow-pkts/test.yaml
@@ -12,3 +12,8 @@ checks: match: event_type: alert alert.signature_id: 1 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2
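Review bot: The rewritten sid:1 rule keeps the bare `msg:"Flow has 10 packets"` while its counterpart sid:2 is labelled `(old syntax)`, so the two alerts in eve.json can only be told apart by sid; since this file now exists to compare the two keyword forms, label both, e.g. `msg:"Flow has 10 packets (new syntax)"`. The new form also exercises only `=`, `<` and `>`; if the comma-separated syntax accepts further comparators or ranges (the separate operator field suggests so, but that is not visible here), a third rule using one of them would pin that parsing as well. Note the old rule writes the packet counts as a bare `10` whereas the new one spells `=10`, so this pair is also the only place the equivalence of those two forms is asserted.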
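Review bot: The added check for sid 2 only asserts that one alert exists, so the test still passes if the old-syntax rule fires on a different packet than the new-syntax one, which is exactly the divergence this comparison should catch. Add `pcap_cnt:` (the value taken from the current eve output) under `match:` for the sid 1 and sid 2 filters alike, so that a semantic difference between `=10` and the bare `10` fails the test instead of being masked by matching count alone. The `checks:` list begins before this hunk, so the sid 1 entry's `filter:`/`count:` lines are outside the visible lines and should be verified together with the `pcap_cnt` addition.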