From: Eric Leblond
Date: Mon, 27 Jun 2022 04:17:31 +0000 (+0200)
Subject: tests: add tests for ntlmssp keywords
X-Git-Tag: suricata-6.0.8~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ff06ed5bb2ea4d9fafdf1224a7d1ff26c7ae58f;p=thirdparty%2Fsuricata-verify.git

tests: add tests for ntlmssp keywords
---
diff --git a/tests/smb2-08-rule/README.md b/tests/smb2-08-rule/README.md
new file mode 100644
index 000000000..a96a2785c
--- /dev/null
+++ b/tests/smb2-08-rule/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap found in Zeek/Bro git repo.
diff --git a/tests/smb2-08-rule/smb2.pcap b/tests/smb2-08-rule/smb2.pcap
new file mode 100644
index 000000000..49c711601
Binary files /dev/null and b/tests/smb2-08-rule/smb2.pcap differ
diff --git a/tests/smb2-08-rule/test.rules b/tests/smb2-08-rule/test.rules
new file mode 100644
index 000000000..0b6f57b03
--- /dev/null
+++ b/tests/smb2-08-rule/test.rules
@@ -0,0 +1,3 @@
+alert smb any any -> any any (msg:"user"; smb.ntlmssp_user; content:"Administrator"; sid:1;)
+alert smb any any -> any any (msg:"user"; smb.ntlmssp_domain; content:"CONTOSO"; sid:2;)
+alert smb any any -> any any (msg:"user"; smb.ntlmssp_user; content:"root"; sid:3;)
diff --git a/tests/smb2-08-rule/test.yaml b/tests/smb2-08-rule/test.yaml
new file mode 100644
index 000000000..4c74dd6ce
--- /dev/null
+++ b/tests/smb2-08-rule/test.yaml
@@ -0,0 +1,27 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ files:
+ - rust/src/smb/smb.rs
+ - src/detect-smb-ntlmssp.c
+args:
+- --set stream.reassembly.depth=0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+
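Review bot: The sid 2 rule in test.rules carries `msg:"user"` although it keys on `smb.ntlmssp_domain`, so its alert is indistinguishable by message from the two user rules in eve output and in a failing test's report; `msg:"domain"` would make it self-explanatory. The sid 3 rule is a negative control (test.yaml expects zero alerts for it), which is not visible from the rules file itself; a leading comment such as `# sid 3 is a negative control: "root" must not match the NTLMSSP user field in smb2.pcap` would record that intent. The content matches are case-sensitive as written, so the same comment could note that a `nocase` variant of the keywords is deliberately not exercised here.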
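Review bot: The sid 1 and sid 2 checks in test.yaml only count alerts, so they pass whenever exactly one alert fires per rule and would not catch a keyword matching against the wrong buffer (for instance the user sticky buffer exposing the domain value) if the pcap happened to yield one hit either way. If the alert's smb metadata carries the parsed NTLMSSP fields in this release (it appears to, under `smb.ntlmssp`, but confirm against the eve output), adding the expected value to each filter, e.g. `smb.ntlmssp.user: Administrator` beside `alert.signature_id: 1` and `smb.ntlmssp.domain: CONTOSO` beside `alert.signature_id: 2`, would pin the match to the field the keyword is supposed to read. The `requires.files` entry for `src/detect-smb-ntlmssp.c` is what makes older trees skip rather than fail this test; a one-line comment stating that would save the next maintainer from wondering why a source path is listed.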