From: Jason Ish
Date: Thu, 26 Sep 2019 14:55:37 +0000 (-0600)
Subject: filemd5: test md5 rule triggers without filestore keyword
X-Git-Tag: suricata-6.0.4~332
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=421cabe026304c9176d21b78870b36b8041ce17e;p=thirdparty%2Fsuricata-verify.git

filemd5: test md5 rule triggers without filestore keyword

Redmine issue: https://redmine.openinfosecfoundation.org/issues/2490
---
diff --git a/tests/filemd5/suricata.yaml b/tests/filemd5/suricata.yaml
new file mode 100644
index 000000000..e9ee013b8
--- /dev/null
+++ b/tests/filemd5/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
diff --git a/tests/filemd5/target.md5 b/tests/filemd5/target.md5
new file mode 100644
index 000000000..e807c9e46
--- /dev/null
+++ b/tests/filemd5/target.md5
@@ -0,0 +1 @@
+e19c1283c925b3206685ff522acfe3e6
diff --git a/tests/filemd5/target.pcap b/tests/filemd5/target.pcap
new file mode 100644
index 000000000..c7afde992
Binary files /dev/null and b/tests/filemd5/target.pcap differ
diff --git a/tests/filemd5/test.rules b/tests/filemd5/test.rules
new file mode 100644
index 000000000..c3a09ff2a
--- /dev/null
+++ b/tests/filemd5/test.rules
@@ -0,0 +1,4 @@
+# filemd5 rule without filestore keyword.
+alert http any any -> any any (msg:"test"; filemd5: target.md5; classtype: bad-unknown; sid:1530024;)
+
+#alert http any any -> any any (msg:"test"; filemd5: target.md5; filestore; classtype: bad-unknown; sid:1530024;)
diff --git a/tests/filemd5/test.yaml b/tests/filemd5/test.yaml
new file mode 100644
index 000000000..3c17b1b58
--- /dev/null
+++ b/tests/filemd5/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ features:
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
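Review bot: The commented-out variant on the last line of the test.rules hunk reuses `sid:1530024`, the same sid as the live rule above it, so anyone uncommenting it to compare the filestore and non-filestore behaviour would most likely get a duplicate-signature rejection instead of a second rule. Either give it an unused sid of its own or drop the line, since a commented rule in a fixture tends to drift from the active one without anyone noticing. If it stays, a one-line comment would explain its purpose, e.g. `# Same rule with filestore, kept for comparison only; the test must pass without it.`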
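Review bot: The check at the end of the test.yaml hunk only requires exactly one event with `event_type: alert`, so it would also be satisfied by an alert from some other rule if one were ever added to this fixture. Adding `alert.signature_id: 1530024` next to `event_type: alert` under `match:` pins the expectation to the filemd5 rule the commit is actually testing. The `HAVE_NSS` entry under `requires:` is presumably what makes the md5 keyword available in the build; a short comment above it saying so, e.g. `# filemd5 needs a build with NSS for hashing.`, would save the next reader a lookup.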