From: Victor Julien
Date: Tue, 21 Dec 2021 09:07:01 +0000 (+0100)
Subject: tests: add tests for negated protocol matching
X-Git-Tag: suricata-6.0.9~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fe239fe3078a86f41dc4f1df6fd9f6e55b27497;p=thirdparty%2Fsuricata-verify.git
tests: add tests for negated protocol matching
---
diff --git a/tests/detect-app-layer-protocol-01/README.md b/tests/detect-app-layer-protocol-01/README.md
new file mode 100644
index 000000000..52fe89a2e
--- /dev/null
+++ b/tests/detect-app-layer-protocol-01/README.md
@@ -0,0 +1,3 @@
+Test `app-layer-protocol:!http`.
+
+PCAP from alert-testmyids.
diff --git a/tests/detect-app-layer-protocol-01/input.pcap b/tests/detect-app-layer-protocol-01/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/detect-app-layer-protocol-01/input.pcap differ
diff --git a/tests/detect-app-layer-protocol-01/test.rules b/tests/detect-app-layer-protocol-01/test.rules
new file mode 100644
index 000000000..20acc18ff
--- /dev/null
+++ b/tests/detect-app-layer-protocol-01/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any [80,443] (msg:"non-HTTP traffic over HTTP/S standard port"; flow:to_server; app-layer-protocol:!http; app-layer-protocol:!tls; sid:1; )
+alert tcp any [80,443] -> any any (msg:"non-HTTP traffic over HTTP/S standard port"; flow:to_client; app-layer-protocol:!http; app-layer-protocol:!tls; sid:2; )
diff --git a/tests/detect-app-layer-protocol-01/test.yaml b/tests/detect-app-layer-protocol-01/test.yaml
new file mode 100644
index 000000000..ade805c54
--- /dev/null
+++ b/tests/detect-app-layer-protocol-01/test.yaml
@@ -0,0 +1,11 @@
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/detect-app-layer-protocol-02/README.md b/tests/detect-app-layer-protocol-02/README.md
new file mode 100644
index 000000000..eaf452704
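Review bot: Both checks in tests/detect-app-layer-protocol-01/test.yaml assert only `count: 0`, so the test also passes when sid 1 and sid 2 never load or when `app-layer-protocol` negation silently stops matching; nothing distinguishes "the negation correctly suppressed the alert" from "no rule ran at all", and the same applies to tests/detect-app-layer-protocol-02/test.yaml. Unless the harness runs Suricata with init errors made fatal, a typo in test.rules would therefore go unnoticed. A positive control would pin the behaviour: a third rule whose negation is expected to match this HTTP pcap, e.g. `alert tcp any any -> any [80,443] (msg:"control: negated non-HTTP proto"; flow:to_server; app-layer-protocol:!dns; sid:3;)` (constructed example) with a non-zero `count` expectation derived from the pcap's flows, or, if the harness supports it, a check that the signatures loaded. Separately, the two rules in test.rules carry an identical `msg` although they differ in direction; naming the direction in the message (`"... to_server"` / `"... to_client"`) makes the eve output self-describing if a check ever fires.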
--- /dev/null
+++ b/tests/detect-app-layer-protocol-02/README.md
@@ -0,0 +1,3 @@
+Test `app-layer-protocol:!http1` (7+ only).
+
+PCAP from alert-testmyids.
diff --git a/tests/detect-app-layer-protocol-02/input.pcap b/tests/detect-app-layer-protocol-02/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/detect-app-layer-protocol-02/input.pcap differ
diff --git a/tests/detect-app-layer-protocol-02/test.rules b/tests/detect-app-layer-protocol-02/test.rules
new file mode 100644
index 000000000..b9bc4ab36
--- /dev/null
+++ b/tests/detect-app-layer-protocol-02/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any [80,443] (msg:"non-HTTP traffic over HTTP/S standard port"; flow:to_server; app-layer-protocol:!http1; app-layer-protocol:!tls; sid:1; )
+alert tcp any [80,443] -> any any (msg:"non-HTTP traffic over HTTP/S standard port"; flow:to_client; app-layer-protocol:!http1; app-layer-protocol:!tls; sid:2; )
diff --git a/tests/detect-app-layer-protocol-02/test.yaml b/tests/detect-app-layer-protocol-02/test.yaml
new file mode 100644
index 000000000..1d0eb860a
--- /dev/null
+++ b/tests/detect-app-layer-protocol-02/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 7
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2