From: Philippe Antoine Date: Tue, 13 Jul 2021 08:56:52 +0000 (+0200) Subject: Adds test about file deletion over SMB2 X-Git-Tag: suricata-6.0.4~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50b59b14689ebe4ff40219eee5955b30baac9262;p=thirdparty%2Fsuricata-verify.git Adds test about file deletion over SMB2 --- diff --git a/tests/smb2-delete/README.md b/tests/smb2-delete/README.md new file mode 100644 index 000000000..25e28d29e --- /dev/null +++ b/tests/smb2-delete/README.md @@ -0,0 +1,15 @@ +# Description + +Test SMB2 file deletion logging. + +# PCAP + +The pcap comes from running Macos client smbclient against a Windows 2019 Server (with a public shared folder without needed authentication) +Commands on the client are +``` +mount_smbfs "//GUEST@192.168.1.51/sand" tmp +ls tmp/ +echo "to remove" > tmp/test +rm tmp/test +umount tmp +``` diff --git a/tests/smb2-delete/input.pcap b/tests/smb2-delete/input.pcap new file mode 100644 index 000000000..2aeb815ca Binary files /dev/null and b/tests/smb2-delete/input.pcap differ diff --git a/tests/smb2-delete/test.yaml b/tests/smb2-delete/test.yaml new file mode 100644 index 000000000..0837bad88 --- /dev/null +++ b/tests/smb2-delete/test.yaml @@ -0,0 +1,14 @@ +requires: + min-version: 7 + +# disables checksum verification +args: +- -k none + +checks: + - filter: + count: 1 + match: + event_type: smb + smb.access: "delete on close" + smb.filename: "test"
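Review bot: the README's description of the capture does not match the commands it lists. It says the pcap comes from "running Macos client smbclient", but the transcript uses mount_smbfs, which is the macOS kernel SMB client, not Samba's smbclient, and "Macos" and "Windows 2019 Server" should read "macOS" and "Windows Server 2019". Suggest rewording the sentence to something like "The pcap comes from a macOS client mounting a share on a Windows Server 2019 host that allows unauthenticated guest access" and stating which of the listed commands produces the event the test asserts on (the `rm tmp/test` step), so a reader can tie the capture to the `delete on close` check in test.yaml.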
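Review bot: the match in the checks block keys only on `smb.access: "delete on close"` and `smb.filename: "test"` with `count: 1`; it would be tighter to also pin `smb.command` so the assertion is on the specific SMB2 transaction that logged the delete-on-close access rather than on any smb event carrying that filename, for example adding `smb.command: SMB2_COMMAND_CREATE` under match if the access is logged on the CREATE transaction (delete-on-close is an SMB2 CREATE option). Separately, the requires block sets `min-version: 7` while the commit sits before the suricata-6.0.4 tag (X-Git-Tag: suricata-6.0.4~67); if the access logging this test exercises also exists in the 6.0.x branch the requirement should be lowered so the test is not skipped there, and if it does not, a one-line note in the README saying the test needs 7.x would save the next reader the same question.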