From: Modupe Falodun
Date: Mon, 24 Jan 2022 21:53:45 +0000 (+0100)
Subject: detect-proto: add tests for detect-engine-proto
X-Git-Tag: suricata-6.0.5~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53c425b23389fd9aa0d4bad18c8ff18863d4af50;p=thirdparty%2Fsuricata-verify.git
detect-proto: add tests for detect-engine-proto
Task: 4911
---
diff --git a/tests/detect-engine-proto/README.md b/tests/detect-engine-proto/README.md
new file mode 100644
index 000000000..d18d6d682
--- /dev/null
+++ b/tests/detect-engine-proto/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test the working of protocol detection by setting up the signature and later testing its working by matching the received packet against the sig.
+
+# PCAP
+
+The pcap comes from https://github.com/bro/bro/blob/master/testing/btest/Traces/tcp/tcp-fast-open.pcap
diff --git a/tests/detect-engine-proto/input.pcap b/tests/detect-engine-proto/input.pcap
new file mode 100644
index 000000000..2893440fa
Binary files /dev/null and b/tests/detect-engine-proto/input.pcap differ
diff --git a/tests/detect-engine-proto/test.rules b/tests/detect-engine-proto/test.rules
new file mode 100644
index 000000000..a4c742c67
--- /dev/null
+++ b/tests/detect-engine-proto/test.rules
@@ -0,0 +1,4 @@
+alert udp any any -> any any (msg:"Not tcp"; flow:to_server; sid:1;)
+alert ip any any -> any any (msg:"IP"; flow:to_server; sid:2;)
+alert tcp any any -> any any (msg:"TCP"; flow:to_server; sid:3;)
+alert http any any -> any any (msg:"http"; flow:to_server; sid:4;)
diff --git a/tests/detect-engine-proto/test.yaml b/tests/detect-engine-proto/test.yaml
new file mode 100644
index 000000000..ba4d1584e
--- /dev/null
+++ b/tests/detect-engine-proto/test.yaml
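Review bot: The `msg` on sid 1 reads `"Not tcp"` while the rule's protocol is `udp`, which makes the alert name misleading next to the `"IP"`/`"TCP"`/`"http"` messages on the other three rules in test.rules; `alert udp any any -> any any (msg:"UDP"; flow:to_server; sid:1;)` keeps the naming parallel. None of the four rules carries a `rev` keyword; adding `rev:1;` to each follows the usual Suricata rule convention and makes later edits to the test rules traceable.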
@@ -0,0 +1,36 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: http
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 7
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 7
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
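Review bot: The alert checks in test.yaml pin per-signature counts only, so an alert from a signature not listed, or an unexpected extra match on an existing sid paired with a missing one elsewhere, would not be caught by these filters. Adding one filter on the total number of `alert` events alongside the per-sid ones closes that gap; given the counts this hunk asserts for sids 1 to 4 (0 + 7 + 7 + 3), the expected total is 17. The `-k none` argument disables checksum verification, which is presumably what lets every packet of the trace reach detection; a one-line comment above `args:` saying so would save the next reader a lookup.
```yaml
# … unchanged: existing per-signature filters …
- filter:
    count: 17
    match:
      event_type: alert
```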