From: Jeff Lucovsky Date: Tue, 14 May 2024 12:57:08 +0000 (-0400) Subject: testa/ja4: Confirm config on auto-enable X-Git-Tag: suricata-6.0.20~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54bf0459ac1973fc01078a419a8cd6578eefba6a;p=thirdparty%2Fsuricata-verify.git testa/ja4: Confirm config on auto-enable Issue: 7010 Confirm that the config-level message is displayed when JA4 is enabled due to rule usage.
---
diff --git a/tests/ja4-rules-bug-7010/README.md b/tests/ja4-rules-bug-7010/README.md
new file mode 100644
index 000000000..21c899b3b
--- /dev/null
+++ b/tests/ja4-rules-bug-7010/README.md
@@ -0,0 +1 @@
+Confirm that Suricata logs JA4 being enabled due to a rule.
diff --git a/tests/ja4-rules-bug-7010/test.rules b/tests/ja4-rules-bug-7010/test.rules
new file mode 100644
index 000000000..bdd3f738d
--- /dev/null
+++ b/tests/ja4-rules-bug-7010/test.rules
@@ -0,0 +1 @@
+alert quic any any -> any any (msg:"JA4 QUIC Test 1"; requires: feature ja4; ja4.hash; content: "q13d0310h3_55b375c5d22e_cd85d2d88918"; sid:1;)
diff --git a/tests/ja4-rules-bug-7010/test.yaml b/tests/ja4-rules-bug-7010/test.yaml
new file mode 100644
index 000000000..bdf014ded
--- /dev/null
+++ b/tests/ja4-rules-bug-7010/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 7.0.6
+ lt-version: 8
+ features:
+ - HAVE_JA4
+
+pcap: ../ja4-rules/input.pcap
+
+args:
+ - -k none
+ - --set logging.default-log-level=config
+
+checks:
+ - shell:
+ args: grep -c "enabling JA4 due to rule usage" stdout
+ expect: 1
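Review bot: The single `shell` check in test.yaml only proves that the "enabling JA4 due to rule usage" line was printed. It would still pass if JA4 were announced as auto-enabled but the `ja4.hash` rule in test.rules never matched on `../ja4-rules/input.pcap`. For a detection feature that switches itself on, a message with no working fingerprinting behind it is the failure an operator would most want caught. Consider adding a second entry under `checks:`, a `filter` check matching `event_type: alert` and `alert.signature_id: 1`, with the expected count taken from what that pcap produces. This assumes the default EVE output is active for this test; the sibling `ja4-rules` test may already cover matching, but not on the auto-enable path.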