From: Modupe Falodun
Date: Tue, 1 Feb 2022 21:25:54 +0000 (+0100)
Subject: detect-dce-opnum: add test
X-Git-Tag: suricata-6.0.5~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d88d2fab7ec23d6a13e1da947bb482b548ab23d;p=thirdparty%2Fsuricata-verify.git

detect-dce-opnum: add test

Task: 4911
---

diff --git a/tests/dcerpc/dcerpc-dce-opnum/README.md b/tests/dcerpc/dcerpc-dce-opnum/README.md
new file mode 100644
index 000000000..b31f1d6a9
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-opnum/README.md
@@ -0,0 +1 @@
+Tests the dce_opnum keyword
diff --git a/tests/dcerpc/dcerpc-dce-opnum/test.rules b/tests/dcerpc/dcerpc-dce-opnum/test.rules
index 947427ffa..9cfa31f5e 100644
--- a/tests/dcerpc/dcerpc-dce-opnum/test.rules
+++ b/tests/dcerpc/dcerpc-dce-opnum/test.rules
@@ -1 +1,2 @@
-alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;dce_opnum:4;sid:1;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989;dcerpc.opnum:4;sid:1;)
+alert tcp any any -> any any (msg:"DCERPC"; dcerpc.opnum:4; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dce-opnum/test.yaml b/tests/dcerpc/dcerpc-dce-opnum/test.yaml
index 7c47e217d..4516db108 100644
--- a/tests/dcerpc/dcerpc-dce-opnum/test.yaml
+++ b/tests/dcerpc/dcerpc-dce-opnum/test.yaml
@@ -10,3 +10,9 @@ checks:
 count: 1
 match:
 event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
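Review bot: The new sid 2 rule's `msg:"DCERPC"` says nothing about what the signature is meant to exercise, while sid 1 on the line above keeps a descriptive message; since this rule is the one that isolates the keyword, `msg:"DCE Opnum test"` would make the eve output self-explanatory. The two lines also use different option spacing (`;flow:` vs `; dcerpc.opnum:`), so one convention across the file would be preferable. Note that the README added in this same commit still calls the keyword `dce_opnum`, the name the rules file is replacing here; suggest `Tests the dcerpc.opnum keyword (previously written dce_opnum)` so the description and the rules agree.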
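Review bot: The expected counts for the two signatures (1 for sid 1, 2 for sid 2) are asserted without any explanation of why they differ, so a future failure cannot be judged against intent. Presumably the extra `dcerpc.iface` and `flow:established,to_server` constraints on sid 1 account for the lower count, but that should be confirmed against the pcap and recorded, e.g. `# sid 1 adds iface and flow constraints, so it is expected to fire less often than sid 2 (opnum only)` above the first filter. The `checks:` list this hunk extends begins above the hunk.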