From: Alice Akaki Date: Thu, 6 Feb 2025 06:16:40 +0000 (-0400) Subject: detect: add test for ldap.responses.result_code X-Git-Tag: suricata-7.0.9~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5dc44edb3326b6c2cd341a31302601318fe4f8ee;p=thirdparty%2Fsuricata-verify.git detect: add test for ldap.responses.result_code Ticket: #7532
---
diff --git a/tests/detect-ldap-result/Makefile b/tests/detect-ldap-result/Makefile
new file mode 100644
index 000000000..318ba91b6
--- /dev/null
+++ b/tests/detect-ldap-result/Makefile
@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/detect-ldap-result/README.md b/tests/detect-ldap-result/README.md
new file mode 100644
index 000000000..01da05535
--- /dev/null
+++ b/tests/detect-ldap-result/README.md
@@ -0,0 +1,5 @@
+Test ldap.responses.result_code keyword.
+
+PCAP created with flowsynth.py
+
+Redmine ticket: https://redmine.openinfosecfoundation.org/issues/7532
diff --git a/tests/detect-ldap-result/ldap.pcap b/tests/detect-ldap-result/ldap.pcap
new file mode 100644
index 000000000..0ac54431b
Binary files /dev/null and b/tests/detect-ldap-result/ldap.pcap differ
diff --git a/tests/detect-ldap-result/ldap.syn b/tests/detect-ldap-result/ldap.syn
new file mode 100644
index 000000000..734e92d11
--- /dev/null
+++ b/tests/detect-ldap-result/ldap.syn
@@ -0,0 +1,2 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default < (content:"\x30\x1f\x02\x01\x02\x65\x1a\x0a\x01\x04\x04\x00\x04\x13\x53\x69\x7a\x65\x20\x6c\x69\x6d\x69\x74\x20\x65\x78\x63\x65\x65\x64\x65\x64";);
\ No newline at end of file
diff --git a/tests/detect-ldap-result/test.rules b/tests/detect-ldap-result/test.rules
new file mode 100644
index 000000000..57c767bcd
--- /dev/null
+++ b/tests/detect-ldap-result/test.rules
@@ -0,0 +1 @@
+alert ldap any any -> any any (msg:"Test LDAP result code"; ldap.responses.result_code:size_limit_exceeded; sid:1;)
diff --git a/tests/detect-ldap-result/test.yaml b/tests/detect-ldap-result/test.yaml
new file mode 100644
index 000000000..f8c673ab3
--- /dev/null
+++ b/tests/detect-ldap-result/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none --set stream.inline=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 4
+ event_type: alert
+ ldap.responses[0].operation: search_result_done
+ ldap.responses[0].search_result_done.result_code: size_limit_exceeded
+ alert.signature_id: 1
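Review bot: The single check in test.yaml only asserts the positive case (one alert for sid 1 on pcap_cnt 4 with result_code size_limit_exceeded), so an implementation of ldap.responses.result_code that fired on every search_result_done regardless of the code would still pass; there is no negative assertion that a non-matching value stays silent. The fixture in ldap.syn carries a single SearchResultDone whose ENUMERATED resultCode byte is 0x04 (sizeLimitExceeded), which makes a contrasting value cheap to test with a second signature in test.rules, `alert ldap any any -> any any (msg:"Test LDAP result code no match"; ldap.responses.result_code:success; sid:2;)`, paired with a `count: 0` check on that sid. The indentation of this hunk was lost in rendering, so the nesting of the added check below is inferred from the existing sid 1 check. The `-k none` argument is presumably needed because the flowsynth-generated pcap has no valid checksums; a one-line comment saying so in test.yaml would save the next reader the guess.
```yaml
  # … unchanged: requires, args and the existing sid 1 check …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 2
```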