From: Haleema Khan Date: Thu, 22 Dec 2022 09:01:45 +0000 (+0500) Subject: rfb: test rfb frames X-Git-Tag: suricata-6.0.13~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f628272f1e81ea7b75016659f69b1268449df6d;p=thirdparty%2Fsuricata-verify.git rfb: test rfb frames
---
diff --git a/tests/rfb-frames/README.md b/tests/rfb-frames/README.md
new file mode 100644
index 000000000..7b16d0946
--- /dev/null
+++ b/tests/rfb-frames/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test rfb Pdu frames.
+
+PCAP
+====
+PCAP comes from the suricata verify test[rfb-protocol-3.8]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5717
\ No newline at end of file
diff --git a/tests/rfb-frames/test.rules b/tests/rfb-frames/test.rules
new file mode 100644
index 000000000..97396104f
--- /dev/null
+++ b/tests/rfb-frames/test.rules
@@ -0,0 +1,5 @@
+alert rfb any any -> any any (msg:"RFB Frame 1"; flow:to_client; frame:pdu; content:"|01 02|"; startswith; sid:1;)
+alert rfb any any -> any any (msg:"RFB Frame 2"; flow:to_server; frame:pdu; content:"|7A 6F 36|"; offset:2; sid:2;)
+alert rfb any any -> any any (msg:"RFB Frame 3"; frame:pdu; content:"|30 30 38 0A|"; endswith; sid:3;)
+alert rfb any any -> any any (msg:"RFB Frame 4"; frame:pdu; content:"|17 0C E2|"; sid:4;)
+alert rfb any any -> any any (msg:"RFB Frame 5"; frame:pdu; content:"|00 00 54 46|"; sid:5;)
\ No newline at end of file
diff --git a/tests/rfb-frames/test.yaml b/tests/rfb-frames/test.yaml
new file mode 100644
index 000000000..81e7aa773
--- /dev/null
+++ b/tests/rfb-frames/test.yaml
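Review bot: The rules file gives no hint that sid:4 and sid:5 are negative cases, which a reader only discovers from the `count: 0` entries in test.yaml; a `#` comment at the top of the file would make the intent explicit, e.g. `# sid:1-3 must alert on complete pdu frames; sid:4 and sid:5 must NOT alert (their bytes are presumably not contained within a single pdu frame)`. The bracketed reason is my reading of the test rather than something the hunk states, so confirm it against the pcap before committing to the wording. The README hunk has the same gap, saying only "Test rfb Pdu frames." without naming what each signature checks. Each rule also lacks `rev:1;`; it is not required, but if the other tests in the repository carry it, keeping it here avoids an inconsistency.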
@@ -0,0 +1,32 @@
+pcap: ../rfb-protocol-3.8/04-vnc-openwall-3.8.pcap
+
+requires:
+ min-version: 7
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ frame.type: "pdu"
+ frame.direction: toclient
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ frame.type: "pdu"
+ frame.direction: toserver
+ frame.complete: true
+- filter:
+ count: 2
+ match:
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 4
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 5
\ No newline at end of file
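Review bot: The filter for sid 3 asserts only `alert.signature_id: 3` with `count: 2`, so unlike the sid 1 and sid 2 filters it does not pin that both hits came from a complete pdu frame; adding `frame.type: "pdu"` and `frame.complete: true` under its `match:` would make the three positive checks consistent and catch a regression where the alert fires on something other than a frame. The `count: 0` checks for sids 4 and 5 are satisfied trivially whenever no alert is produced at all, so they only carry meaning alongside the positive checks above them; a comment such as `# sids 4 and 5 are deliberate negative cases: their content must not match within one pdu frame` would record that they are intentional rather than leftovers. `min-version: 7` looks right, since the frame keyword used by test.rules is a 7.x feature.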