From: Jason Ish
Date: Tue, 4 Aug 2020 22:29:34 +0000 (-0600)
Subject: rdp-protocol: test rdp metadata in alert
X-Git-Tag: suricata-6.0.4~252
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=745b64d31c21743af37da51680de9b3141272202;p=thirdparty%2Fsuricata-verify.git

rdp-protocol: test rdp metadata in alert
---
diff --git a/tests/rdp-protocol/suricata.yaml b/tests/rdp-protocol/suricata.yaml
index 0bfabbc4b..7b5a5edd4 100644
--- a/tests/rdp-protocol/suricata.yaml
+++ b/tests/rdp-protocol/suricata.yaml
@@ -7,6 +7,7 @@ outputs:
 filetype: regular
 filename: eve.json
 types:
+ - alert
 - rdp
 - flow
diff --git a/tests/rdp-protocol/test.rules b/tests/rdp-protocol/test.rules
new file mode 100644
index 000000000..aaa2752c3
--- /dev/null
+++ b/tests/rdp-protocol/test.rules
@@ -0,0 +1 @@
+alert rdp any any -> any any (msg:"TEST RDP RULE"; sid:1; rev:1;)
diff --git a/tests/rdp-protocol/test.yaml b/tests/rdp-protocol/test.yaml
index 031f6ce7e..774388664 100644
--- a/tests/rdp-protocol/test.yaml
+++ b/tests/rdp-protocol/test.yaml
@@ -35,3 +35,11 @@ checks:
 rdp.channels[0]: "rdpdr"
 rdp.channels[1]: "cliprdr"
 rdp.channels[2]: "rdpsnd"
+ - filter:
+ count: 1
+ match:
+ event_type: "alert"
+ pcap_cnt: 5
+ rdp.tx_id: 0
+ rdp.event_type: "initial_request"
+ rdp.cookie: "A70067"
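Review bot: The `- alert` entry added to the eve `types:` list in suricata.yaml carries no options, so whether rdp fields are attached to alert records depends on the alert output's default for including app-layer metadata. Since that inclusion is exactly what this test is meant to verify, it would be more robust to state it in the fixture rather than rely on the default, e.g. `- alert:` with `metadata: yes` beneath it. This is a hardening of the test fixture only; the change works as written as long as the default stays enabled.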
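Review bot: The new filter appended to `checks:` in test.yaml pins the alert to `pcap_cnt: 5` and `rdp.tx_id: 0` but never names the rule that produced it, so any alert carrying rdp metadata on that packet would satisfy `count: 1`. Adding `alert.signature_id: 1` under `match:` ties the expectation to the TEST RDP RULE introduced in test.rules and makes the check self-describing. The `rdp.event_type` and `rdp.cookie` fields are the substance of the commit and read correctly as the assertion that app-layer metadata reaches the alert record.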