From: Alice Akaki
Date: Mon, 31 Oct 2022 23:52:05 +0000 (-0400)
Subject: detect-icmp-id: add tests
X-Git-Tag: suricata-6.0.13~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76bde9ebc0a2c334c2832ca31e76f74ba2d806a4;p=thirdparty%2Fsuricata-verify.git

detect-icmp-id: add tests

Task: #5622
---
diff --git a/tests/detect-icmp-id-01/README.md b/tests/detect-icmp-id-01/README.md
new file mode 100644
index 000000000..1d3e78c60
--- /dev/null
+++ b/tests/detect-icmp-id-01/README.md
@@ -0,0 +1,3 @@
+Test for checking the working of icmp_id keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.
+
+PCAP created with scapy.
diff --git a/tests/detect-icmp-id-01/input.pcap b/tests/detect-icmp-id-01/input.pcap
new file mode 100644
index 000000000..40bfa7864
Binary files /dev/null and b/tests/detect-icmp-id-01/input.pcap differ
diff --git a/tests/detect-icmp-id-01/test.rules b/tests/detect-icmp-id-01/test.rules
new file mode 100644
index 000000000..1076588fd
--- /dev/null
+++ b/tests/detect-icmp-id-01/test.rules
@@ -0,0 +1,2 @@
+alert icmp any any -> any any (icmp_id:21781; sid:1;)
+alert icmp any any -> any any (icmp_id:21782; sid:2;)
diff --git a/tests/detect-icmp-id-01/test.yaml b/tests/detect-icmp-id-01/test.yaml
new file mode 100644
index 000000000..f5402c759
--- /dev/null
+++ b/tests/detect-icmp-id-01/test.yaml
@@ -0,0 +1,22 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
diff --git a/tests/detect-icmp-id-02/README.md b/tests/detect-icmp-id-02/README.md
new file mode 100644
index 000000000..3e0696c2e
--- /dev/null
+++ b/tests/detect-icmp-id-02/README.md
@@ -0,0 +1,3 @@
+Test for checking the working of icmp_id keyword by creating 1 rule and matching a crafted packet against them. The packet is an ICMP packet with no "id" field, therefore the rule should not trigger.
+
+PCAP created with scapy.
diff --git a/tests/detect-icmp-id-02/input.pcap b/tests/detect-icmp-id-02/input.pcap
new file mode 100644
index 000000000..e30c4aa11
Binary files /dev/null and b/tests/detect-icmp-id-02/input.pcap differ
diff --git a/tests/detect-icmp-id-02/test.rules b/tests/detect-icmp-id-02/test.rules
new file mode 100644
index 000000000..d9b81b133
--- /dev/null
+++ b/tests/detect-icmp-id-02/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> any any (icmp_id:0; sid:1;)
diff --git a/tests/detect-icmp-id-02/test.yaml b/tests/detect-icmp-id-02/test.yaml
new file mode 100644
index 000000000..ca72f784c
--- /dev/null
+++ b/tests/detect-icmp-id-02/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
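Review bot: The first check in tests/detect-icmp-id-02/test.yaml expects `count: 1` for `event_type: alert`, while the README added for the same test says the packet carries no id field and therefore the rule should not trigger, so the two files contradict each other. If the README describes the intended behaviour, the check should read `count: 0`; if the test is instead meant to pin the current behaviour of `icmp_id:0` on an id-less packet, the README should say that, otherwise the next maintainer cannot tell which side is the bug. The alert filter also omits `alert.signature_id: 1`, which tests/detect-icmp-id-01/test.yaml includes in both of its alert checks; adding it keeps the two tests consistent and makes the match specific to the rule under test.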