From: Jason Ish Date: Fri, 20 Mar 2020 22:25:07 +0000 (-0600) Subject: file-data-depth-inspection: break into 2 tests X-Git-Tag: suricata-6.0.4~330 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7949f938cd767964dc0bd02b29de1bb2f7b749a8;p=thirdparty%2Fsuricata-verify.git file-data-depth-inspection: break into 2 tests As the alert one doesn't work with 4.1.
---
diff --git a/tests/file-data-depth-inspection-alert/file-data-depth-inpsection.pcap b/tests/file-data-depth-inspection-alert/file-data-depth-inpsection.pcap
new file mode 100644
index 000000000..ae8ab5b42
Binary files /dev/null and b/tests/file-data-depth-inspection-alert/file-data-depth-inpsection.pcap differ
diff --git a/tests/file-data-depth-inspection-alert/test.rules b/tests/file-data-depth-inspection-alert/test.rules
new file mode 100644
index 000000000..5e2c1674c
--- /dev/null
+++ b/tests/file-data-depth-inspection-alert/test.rules
@@ -0,0 +1,4 @@
+# should match:
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)
+# should match:
+alert tcp any any -> any any (msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; sid:13371338; rev:1;)
diff --git a/tests/file-data-depth-inspection-alert/test.yaml b/tests/file-data-depth-inspection-alert/test.yaml
new file mode 100644
index 000000000..ad4f17fd8
--- /dev/null
+++ b/tests/file-data-depth-inspection-alert/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 13371339
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 13371338
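Review bot: The two `# should match:` comments in the new test.rules give no hint why sid 13371338 needed a test of its own, which the commit message attributes to it not alerting on 4.1; a reader of this directory will not see the commit message. Suggest `# should match (only on 5.0+, see min-version in test.yaml):` above the `Volume Serial Number` rule. It would also help to carry the expected counts from test.yaml into the comments (`# should match twice:` for sid 13371339, `# should match once:` for sid 13371338) so the rules and the checks can be read together.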
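Review bot: The first check in the new test.yaml (count: 2 on sid 13371339) duplicates what the original file-data-depth-inspection test still asserts after this commit, on what is presumably a copy of the same capture, so only the 13371338 check is specific to this 5.0-only test. Dropping the 13371339 rule and check here would keep the two tests disjoint, so that a regression in the file_data depth case fails exactly one test. A one-line comment above `min-version: 5.0.0`, e.g. `# sid 13371338 does not alert on 4.1`, would record why the split exists. The copied capture also carries the existing `inpsection` misspelling of the file name into the new directory.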
diff --git a/tests/file-data-depth-inspection/test.rules b/tests/file-data-depth-inspection/test.rules
index 5e2c1674c..d71730033 100644
--- a/tests/file-data-depth-inspection/test.rules
+++ b/tests/file-data-depth-inspection/test.rules
@@ -1,4 +1 @@
-# should match:
 alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)
-# should match:
-alert tcp any any -> any any (msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; sid:13371338; rev:1;)
diff --git a/tests/file-data-depth-inspection/test.yaml b/tests/file-data-depth-inspection/test.yaml
index 93702a23b..46db7af4c 100644
--- a/tests/file-data-depth-inspection/test.yaml
+++ b/tests/file-data-depth-inspection/test.yaml
@@ -8,8 +8,3 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 13371339
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 13371338