From: Haleema Khan
Date: Tue, 14 Feb 2023 13:27:10 +0000 (+0500)
Subject: file: Add tests for file_data prefilter keyword
X-Git-Tag: suricata-6.0.12~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b0c4d17b243aba6a11c3a9ba9cbd93c528b8612;p=thirdparty%2Fsuricata-verify.git

file: Add tests for file_data prefilter keyword

Tests the `prefilter` keyword for `file_data` and `file.data`

Ticket #5801
---

diff --git a/tests/file-data-prefilter/README.md b/tests/file-data-prefilter/README.md
new file mode 100644
index 000000000..74ab4309d
--- /dev/null
+++ b/tests/file-data-prefilter/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Tests the `prefilter` keyword for `file_data` and `file.data`.
+
+PCAP
+====
+PCAP comes from an [existing file-data test](https://github.com/OISF/suricata-verify/blob/master/tests/file-data-depth-inspection/file-data-depth-inpsection.pcap)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5801
\ No newline at end of file
diff --git a/tests/file-data-prefilter/test.rules b/tests/file-data-prefilter/test.rules
new file mode 100644
index 000000000..066714609
--- /dev/null
+++ b/tests/file-data-prefilter/test.rules
@@ -0,0 +1,4 @@
+# test prefilter keyword for file_data
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; prefilter; within:64; sid:1; rev:1;)
+# test prefilter keyword for file.data
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file.data; content:".pdf.exe"; prefilter; within:64; sid:2; rev:1;)
\ No newline at end of file
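Review bot: Both signatures carry the identical `msg:"VIRUS INBOUND bad file attachment"`, so when one of the two count checks fails the alert text in eve.json does not say whether the `file_data` or the `file.data` variant regressed; `msg:"file_data prefilter test";` on sid 1 and `msg:"file.data prefilter test";` on sid 2 make a failure self-describing at no cost. The test also has no baseline: both rules use `prefilter`, so it cannot show that adding `prefilter` leaves the match result unchanged relative to the same content without it, which is what a regression of the kind tracked in #5801 would most likely break. A third rule identical to sid 1 but without the keyword, `... file_data; content:".pdf.exe"; within:64; sid:3; rev:1;`, expected to alert the same number of times, would catch the case where the keyword silently drops matches instead of failing to load. As far as I recall the docs treat `prefilter` on a `content` as equivalent to `fast_pattern`; if that equivalence is the thing under test, the rule comments could state it instead of the generic `# test prefilter keyword for file_data`.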
diff --git a/tests/file-data-prefilter/test.yaml b/tests/file-data-prefilter/test.yaml
new file mode 100644
index 000000000..54c081ced
--- /dev/null
+++ b/tests/file-data-prefilter/test.yaml
@@ -0,0 +1,13 @@
+pcap: ../file-data-depth-inspection/file-data-depth-inpsection.pcap
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 2
\ No newline at end of file
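Review bot: The two checks assert only that each sid alerts twice, so a regression where the `prefilter` variant fires on a different packet or transaction than intended would still yield two alerts and pass; pinning the alerting packets with `pcap_cnt:` (or `tx_id:`) inside each `match:` block, once the values are read off a known-good run, turns this into a genuine equivalence test. There is no `requires:` block either, and the tag suggests this lands on a 6.0.x backport branch, so running the suite against a release that predates the #5801 fix will fail this test for the expected reason rather than skip it; a `requires:` block with `min-version:` set to the first release carrying the fix is how suricata-verify normally handles that. Whether `prefilter` was actually honored, as opposed to being ignored with an ordinary fast pattern chosen instead, is not observable from alert counts at all; if the project's rule-analysis output exposes the selected prefilter engine, a companion `--engine-analysis` check would close that gap.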