From: Jason
Date: Mon, 18 Oct 2021 21:44:22 +0000 (-0400)
Subject: tls-fingerprint: test sticky buffer variant
X-Git-Tag: suricata-6.0.4~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8983dff66b051fdf25c299494cc56f79566c285e;p=thirdparty%2Fsuricata-verify.git

tls-fingerprint: test sticky buffer variant

Add another rule and filter to test the sticky buffer variant of a tls fingerprint match. Also shows that the 2 are more or less equivalent.
---
diff --git a/tests/tls-fingerprint-alert/test.rules b/tests/tls-fingerprint-alert/test.rules
index f796ecfd1..2c337901a 100644
--- a/tests/tls-fingerprint-alert/test.rules
+++ b/tests/tls-fingerprint-alert/test.rules
@@ -1,5 +1,10 @@
 # Rule should only fire in the to client direction, with the server address
 # being the source address in the event.
 alert tls any any -> any any (msg:"TLS FINGERPRINT TEST"; \
-tls.fingerprint:"90:86:a4:3b:f5:cf:1b:2e:4e:f7:97:96:f9:de:ba:b9:66:35:86:3f"; \
-sid:1; rev:1;)
+ tls.fingerprint:"90:86:a4:3b:f5:cf:1b:2e:4e:f7:97:96:f9:de:ba:b9:66:35:86:3f"; \
+ sid:1; rev:1;)
+
+# Equivalent rule by using a sticky buffer.
+alert tls any any -> any any (msg:"TLS FINGERPRINT STICKY BUFFER TEST"; \
+ tls.cert_fingerprint; content:"90:86:a4:3b:f5:cf:1b:2e:4e:f7:97:96:f9:de:ba:b9:66:35:86:3f"; \
+ sid:2; rev:1;)
diff --git a/tests/tls-fingerprint-alert/test.yaml b/tests/tls-fingerprint-alert/test.yaml
index d8119d83e..56db381fa 100644
--- a/tests/tls-fingerprint-alert/test.yaml
+++ b/tests/tls-fingerprint-alert/test.yaml
@@ -7,3 +7,9 @@ checks:
 count: 1
 match:
 event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
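Review bot: The sticky-buffer rule for sid:2 is a substring match, not an equality match, so it is only "more or less" equivalent to the tls.fingerprint keyword as the commit message says: `content:` on `tls.cert_fingerprint` will also hit any buffer that merely contains the given string. For a SHA1 fingerprint in colon-separated hex the buffer is exactly 59 characters, so pinning the length makes the two rules genuinely equivalent and makes the test stronger: `tls.cert_fingerprint; bsize:59; content:"90:86:a4:3b:f5:cf:1b:2e:4e:f7:97:96:f9:de:ba:b9:66:35:86:3f"; \`. It would also help to say in the "# Equivalent rule" comment what the equivalence relies on, for example `# Equivalent rule using the tls.cert_fingerprint sticky buffer; bsize pins the full SHA1 so this is an exact match.`. Whether the two keywords agree on case-sensitivity of the hex digits is not visible here and could be noted in the same comment if it has been confirmed.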
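Review bot: The two added filters only assert one alert per signature_id, while the comment in test.rules promises the stronger property that the alert fires to-client with the server address as source; nothing in the checks verifies that direction for either rule. If the pcap's server address is known, adding it to each `match:` block (for example a `src_ip:` entry alongside `alert.signature_id`) would actually test the documented behaviour and would catch a regression where the sticky-buffer variant fires on the wrong side of the flow. The `checks:` list starts above this hunk, so the filter for sid:1 begins outside the visible lines.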