From: Shivani Bhardwaj
Date: Sat, 4 Apr 2020 19:31:32 +0000 (+0530)
Subject: Add tests for flowbit oring
X-Git-Tag: suricata-6.0.4~310
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ef94e29f423fdbd4230639a2dfdfe87a26fc6e1;p=thirdparty%2Fsuricata-verify.git
Add tests for flowbit oring
---
diff --git a/tests/flowbit-oring/input.pcap b/tests/flowbit-oring/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/flowbit-oring/input.pcap differ
diff --git a/tests/flowbit-oring/test.rules b/tests/flowbit-oring/test.rules
new file mode 100644
index 000000000..ef15113f1
--- /dev/null
+++ b/tests/flowbit-oring/test.rules
@@ -0,0 +1,5 @@
+alert http any any -> any any (msg:"Setting flowbit fb1";content:"testmyids.com";http_header;flowbits:set,fb1;noalert;sid:1;rev:1;)
+alert http any any -> any any (msg:"Setting flowbit fb2";content:"something";flowbits:set,fb2;sid:2;rev:1;)
+alert http any any -> any any (msg:"Setting flowbit fb3";content:"wwnotginh";flowbits:set,fb3;sid:3;rev:1;)
+alert http any any -> any any (msg:"Testing flowbits OR isset";http.stat_code;content:"200";flowbits:isset,fb4|fb2|fb1;sid:4;rev:1;)
+alert http any any -> any any (msg:"Testing flowbits OR isset";http.stat_code;content:"200";flowbits:isset,fb2|fb3|fb4;sid:5;rev:1;)
diff --git a/tests/flowbit-oring/test.yaml b/tests/flowbit-oring/test.yaml
new file mode 100644
index 000000000..ddb3a7b9a
--- /dev/null
+++ b/tests/flowbit-oring/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 6.0.0
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
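Review bot: Nothing in test.rules records which flowbits are expected to be set for input.pcap, and sid 4 and sid 5 share the same msg, so the positive and the negative OR case cannot be told apart in the alert output. Presumably only sid 1 matches the capture (fb1 set) while the contents of sid 2 and sid 3 are deliberately absent and fb4 is never set by any rule; a leading comment such as `# expected for input.pcap: fb1 set by sid 1; fb2, fb3 unset; fb4 has no setter` would make that intent checkable. Distinct messages, e.g. `msg:"flowbits OR isset, one bit set"` for sid 4 and `msg:"flowbits OR isset, no bit set"` for sid 5, would help when triaging a failure. As a style point, sid 1 uses the legacy `http_header` content modifier while sids 4 and 5 use the `http.stat_code` sticky buffer; using one form throughout would keep the file consistent.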
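Review bot: The checks in test.yaml assert only the positive case (one alert for signature_id 4). Nothing asserts that sid 5, whose `isset,fb2|fb3|fb4` list presumably contains no set bit for this capture, stays silent. A regression that makes an OR'd isset match when none of the listed bits is set would therefore pass this test, and that is the false-positive direction that matters for a detection engine. A second filter with `count: 0` for signature_id 5 would close this gap. Filters for sids 2 and 3 could be added the same way if they are indeed not expected to match input.pcap.

```yaml
checks:
# … unchanged: filter expecting one alert for signature_id 4 …
- filter:
    count: 0
    match:
      event_type: alert
      alert.signature_id: 5
```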