From: Philippe Antoine
Date: Fri, 23 Sep 2022 09:31:52 +0000 (+0200)
Subject: Adds check about flow.age keyword
X-Git-Tag: suricata-6.0.9~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=90341aeeea7eaaa9dd53dd4a3ef0ccbf92e83989;p=thirdparty%2Fsuricata-verify.git

Adds check about flow.age keyword
---

diff --git a/tests/decode-teredo-01/test.rules b/tests/decode-teredo-01/test.rules
new file mode 100644
index 000000000..a5b0b7d87
--- /dev/null
+++ b/tests/decode-teredo-01/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"Flow longer than 20 seconds"; flow.age:>20; flowbits: isnotset, longflow; flowbits: set, longflow; sid:3;)
diff --git a/tests/decode-teredo-01/test.yaml b/tests/decode-teredo-01/test.yaml
index daafa85a3..fa107662a 100644
--- a/tests/decode-teredo-01/test.yaml
+++ b/tests/decode-teredo-01/test.yaml
@@ -371,7 +371,7 @@ checks:
 dest_port: 1576
 event_type: flow
 flow.age: 27
- flow.alerted: false
+ flow.alerted: true
 flow.bytes_toclient: 108
 flow.bytes_toserver: 108
 flow.pkts_toclient: 2
@@ -410,7 +410,7 @@ checks:
 dest_port: 138
 event_type: flow
 flow.age: 29
- flow.alerted: false
+ flow.alerted: true
 flow.bytes_toclient: 0
 flow.bytes_toserver: 500
 flow.pkts_toclient: 0
@@ -461,7 +461,7 @@ checks:
 dest_port: 1577
 event_type: flow
 flow.age: 24
- flow.alerted: false
+ flow.alerted: true
 flow.bytes_toclient: 108
 flow.bytes_toserver: 162
 flow.pkts_toclient: 2
@@ -562,3 +562,8 @@ checks:
 tcp.tcp_flags: 1b
 tcp.tcp_flags_tc: 1b
 tcp.tcp_flags_ts: 1b
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 3
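Review bot: The new rule in test.rules carries no comment explaining why `flow.age:>20` is paired with the `flowbits: isnotset, longflow; flowbits: set, longflow` guard, so a reader who later adjusts the expected `count: 3` in test.yaml has to reverse-engineer that the guard limits sid 3 to one alert per flow. A leading rules-file comment would make the fixture self-explaining, e.g. `# flow.age keyword check: 'alert ip' matches every packet, so the flowbits guard` followed by `# restricts sid 3 to a single alert per flow once the flow is older than 20 s.` The threshold 20 and the three expected alerts are linked only through the flow.age values 27, 29 and 24 visible in the test.yaml hunks, so naming that link in the comment would also help.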
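Review bot: The added filter pins only the total number of sid 3 alerts, not which flows produced them, so a regression that fired on a different set of flows while still totalling three would pass; the `flow.alerted: true` flips earlier in this file identify the flows but not the signature. If the suite's match syntax allows it, one filter per expected flow matching `event_type: alert`, `alert.signature_id: 3` and that flow's `flow_id` (taken from the existing eve output, e.g. `flow_id: <FLOW_ID>`) would tie the alerts to the three flows with flow.age 27, 29 and 24. The `checks:` list this hunk appends to starts outside the hunk.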