From: Andreas Herz
Date: Wed, 21 Aug 2019 20:04:20 +0000 (+0200)
Subject: tests: add test case for file_data depth inspection
X-Git-Tag: suricata-6.0.4~386
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=954e1fda6131dfecc47bde87cf50757d0cb2a651;p=thirdparty%2Fsuricata-verify.git

tests: add test case for file_data depth inspection
---

diff --git a/tests/file-data-depth-inspection/file-data-depth-inpsection.pcap b/tests/file-data-depth-inspection/file-data-depth-inpsection.pcap
new file mode 100644
index 000000000..ae8ab5b42
Binary files /dev/null and b/tests/file-data-depth-inspection/file-data-depth-inpsection.pcap differ
diff --git a/tests/file-data-depth-inspection/test.rules b/tests/file-data-depth-inspection/test.rules
new file mode 100644
index 000000000..d71730033
--- /dev/null
+++ b/tests/file-data-depth-inspection/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; within:64; sid:13371339; rev:1;)
diff --git a/tests/file-data-depth-inspection/test.yaml b/tests/file-data-depth-inspection/test.yaml
new file mode 100644
index 000000000..46db7af4c
--- /dev/null
+++ b/tests/file-data-depth-inspection/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 13371339
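Review bot: The rule in test.rules has no comment stating what it exercises, and the detail that matters — `within:64` placed immediately after the `file_data` buffer switch, with no preceding content in that buffer — reads like a stray modifier rather than the depth-style bound the test name refers to. A line above the rule such as `# within:64 directly after file_data is expected to restrict the .pdf.exe match to the first 64 bytes of the file_data buffer; this is the behaviour under test` would make a future failure judgeable against intent (the "expected" wording is deliberate, since the semantics are what the test checks). As a point of style, `msg:"VIRUS INBOUND bad file attachment"` reads like a production detection; a fixture message such as `msg:"TEST file_data depth inspection"` avoids the alert being mistaken for a real hit when the verify suite's logs are shared. The raw `content` matches before `file_data` apply to the TCP payload under `alert tcp ... 25`; if the capture is SMTP, `alert smtp` would state the protocol explicitly, but that changes what is covered, so it should only be done if intended.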
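Review bot: `count: 2` in the filter asserts a specific number of alerts for sid 13371339 without saying why two is the right answer, so a regression to 1 or 3 cannot be diagnosed from the test alone. A comment above the filter, adjusted to what the capture actually holds (not visible here), e.g. `# only the messages whose .pdf.exe name falls inside the first 64 bytes of file_data should alert; any occurrence beyond that window must not`, would also record the negative expectation, which a count-only check cannot express otherwise. Separately, the capture added alongside this file is named `file-data-depth-inpsection.pcap` inside `file-data-depth-inspection/` — presumably a typo in "inspection" that is cheaper to fix now than after other tests copy the pattern.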