From: Eric Leblond
Date: Wed, 19 Oct 2022 14:07:00 +0000 (+0200)
Subject: tests: filestore alert event
X-Git-Tag: suricata-6.0.14~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f0a82de77ed36286e7ddd228267809cea469c4b;p=thirdparty%2Fsuricata-verify.git

tests: filestore alert event
---
diff --git a/tests/filestore-alert-log/README.md b/tests/filestore-alert-log/README.md
new file mode 100644
index 000000000..7b7d4bb7f
--- /dev/null
+++ b/tests/filestore-alert-log/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test alert event with filestore
+
+# PCAP
+
+The pcap comes from test filestore-filecontainer-http
diff --git a/tests/filestore-alert-log/suricata.yaml b/tests/filestore-alert-log/suricata.yaml
new file mode 100644
index 000000000..66ab441dd
--- /dev/null
+++ b/tests/filestore-alert-log/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - stats
+ - alert
+ - file-store:
+ version: 2
+ enabled: yes
+ stream-depth: 0
+ write-fileinfo: true
diff --git a/tests/filestore-alert-log/test.rules b/tests/filestore-alert-log/test.rules
new file mode 100644
index 000000000..c60c01bde
--- /dev/null
+++ b/tests/filestore-alert-log/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"store png images"; filemagic:"PNG image data"; filestore; sid:13371338; rev:1;)
diff --git a/tests/filestore-alert-log/test.yaml b/tests/filestore-alert-log/test.yaml
new file mode 100644
index 000000000..16143c2a3
--- /dev/null
+++ b/tests/filestore-alert-log/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../filestore-filecontainer-http/filecontainer-http.pcap
+
+requires:
+ features:
+ - MAGIC
+ files:
+ - src/output-filestore.c
+
+checks:
+
+ - shell:
+ args: test -e filestore/e0/e092858d5bd66ab33085a966ee4ac0bf0edf6eab8d8b1e66432ee600e904bb4f
+
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: alert
+ files[0].storing: true
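Review bot: The `filter` check in test.yaml accepts any alert whose first file entry carries `storing: true` and never ties the event to the rule in test.rules; adding `alert.signature_id: 13371338` under `match:` pins `count: 1` to that sid so an unrelated alert could not satisfy the check. The `shell` check only asserts that the sha256-named path exists (`test -e`); since file-store v2 names the file after its content hash, `test -s` (non-empty), or recomputing the sha256 of the stored file and comparing it with the path component, would also catch a truncated or empty store. Because the filter carries `min-version: 7` while this commit is tagged for a 6.0.x verify run, only the existence check executes on that branch and the alert event the test is named for is not verified there; the README would benefit from a sentence saying so.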