From: Juliana Fajardini
Date: Wed, 19 Jan 2022 18:46:17 +0000 (+0000)
Subject: tests: add test for packet_alert_max more than 15
X-Git-Tag: suricata-6.0.8~51
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a434f48db23b46f4c0ce2bc116f7d858a3d28740;p=thirdparty%2Fsuricata-verify.git
tests: add test for packet_alert_max more than 15
Task#4207
---
diff --git a/tests/alert-max/alert-max-20/input.pcap b/tests/alert-max/alert-max-20/input.pcap
new file mode 100644
index 000000000..baa322b8c
Binary files /dev/null and b/tests/alert-max/alert-max-20/input.pcap differ
diff --git a/tests/alert-max/alert-max-20/suricata.yaml b/tests/alert-max/alert-max-20/suricata.yaml
new file mode 100644
index 000000000..8e52a1cc8
--- /dev/null
+++ b/tests/alert-max/alert-max-20/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+packet-alert-max: 20
diff --git a/tests/alert-max/alert-max-20/test.rules b/tests/alert-max/alert-max-20/test.rules
new file mode 100644
index 000000000..51c7dfa3b
--- /dev/null
+++ b/tests/alert-max/alert-max-20/test.rules
@@ -0,0 +1,20 @@
+alert tcp any any -> any any (msg:"Noalert rule 1"; noalert; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 2"; noalert; sid:2; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 3"; noalert; sid:3; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 4"; noalert; sid:4; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 5"; noalert; sid:5; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 6"; noalert; sid:6; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 7"; noalert; sid:7; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 8"; noalert; sid:8; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 9"; noalert; sid:9; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 10"; noalert; sid:10; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 11"; noalert; sid:11; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 12"; noalert; sid:12; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 13"; noalert; sid:13; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 14"; noalert; sid:14; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 15"; noalert; sid:15; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 16"; noalert; sid:16; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 17"; noalert; sid:17; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 18"; noalert; sid:18; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 19"; noalert; sid:19; rev:1;)
+alert tcp any any -> any any (msg:"Alert rule"; sid:20; rev:1;)
diff --git a/tests/alert-max/alert-max-20/test.yaml b/tests/alert-max/alert-max-20/test.yaml
new file mode 100644
index 000000000..cd8540ce2
--- /dev/null
+++ b/tests/alert-max/alert-max-20/test.yaml
@@ -0,0 +1,8 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
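Review bot: The rules file has no comment explaining why sids 1-19 carry `noalert` and only sid 20 is a plain alert, which is the entire premise of the alert-max-20 test and is otherwise only discoverable by reading suricata.yaml next to it. A header line such as `# sids 1-19 match but are noalert; sid 20 must still alert with packet-alert-max: 20 (default cap is 15)` would make the intent readable in place. This presumes, as the commit title suggests, that noalert matches still consume a slot in the per-packet alert limit; if they do not, the comment should instead say what the 19 extra rules exercise.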
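Review bot: The check in test.yaml asserts only that exactly one alert event exists, not that it came from the rule beyond the old limit of 15, so a regression that emitted one alert from some other rule would still pass. Adding `alert.signature_id: 20` under `match:` beside `event_type: alert` pins the test to sid 20. Since the nineteen preceding rules are all `noalert`, sid 20 is the only rule expected to produce an alert event, so the stricter match should leave the expected count of 1 unchanged.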
diff --git a/tests/alert-max/alert-max-20/writepcap.py b/tests/alert-max/alert-max-20/writepcap.py
new file mode 100755
index 000000000..df22b22a8
--- /dev/null
+++ b/tests/alert-max/alert-max-20/writepcap.py
@@ -0,0 +1,7 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = list()
+pkts.append(IP()/TCP())
+
+wrpcap('input.pcap', pkts)
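Review bot: `pkts = list()` followed by a single `pkts.append(IP()/TCP())` is more verbose than the one-packet list the script needs; `pkts = [IP()/TCP()]` says the same thing, and `from scapy.all import IP, TCP, wrpcap` names the three symbols actually used instead of the star import. The shebang `#!/usr/bin/env python` may resolve to Python 2 on older hosts; `#!/usr/bin/env python3` is safer if, as seems likely, the rest of the harness runs under Python 3. A short module comment noting that this script only regenerates the committed `input.pcap` fixture and is not executed by the test itself would also help the next reader.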