From: Haleema Khan Date: Fri, 27 Jan 2023 01:36:32 +0000 (+0500) Subject: ttl: add tests for prefilter keyword X-Git-Tag: suricata-6.0.10~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a48878d671284cb0d65be69f138a3b17a0fcd135;p=thirdparty%2Fsuricata-verify.git ttl: add tests for prefilter keyword Ticket #5800 --- diff --git a/tests/detect-ttl/README.md b/tests/detect-ttl/README.md new file mode 100644 index 000000000..cf11cd747 --- /dev/null +++ b/tests/detect-ttl/README.md @@ -0,0 +1,11 @@ +Description +=========== +Tests the `prefilter` keyword for `ttl` which is used to check for a specific IP time-to-live value in the header of a packet. + +PCAP +==== +PCAP comes from an [existing RFB test](https://github.com/OISF/suricata-verify/blob/master/tests/rfb-protocol-3.8/04-vnc-openwall-3.8.pcap) + +Redmine ticket +============== +https://redmine.openinfosecfoundation.org/issues/5800 \ No newline at end of file diff --git a/tests/detect-ttl/test.rules b/tests/detect-ttl/test.rules new file mode 100644 index 000000000..ab3f82471 --- /dev/null +++ b/tests/detect-ttl/test.rules @@ -0,0 +1 @@ +alert ip any any -> any any (ttl:128; prefilter; sid:1;) \ No newline at end of file diff --git a/tests/detect-ttl/test.yaml b/tests/detect-ttl/test.yaml new file mode 100644 index 000000000..927533959 --- /dev/null +++ b/tests/detect-ttl/test.yaml @@ -0,0 +1,8 @@ +pcap: ../rfb-protocol-3.8/04-vnc-openwall-3.8.pcap + +checks: + - filter: + count: 3866 + match: + event_type: alert + alert.signature_id: 1 \ No newline at end of file
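Review bot: the README hunk for tests/detect-ttl/README.md describes what is tested but not what result is expected or why; alongside the "Tests the `prefilter` keyword for `ttl`" sentence, state that the rule is expected to alert on every packet in the PCAP whose IP TTL is 128 and that this is where the count asserted in test.yaml (3866) comes from, otherwise a future change in that number cannot be judged as correct or as a regression. The PCAP link points at the master branch of the repository rather than a pinned commit, so it can drift from the copy the test actually reads. The file is also missing its trailing newline ("\ No newline at end of file"); add one.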
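Review bot: the single rule in tests/detect-ttl/test.rules, `alert ip any any -> any any (ttl:128; prefilter; sid:1;)`, exercises only the prefilter code path, so a regression in which the `ttl` prefilter engine matched more or fewer packets than the plain `ttl` keyword would still pass as long as the count stayed stable. A control rule without `prefilter` (for example `alert ip any any -> any any (ttl:128; sid:2;)`) would let the test compare the two paths against the same packets. A `msg:` option on each rule would make alert output easier to read when the test fails, and the file needs a trailing newline.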
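Review bot: the only check in tests/detect-ttl/test.yaml is a total count of `alert.signature_id: 1` events (3866), and nothing in the test confirms that the prefilter engine was actually registered for the rule, so the result would be identical if the `prefilter;` option were silently ignored. If a control rule without `prefilter` is present in test.rules, add a second `- filter:` entry with the same `count` for that sid so the prefilter and non-prefilter paths are asserted to agree. The `pcap:` entry reaches into the sibling `rfb-protocol-3.8` test directory, which ties this test to that directory's name and file; that dependency is worth a comment in the yaml, and the file is also missing its trailing newline.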