From: Philippe Antoine
Date: Wed, 1 Jun 2022 12:17:11 +0000 (+0200)
Subject: Adds test about filesize keyword
X-Git-Tag: suricata-5.0.10~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6b85c12ad436cc9c01632f16ab7eae8eda0db4d;p=thirdparty%2Fsuricata-verify.git

Adds test about filesize keyword
---
diff --git a/tests/filesize-keyword/README.md b/tests/filesize-keyword/README.md
new file mode 100644
index 000000000..bef8641d9
--- /dev/null
+++ b/tests/filesize-keyword/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test filesize keyword
+
+# PCAP
+
+The pcap is the same as smb-eicar-file test with the eicar file in it
diff --git a/tests/filesize-keyword/input.pcap b/tests/filesize-keyword/input.pcap
new file mode 100644
index 000000000..e97b433c4
Binary files /dev/null and b/tests/filesize-keyword/input.pcap differ
diff --git a/tests/filesize-keyword/test.rules b/tests/filesize-keyword/test.rules
new file mode 100644
index 000000000..a49560cdf
--- /dev/null
+++ b/tests/filesize-keyword/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (filesize:<70; sid:1234;)
+alert tcp any any -> any any (filesize:>50; sid:1235;)
diff --git a/tests/filesize-keyword/test.yaml b/tests/filesize-keyword/test.yaml
new file mode 100644
index 000000000..ce6258fc7
--- /dev/null
+++ b/tests/filesize-keyword/test.yaml
@@ -0,0 +1,15 @@
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1234
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1235
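Review bot: Both rules in the test.rules hunk are written to match the file carried in the pcap (filesize:<70 and filesize:>50), so the test only exercises the matching side of the keyword and would still pass if the comparison were broken and the rule fired on every file. If the EICAR file in this pcap is the usual 68-byte one, a third rule that must not fire, `alert tcp any any -> any any (filesize:<50; sid:1236;)`, paired with a `count: 0` check on sid 1236 in the test.yaml hunk, would pin the comparison in both directions. The same concern applies to the test.rules hunk; the test.yaml side is sketched below.
```yaml
# … unchanged: args and the existing checks for sid 1234 and 1235 …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 1236
```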