From: jason taylor
Date: Thu, 4 Apr 2019 00:33:52 +0000 (-0400)
Subject: alert: verify test for distance/within keywords
X-Git-Tag: suricata-6.0.4~466
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6fe3e9389df7b570847d3bb0cce2b759d63d38b;p=thirdparty%2Fsuricata-verify.git

alert: verify test for distance/within keywords

* this is based on https://redmine.openinfosecfoundation.org/issues/1

Signed-off-by: jason taylor
---

diff --git a/tests/alert-distance-within-1/input.pcap b/tests/alert-distance-within-1/input.pcap
new file mode 100644
index 000000000..0ecfdfaf6
Binary files /dev/null and b/tests/alert-distance-within-1/input.pcap differ
diff --git a/tests/alert-distance-within-1/suricata.yaml b/tests/alert-distance-within-1/suricata.yaml
new file mode 100644
index 000000000..05c3bb0d5
--- /dev/null
+++ b/tests/alert-distance-within-1/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - http:
diff --git a/tests/alert-distance-within-1/test.rules b/tests/alert-distance-within-1/test.rules
new file mode 100644
index 000000000..63a6902c2
--- /dev/null
+++ b/tests/alert-distance-within-1/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"AllWorkAndNoPlay"; content:"AllWorkAndNoPlayMakesWill"; content:"DullBoy"; distance:1; within:7; sid:2;)
diff --git a/tests/alert-distance-within-1/test.yaml b/tests/alert-distance-within-1/test.yaml
new file mode 100644
index 000000000..7a28eded2
--- /dev/null
+++ b/tests/alert-distance-within-1/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+
+ # Check that we have the following events in eve.json
+ # 2 - alert events
+ # 1 - http event
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ count: 1
+ match:
+ event_type: http
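Review bot: The rule in test.rules carries no comment tying it to the regression it is meant to cover, even though the commit message points at Redmine issue #1; someone reading the rules file on its own cannot tell why `distance:1; within:7;` were chosen or that the test expects this rule to fire. Add a comment line above the rule, e.g. `# Regression test for https://redmine.openinfosecfoundation.org/issues/1: "DullBoy" must be found at least 1 byte after (distance:1) and within 7 bytes of (within:7) the end of the preceding "AllWorkAndNoPlayMakesWill" match`. Stating the expected alert count in that comment as well would let a reader reconcile the rule with the `count: 2` check in test.yaml without opening the pcap.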
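Review bot: The second check in test.yaml (`count: 1` followed by `match: event_type: http`) has no `- filter:` entry of its own, so as the hunk reads it repeats the `count` and `match` keys inside the first filter's mapping; a YAML loader will either reject the duplicate keys or keep only the last pair, in which case the `count: 2` alert check is never evaluated. Indentation was lost in this rendering, so confirm against the file, but the hunk's 16-line count leaves no room for a second `- filter:` line. Insert `  - filter:` immediately before the second `count: 1`. Consider also pinning the alert check to the rule under test by adding `alert.signature_id: 2` under its `match:`, so an unrelated alert could not satisfy the count.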