From: Haleema Khan
Date: Tue, 24 Jan 2023 13:59:31 +0000 (+0500)
Subject: tls: add test for tls.issuerdn keyword
X-Git-Tag: suricata-6.0.12~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8d0d97a414735a2a12a3e170dd6ee3a0c2ec958;p=thirdparty%2Fsuricata-verify.git

tls: add test for tls.issuerdn keyword

Adds tests for `tls.issuerdn` legacy keyword and `tls.cert_issuer` new keyword.

Ticket #5544
---
diff --git a/tests/tls/tls-issuerdn/README b/tests/tls/tls-issuerdn/README
new file mode 100644
index 000000000..8e4f218bb
--- /dev/null
+++ b/tests/tls/tls-issuerdn/README
@@ -0,0 +1,13 @@
+Description
+===========
+Tests the `tls.issuerdn` legacy keyword
+Tests the `tls.cert_issuer` new keyword
+Both represent TLS/SSL certificate IssuerDN field
+
+PCAP
+====
+PCAP comes from an [existing TLS test](https://github.com/OISF/suricata-verify/blob/master/tests/tls/tls-cert-issuer/tls.pcap)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5544
diff --git a/tests/tls/tls-issuerdn/test.yaml b/tests/tls/tls-issuerdn/test.yaml
new file mode 100644
index 000000000..e25eceb44
--- /dev/null
+++ b/tests/tls/tls-issuerdn/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../tls-cert-issuer/tls.pcap
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: tls
+ tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
+
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 2
\ No newline at end of file
diff --git a/tests/tls/tls-issuerdn/tls.rules b/tests/tls/tls-issuerdn/tls.rules
new file mode 100644
index 000000000..dbc8df81f
--- /dev/null
+++ b/tests/tls/tls-issuerdn/tls.rules
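Review bot: The two alert filters in test.yaml count events by `alert.signature_id` alone, so they would also pass if the rules fired on a TLS session whose issuer differs from the one pinned in the first filter; if the alert records in this run carry TLS metadata, adding `tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS` to each alert filter's `match` ties the alert to the expected certificate. A `count: 0` filter for a deliberately non-matching rule would additionally catch a keyword implementation that matches unconditionally, which the current positive-only checks cannot detect. The file also ends without a trailing newline (`\ No newline at end of file`), as does tls.rules.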
@@ -0,0 +1,5 @@
+# tests tls legacy keyword tls.issuerdn
+alert tls any any -> any any (msg:"TLS issuerDN keyword"; tls.issuerdn:"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"; sid:1; rev:1;)
+
+# tests new tls keyword tls.cert_issuer
+alert tls any any -> any any (msg:"TLS cert_issuer keyword"; tls.cert_issuer; content:"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"; sid:2; rev:1;)
\ No newline at end of file
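Review bot: The sid:2 rule uses a bare `content:` on the `tls.cert_issuer` buffer, which is an unanchored substring match, so it would also fire on any issuer DN that merely embeds this string and is therefore not a like-for-like check of the full IssuerDN field; anchoring it with `startswith; endswith;` pins the whole buffer, and the expected count of 4 in test.yaml should presumably be unchanged for this pcap. Both rules exercise only the positive case; a third rule with an issuer absent from the pcap, for instance `alert tls any any -> any any (msg:"TLS cert_issuer no match"; tls.cert_issuer; content:"CN=not-in-pcap"; sid:3; rev:1;)`, paired with a `count: 0` filter in test.yaml would guard against a keyword that matches unconditionally. The file is also missing its trailing newline (`\ No newline at end of file`).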