From: Philippe Antoine
Date: Fri, 26 Jul 2024 12:54:53 +0000 (+0200)
Subject: detect: adds check for decode-event with prefilter
X-Git-Tag: suricata-7.0.7~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd0e2d2e758c4d97d772035e1a3fce54e9135ecb;p=thirdparty%2Fsuricata-verify.git

detect: adds check for decode-event with prefilter

Ticket: 6728
---

diff --git a/tests/decode-too-small/test.rules b/tests/decode-too-small/test.rules
index 399d4cd4d..8cb197256 100644
--- a/tests/decode-too-small/test.rules
+++ b/tests/decode-too-small/test.rules
@@ -1,3 +1,4 @@
 alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
+alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; prefilter; requires: version >= 8; sid:1; rev: 2;)
 alert udp any any -> any any (msg:"UDP packet too small"; decode-event:udp.hlen_too_small; sid:2;)
 alert ip any any -> any any (msg:"GRE packet too small"; decode-event:gre.pkt_too_small; sid:3;)
diff --git a/tests/decode-too-small/test.yaml b/tests/decode-too-small/test.yaml
index ffbcfd880..8f91f91cb 100644
--- a/tests/decode-too-small/test.yaml
+++ b/tests/decode-too-small/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 7
+
 checks:
 # Look for IPv4 TCP too small
 - filter:
@@ -7,6 +10,15 @@ checks:
 src_ip: 1.1.1.1
 alert.signature_id: 1
 
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 1.1.1.1
+ alert.signature_id: 1
+ alert.rev: 2
+
 # Look for IPv6 TCP too small
 - filter:
 count: 1
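Review bot: The added rule reuses sid:1 directly under the existing rev-1 signature, so the file now depends on two things it never states: Suricata's duplicate-sid handling (the higher rev supersedes the lower one) on 8.x, and `requires: version >= 8` skipping the new line on 7.x. A comment above the new rule would stop a future editor from "fixing" the apparent duplicate: `# Same sid as above on purpose: on Suricata 8 rev 2 (prefilter) supersedes rev 1; on 7.x the requires keyword skips it.` Note that `prefilter;` precedes `requires:` in the option list; if a 7.x build rejects prefilter on decode-event before it evaluates requires, the rule would fail to load instead of being skipped, so putting `requires: version >= 8;` first in the options is the safer ordering. The spacing `rev: 2` / `requires: version` is also inconsistent with the `sid:1` style used elsewhere in the file.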
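Review bot: `min-version: 7` is looser than the floor the new rules line actually needs, because the rule-level `requires` keyword that keeps the rev-2 signature off 7.x only exists from 7.0.3 as far as I recall; on 7.0.0–7.0.2 that line would be an unknown-keyword parse error rather than a clean skip. If the runner accepts a patch level, `min-version: 7.0.3` pins the real floor; otherwise a comment on the stanza such as `# needs the 'requires' rule keyword (7.0.3+)` records why 7 is not quite enough. The stanza is new, so no existing requirement is changed.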
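Review bot: The new filter block has no introducing comment, while the neighbouring checks each carry one (`# Look for IPv4 TCP too small`, `# Look for IPv6 TCP too small`), and what it proves — that on Suricata 8 the prefilter variant (sid 1, rev 2) replaced rev 1 and still fires exactly once — is not obvious from the match keys alone. I would add `# Suricata 8 only: the prefilter rule (sid 1, rev 2) must supersede rev 1 and fire once` above the new `- filter:`. Taken together with the unfiltered sid-1 `count: 1` check just above it, the `alert.rev: 2` match does pin that the single sid-1 alert came from the prefilter rule, so no additional negative check on rev 1 appears necessary.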