From: Shivani Bhardwaj Date: Fri, 26 Apr 2024 07:21:23 +0000 (+0530) Subject: tls/random: add tests for bug 6989 X-Git-Tag: suricata-6.0.20~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c213a9ec763ba1958d1b0c7924ddaa5c378da3bb;p=thirdparty%2Fsuricata-verify.git tls/random: add tests for bug 6989
---
diff --git a/tests/tls/tls-random-6989/README.md b/tests/tls/tls-random-6989/README.md
new file mode 100644
index 000000000..c57998a74
--- /dev/null
+++ b/tests/tls/tls-random-6989/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+This test demonstrates that the TLS random buffer should match the correct direction.
+
+## PCAP
+
+Comes from the redmine ticket below.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6989
diff --git a/tests/tls/tls-random-6989/input.pcap b/tests/tls/tls-random-6989/input.pcap
new file mode 100644
index 000000000..037883058
Binary files /dev/null and b/tests/tls/tls-random-6989/input.pcap differ
diff --git a/tests/tls/tls-random-6989/test.rules b/tests/tls/tls-random-6989/test.rules
new file mode 100644
index 000000000..fe419c919
--- /dev/null
+++ b/tests/tls/tls-random-6989/test.rules
@@ -0,0 +1,4 @@
+alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;)
+alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;)
+alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;)
+alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;)
diff --git a/tests/tls/tls-random-6989/test.yaml b/tests/tls/tls-random-6989/test.yaml
new file mode 100644
index 000000000..69bbb23e3
--- /dev/null
+++ b/tests/tls/tls-random-6989/test.yaml
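Review bot: All four rules in test.rules key on `tls.random_time` only, while the commit subject and the README speak of the TLS random buffer in general. If the direction handling behind ticket 6989 is shared with `tls.random` and `tls.random_bytes`, those keywords are left without a regression test here. It would also help to mark the negative controls in the file, e.g. `# sid 2 and sid 3 pair a hello's timestamp with the opposite flow direction and must never alert`, because the msg text alone does not say which rules are expected to stay silent.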
@@ -0,0 +1,17 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ event_type: alert
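Review bot: The checks assert that sid 1 and sid 4 each alert once, but nothing asserts that sid 2 and sid 3 stay silent. A build that matches `tls.random_time` against both directions would therefore still pass this test. Since the README states that the buffer should match the correct direction, the wrong-direction rules need `count: 0` filters next to the positive ones. The two added entries are shown below.

```yaml
# … unchanged: requires, args, and the count: 1 checks for sid 1 and sid 4 …
- filter:
    count: 0
    match:
      alert.signature_id: 2
      event_type: alert
- filter:
    count: 0
    match:
      alert.signature_id: 3
      event_type: alert
```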