From: Daniel Olatunji
Date: Mon, 13 Nov 2023 11:57:31 +0000 (+0000)
Subject: tests: add rule to check for tcp_mss
X-Git-Tag: suricata-6.0.19~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7f038affc3c60343d9569dc53cb89e28759576e;p=thirdparty%2Fsuricata-verify.git
tests: add rule to check for tcp_mss
Related to Issue: #6355
---
diff --git a/tests/rules/tcp-mss/test.rules b/tests/rules/tcp-mss/test.rules
new file mode 100644
index 000000000..075f6c485
--- /dev/null
+++ b/tests/rules/tcp-mss/test.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:50; sid:1;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:>123; sid:2;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:<536; sid:3;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:123-456; sid:4;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:>=439; sid:5;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:<=70; sid:6;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:!1000; sid:7;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:!=953; sid:8;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:!123-456; sid:9;)
+alert tcp any any -> any any (msg:"Testing mss"; tcp.mss:&0xF=4; sid:10;)
diff --git a/tests/rules/tcp-mss/test.yaml b/tests/rules/tcp-mss/test.yaml
new file mode 100644
index 000000000..b1d1b0bff
--- /dev/null
+++ b/tests/rules/tcp-mss/test.yaml
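Review bot: None of the ten rules in test.rules uses an operand at the edge of the keyword's range: the TCP MSS option is a 16-bit field, and the values here stay between 4 and 1000, so truncation or overflow in the integer parsing would go unnoticed. Consider adding a boundary case such as `alert tcp any any -> any any (msg:"Testing mss max"; tcp.mss:65535; sid:11;)` together with a matching `tcp_mss.equal: 65535` check in test.yaml. Giving each rule a distinct `msg` (for example `"Testing mss gt"`) would also make a failing sid easier to identify in the output.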
@@ -0,0 +1,81 @@
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.equal: 50
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.gt: 123
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.lt: 536
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.range.min: 123
+ lists.packet.matches[0].tcp_mss.range.max: 456
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.gte: 439
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.lte: 70
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.diff: 1000
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.diff: 953
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 9
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.negated_range.min: 123
+ lists.packet.matches[0].tcp_mss.negated_range.max: 456
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ lists.packet.matches[0].name: "tcp.mss"
+ lists.packet.matches[0].tcp_mss.bitmask.mask: 15
+ lists.packet.matches[0].tcp_mss.bitmask.value: 4
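Review bot: With `pcap: false` and `--engine-analysis` at the top of test.yaml, every check only confirms how each `tcp.mss` expression is parsed and written to rules.json; nothing verifies that a packet carrying a given MSS value actually triggers or skips a rule. A regression in the comparison logic, for example in the negated range of sid 9 or the bitmask of sid 10, would still pass this test. I would state that scope in a leading comment, `# Parse/serialization test only: no traffic is replayed, so match behaviour of tcp.mss is not covered here.`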