From: Sam Muhammed Date: Thu, 10 Feb 2022 15:20:12 +0000 (+0200) Subject: nfs: Add detection rules for NFS3_READDIRPLUS X-Git-Tag: suricata-6.0.5~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7f4465ac6dad410ab58e04e37697095698383ef;p=thirdparty%2Fsuricata-verify.git nfs: Add detection rules for NFS3_READDIRPLUS Improve S-V test for NFS3PROC_READDIRPLUS related to Suri@ 03906010a
---
diff --git a/tests/nfs3-readdirplus/test.rules b/tests/nfs3-readdirplus/test.rules
new file mode 100644
index 000000000..fc0961b8b
--- /dev/null
+++ b/tests/nfs3-readdirplus/test.rules
@@ -0,0 +1,2 @@
+alert nfs any any -> any any (nfs_version:3; flow:to_server; nfs_procedure:17; sid:1;)
+alert nfs any any -> any any (flow:to_client; content:"|2e 2e|"; sid:2;)
diff --git a/tests/nfs3-readdirplus/test.yaml b/tests/nfs3-readdirplus/test.yaml
index dbaefbd2b..17972dedc 100644
--- a/tests/nfs3-readdirplus/test.yaml
+++ b/tests/nfs3-readdirplus/test.yaml
@@ -31,3 +31,15 @@ checks:
 rpc.auth_type: UNIX
 rpc.creds.uid: 1000
 rpc.creds.gid: 1000
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 2
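Review bot: The second rule in test.rules (sid:2) is not tied to READDIRPLUS: it matches the bytes `|2e 2e|` in any to_client NFS payload, with none of the `nfs_version` / `nfs_procedure` constraints that sid:1 carries, so it would fire on any reply that happens to contain two consecutive dots. The `count: 1` check for `alert.signature_id: 2` in test.yaml therefore only shows that some reply in the capture contained those bytes, not that the READDIRPLUS reply was the one inspected. Neither rule has a `msg`, so the intent is recorded nowhere; I would add a comment above the rules such as `# sid:1 = READDIRPLUS call (procedure 17); sid:2 = ".." entry name in the reply payload`, and, if the keyword is evaluated on replies, add `nfs_version:3;` to sid:2.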