From: Juliana Fajardini
Date: Mon, 20 Jan 2025 19:25:17 +0000 (-0300)
Subject: tests: engine-analysis tests for app_tx rule type
X-Git-Tag: suricata-7.0.9~66
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0d3399ec477c94c74cd2f148b3b0e7d62fe8efe;p=thirdparty%2Fsuricata-verify.git
tests: engine-analysis tests for app_tx rule type
Add test for the app_tx rule type for the engine-analysis report to accompany rule types documentation. Related to Task #7031
---
diff --git a/tests/rules/rule-type-app-tx/test.rules b/tests/rules/rule-type-app-tx/test.rules
new file mode 100644
index 000000000..a30fe0f37
--- /dev/null
+++ b/tests/rules/rule-type-app-tx/test.rules
@@ -0,0 +1,5 @@
+# Application Layer Protocol Transaction Rules
alert tcp any any -> any any (msg:"http, pos event"; app-layer-event:http.file_name_too_long; sid:501;)
alert tcp any any -> any any (msg:"byte_extract with dce"; dcerpc.stub_data; content:"abc"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)
alert http any any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1102;)
alert udp any any -> any any (msg:"DNS UDP Frame"; flow:to_server; frame:dns.pdu; content:"|01 20 00 01|"; offset:2; content:"suricata"; offset:13; sid:1402; rev:1;)
diff --git a/tests/rules/rule-type-app-tx/test.yaml b/tests/rules/rule-type-app-tx/test.yaml
new file mode 100644
index 000000000..2754861a3
--- /dev/null
+++ b/tests/rules/rule-type-app-tx/test.yaml
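Review bot: The header comment in test.rules names the category but nothing says why each of the four rules is expected to land in app_tx, which is exactly what test.yaml asserts; since the commit message says the test accompanies the rule-types documentation, a one-line comment before each rule would make a classification failure readable. Each rule appears to reach app_tx through a different keyword (app-layer-event on sid 501, the dcerpc.stub_data buffer on 902, the http.* buffers on 1102, frame:dns.pdu on 1402), so e.g. `# app-layer-event keyword -> app_tx` above sid 501, with a matching line above each of the others. Only sid 1402 carries a rev; for consistency the other three could carry `rev:1;` as well.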
@@ -0,0 +1,32 @@
+requires:
+ min-version: 7
+ pcap: false
+args:
+- --engine-analysis
+checks:
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ raw: "alert tcp any any -> any any (msg:\"http, pos event\"; app-layer-event:http.file_name_too_long; sid:501;)"
+ id: 501
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ raw: "alert tcp any any -> any any (msg:\"byte_extract with dce\"; dcerpc.stub_data; content:\"abc\"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)"
+ id: 902
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1102
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1402
+ type: "app_tx"
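Review bot: The first two checks pin `raw:` in addition to `id` and `type` while the last two match on `id`/`type` only; every check asserts the same property (the rule's type), so the stricter form merely duplicates test.rules verbatim and will break on any edit to sids 501 or 902 that leaves their type unchanged. Either drop the `raw:` lines from the 501 and 902 checks or add them to 1102 and 1402 so all four are checked the same way. `min-version: 7` admits every 7.0.x release; if the `type` field in rules.json first appeared in a later 7.0.x (this commit is tagged against suricata-7.0.9), the requirement should name that release, e.g. `min-version: 7.0.9`, so older builds skip the test instead of failing on an absent field.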