From: Andreas Herz
Date: Thu, 19 Jan 2023 09:18:49 +0000 (+0100)
Subject: test: validate smb share match for bug #5799
X-Git-Tag: suricata-7.0.0~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1ba92197770ec3d2036ac58d0c127b38eacae2b;p=thirdparty%2Fsuricata-verify.git

test: validate smb share match for bug #5799
---
diff --git a/tests/smb-filename/README.md b/tests/smb-filename/README.md
new file mode 100644
index 000000000..0112542ba
--- /dev/null
+++ b/tests/smb-filename/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test SMB Filename detection with PMATCH signature being loaded as well.
+See https://redmine.openinfosecfoundation.org/issues/5799
+
+# PCAP
+
+The pcap contains smb traffic with a smb share to match on
diff --git a/tests/smb-filename/input.pcap b/tests/smb-filename/input.pcap
new file mode 100644
index 000000000..3762111d8
Binary files /dev/null and b/tests/smb-filename/input.pcap differ
diff --git a/tests/smb-filename/test.rules b/tests/smb-filename/test.rules
new file mode 100644
index 000000000..de762d478
--- /dev/null
+++ b/tests/smb-filename/test.rules
@@ -0,0 +1,2 @@
+alert ssh $HOME_NET any -> any any (msg:"pcre without content and no match"; pcre:"/rabbit/"; sid:1; rev:1;)
+alert smb $HOME_NET any -> any any (msg:"smb share content with match"; smb.share; content:"C"; sid:2; rev:1;)
diff --git a/tests/smb-filename/test.yaml b/tests/smb-filename/test.yaml
new file mode 100644
index 000000000..2710754fe
--- /dev/null
+++ b/tests/smb-filename/test.yaml
@@ -0,0 +1,6 @@
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 2
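Review bot: The two rules in test.rules carry no comment explaining their roles, and the relationship between them is the whole point of the regression (the README says the test is about a PMATCH signature being loaded alongside the smb.share match). A reader of the rules file alone cannot tell that sid:1 is a deliberate decoy that is never expected to fire. I would add above the first rule: `# sid:1 is loaded only to exercise the pcre-without-content / PMATCH path from bug #5799; it is not expected to alert on this pcap` and above the second: `# sid:2 is the signature under test; test.yaml expects it to fire on the smb share in input.pcap`. Note also that `content:"C"` is a single byte, so the count in test.yaml confirms that the smb.share buffer was inspected but not which share name was matched; if the share name in the pcap is known, a longer content would make the check more specific.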
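Review bot: test.yaml only asserts that sid:2 alerts four times; it never asserts that sid:1 ("pcre without content and no match") produces zero alerts, even though that non-match is half of what the msg text and the README describe. If the bug being regressed caused the PMATCH-less pcre rule to fire or to suppress the smb.share match, a check pinning sid:1 to zero would catch the first failure mode, which the current file does not. I would add a second filter entry alongside the existing one, as below; the indentation in this hunk appears collapsed in the patch view, so align it with the existing entry.
```yaml
checks:
  # … unchanged: existing count: 4 filter for alert.signature_id: 2 …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 1
```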