From: jason taylor
Date: Mon, 25 Jul 2022 23:37:02 +0000 (+0000)
Subject: add bsize keyword tests
X-Git-Tag: suricata-6.0.8~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e111ad479e581431365ea3b433b67254a9e979bc;p=thirdparty%2Fsuricata-verify.git

add bsize keyword tests

Signed-off-by: jason taylor
---

diff --git a/tests/test-bsize-values-1/README.md b/tests/test-bsize-values-1/README.md
new file mode 100644
index 000000000..be0e00d0d
--- /dev/null
+++ b/tests/test-bsize-values-1/README.md
@@ -0,0 +1,10 @@
+# Description
+
+Test bsize keyword values against pcap.
+
+This test case has signatures with all the current possible
+bsize value options, all signatures should alert.
+
+# PCAP
+
+The pcap comes from a tcpdump capture of a dns query to google[.]com
diff --git a/tests/test-bsize-values-1/input.pcap b/tests/test-bsize-values-1/input.pcap
new file mode 100644
index 000000000..f2e7b947e
Binary files /dev/null and b/tests/test-bsize-values-1/input.pcap differ
diff --git a/tests/test-bsize-values-1/test.rules b/tests/test-bsize-values-1/test.rules
new file mode 100644
index 000000000..0ee48b8f0
--- /dev/null
+++ b/tests/test-bsize-values-1/test.rules
@@ -0,0 +1,7 @@
+alert dns any any -> any any (msg:"bsize exact buffer size"; dns.query; content:"google.com"; bsize:10; sid:1; rev:1;)
+
+alert dns any any -> any any (msg:"bsize less than value"; dns.query; content:"google.com"; bsize:<25; sid:2; rev:1;)
+
+alert dns any any -> any any (msg:"bsize buffer greater than value"; dns.query; content:"google.com"; bsize:>8; sid:4; rev:1;)
+
+alert dns any any -> any any (msg:"bsize buffer range value"; dns.query; content:"google.com"; bsize:8<>20; sid:6; rev:1;)
diff --git a/tests/test-bsize-values-1/test.yaml b/tests/test-bsize-values-1/test.yaml
new file mode 100644
index 000000000..7c22c8720
--- /dev/null
+++ b/tests/test-bsize-values-1/test.yaml
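Review bot: Every signature in test-bsize-values-1/test.rules is expected to fire, so a bsize implementation that always matched (or was silently ignored) would still pass this test; there is no rule where the content matches but the size constraint must reject. Adding a negative case such as `alert dns any any -> any any (msg:"bsize exact buffer size mismatch"; dns.query; content:"google.com"; bsize:11; sid:7; rev:1;)` together with a `count: 0` filter on that signature in test.yaml would pin down that bsize actually constrains the match. A leading comment in the rules file, `# dns.query buffer in the capture is "google.com" (10 bytes)`, would also document where the literal 10 and the 8<>20 bounds come from, since the README only says the pcap is a query to google.com.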
@@ -0,0 +1,23 @@ +args: +- -k none + +requires: + min-version: 6.0.0 + +checks: +- filter: + count: 1 + match: + alert.signature: bsize exact buffer size +- filter: + count: 1 + match: + alert.signature: bsize less than value +- filter: + count: 1 + match: + alert.signature: bsize buffer greater than value +- filter: + count: 1 + match: + alert.signature: bsize buffer range value diff --git a/tests/test-bsize-values-2/README.md b/tests/test-bsize-values-2/README.md new file mode 100644 index 000000000..be0e00d0d --- /dev/null +++ b/tests/test-bsize-values-2/README.md @@ -0,0 +1,10 @@ +# Description + +Test bsize keyword values against pcap. + +This test case has signatures with all the current possible +bsize value options, all signatures should alert. + +# PCAP + +The pcap comes from a tcpdump capture of a dns query to google[.]com diff --git a/tests/test-bsize-values-2/input.pcap b/tests/test-bsize-values-2/input.pcap new file mode 100644 index 000000000..f2e7b947e Binary files /dev/null and b/tests/test-bsize-values-2/input.pcap differ diff --git a/tests/test-bsize-values-2/test.rules b/tests/test-bsize-values-2/test.rules new file mode 100644 index 000000000..be1c64765 --- /dev/null +++ b/tests/test-bsize-values-2/test.rules @@ -0,0 +1,3 @@ +alert dns any any -> any any (msg:"bsize buffer less than or equal value"; dns.query; content:"google.com"; bsize:<=20; sid:3; rev:1;) + +alert dns any any -> any any (msg:"bsize buffer greater than or equal value"; dns.query; content:"google.com"; bsize:>=8; sid:5; rev:1;) diff --git a/tests/test-bsize-values-2/test.yaml b/tests/test-bsize-values-2/test.yaml new file mode 100644 index 000000000..4986e5746 --- /dev/null +++ b/tests/test-bsize-values-2/test.yaml @@ -0,0 +1,15 @@ +args: +- -k none + +requires: + min-version: 7.0.0 + +checks: +- filter: + count: 1 + match: + alert.signature: bsize buffer less than or equal value +- filter: + count: 1 + match: + alert.signature: bsize buffer greater than or equal value
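Review bot: The two signatures in test-bsize-values-2/test.rules do not exercise the equality case that distinguishes `<=` and `>=` from `<` and `>`: with a 10-byte "google.com" buffer, `bsize:<=20` and `bsize:>=8` would still alert if the operators were implemented as strict comparisons, so the test cannot catch an "or equal" regression. Use the boundary values instead, `bsize:<=10` for sid 3 and `bsize:>=10` for sid 5, so each rule only alerts when the inclusive semantics hold. As with the first test, a `count: 0` check on a deliberately non-matching size (e.g. `bsize:<=9`) would confirm the operator constrains the match rather than the content alone producing the alert.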