From: Victor Julien
Date: Fri, 13 Oct 2023 14:18:56 +0000 (+0200)
Subject: tests: add bug 6402 test
X-Git-Tag: suricata-6.0.15~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e175f28c6ac69dfc7f2416a24efa60e987320ad3;p=thirdparty%2Fsuricata-verify.git
tests: add bug 6402 test
---
diff --git a/tests/bug-6402-01/input.pcap b/tests/bug-6402-01/input.pcap
new file mode 100644
index 000000000..ca3600287
Binary files /dev/null and b/tests/bug-6402-01/input.pcap differ
diff --git a/tests/bug-6402-01/test.rules b/tests/bug-6402-01/test.rules
new file mode 100644
index 000000000..858ff2e5c
--- /dev/null
+++ b/tests/bug-6402-01/test.rules
@@ -0,0 +1,9 @@
+alert udp any any -> any 6081 (msg:"geneve udp"; sid:2;)
+pass udp any any -> any 6081 (sid:1;)
+alert ip any any -> any any (msg:"all IP"; sid:5554;)
+alert tcp any any -> any any (msg:"all TCP"; sid:5553;)
+alert ip any any -> any any (msg:"IP Packet with 47 protocol"; ip_proto:47; sid:5555;)
+alert ip any any -> any any (msg:"IP Packet with GRE protocol"; ip_proto:gre; sid:5556;)
+alert icmp any any -> any any (msg:"ICMP"; sid:5557;)
+alert http any any -> any any (http.uri; content:"/"; sid:666;)
+
diff --git a/tests/bug-6402-01/test.yaml b/tests/bug-6402-01/test.yaml
new file mode 100644
index 000000000..b3d07b3c3
--- /dev/null
+++ b/tests/bug-6402-01/test.yaml
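Review bot: test.rules has no comment saying what bug 6402 is or why the `pass` rule on port 6081 sits next to the alert rules, so the scenario has to be reconstructed from the expected counts in test.yaml. A leading comment would fix that, for example `# Bug 6402: a pass on the outer UDP/6081 flow must not suppress alerts on the encapsulated GRE/TCP/HTTP traffic`; that reading is inferred from the checks and should be confirmed against the ticket. The sid:666 rule also has no `msg`, unlike the other alert rules, which leaves its alert events without a signature name when a check fails and someone has to read eve.json; something like `msg:"http uri";` would match the rest of the file.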
@@ -0,0 +1,70 @@
+args:
+- --runmode=single
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: UDP
+ flow.alerted: false
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5553
+ - filter:
+ count: 14
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ proto: GRE
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ proto: TCP
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5555
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5556
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5557
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: "CLOSED"
+ fileinfo.size: 18
+
+
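Review bot: test.yaml never asserts anything about sid:2, the `geneve udp` alert that the `pass` rule sid:1 is presumably meant to suppress on the outer UDP/6081 traffic. The `flow.alerted: false` filter on the UDP flow covers this only indirectly, through a flow-level flag rather than the alert events themselves. An explicit zero-count filter for `alert.signature_id: 2` would pin the pass behaviour next to the inner-traffic counts, so a regression on either side (outer alert leaking through, or inner alerts being dropped) fails a named check.

```yaml
  # ... unchanged: flow filters and the other alert filters ...
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 2
```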