From: Juliana Fajardini
Date: Mon, 20 Jan 2025 20:45:03 +0000 (-0300)
Subject: tests: engine-analysis tests for pd_only rule type
X-Git-Tag: suricata-7.0.9~64
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eadccac6254fa6c0f50b93c94b44475b2afe49c7;p=thirdparty%2Fsuricata-verify.git

tests: engine-analysis tests for pd_only rule type

Test protocol detection only engine-analysis tests to accompany rule types documentation.

Related to Task #7031
---
diff --git a/tests/rules/rule-type-pd-only/test.rules b/tests/rules/rule-type-pd-only/test.rules
new file mode 100644
index 000000000..cc6885213
--- /dev/null
+++ b/tests/rules/rule-type-pd-only/test.rules
@@ -0,0 +1,5 @@
+# Protocol Detection Only Rules
+alert tcp any any -> any any (msg:"tcp, pd negated"; app-layer-protocol:!http; sid:401;)
+alert tcp any any -> any any (msg:"tcp, pd positive"; app-layer-protocol:http; sid:402;)
+alert tcp any any -> any any (msg:"tcp, pd positive dns"; app-layer-protocol:dns; sid:403;)
+alert tcp any any -> any any (msg:"tcp, pd positive, dns, flow:to_server"; app-layer-protocol:dns; flow:to_server; sid:405;)
diff --git a/tests/rules/rule-type-pd-only/test.yaml b/tests/rules/rule-type-pd-only/test.yaml
new file mode 100644
index 000000000..9c46473ec
--- /dev/null
+++ b/tests/rules/rule-type-pd-only/test.yaml
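Review bot: The header comment `# Protocol Detection Only Rules` does not state what the fixture is asserting, so someone reading test.rules on its own cannot tell why sid 405 carries an extra `flow:to_server` while the others do not; I would expand it to `# Protocol Detection Only Rules: every signature here is expected to be reported as type "pd_only" by --engine-analysis (see test.yaml); sid 405 adds flow:to_server to show a flow keyword does not change that classification.` The sid sequence jumps from 403 to 405, which reads as though a case was dropped; either renumber to 404 or add a one-line note on the gap so the next editor does not assume a test is missing. The companion test.yaml in this commit checks each of these sids for `type: "pd_only"` with `count: 1`, so the expectation is grounded there rather than in this file.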
@@ -0,0 +1,34 @@
+requires:
+ min-version: 7
+ pcap: false
+args:
+- --engine-analysis
+checks:
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ raw: "alert tcp any any -> any any (msg:\"tcp, pd negated\"; app-layer-protocol:!http; sid:401;)"
+ id: 401
+ type: "pd_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ raw: "alert tcp any any -> any any (msg:\"tcp, pd positive\"; app-layer-protocol:http; sid:402;)"
+ id: 402
+ type: "pd_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ raw: "alert tcp any any -> any any (msg:\"tcp, pd positive dns\"; app-layer-protocol:dns; sid:403;)"
+ id: 403
+ type: "pd_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ raw: "alert tcp any any -> any any (msg:\"tcp, pd positive, dns, flow:to_server\"; app-layer-protocol:dns; flow:to_server; sid:405;)"
+ id: 405
+ type: "pd_only"
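Review bot: `min-version: 7` admits every 7.x build, yet all four checks depend on rules.json carrying a `type` field; if that field is only emitted from a later 7.0.x point release (the commit is tagged against 7.0.9), earlier 7.0 builds will fail these checks instead of skipping the test, so the gate should be the first release that produces the field, e.g. `min-version: 7.0.9` if that is where it landed — worth confirming before merge. The two sequences also appear to be indented differently: `args` is written flush as `- --engine-analysis` while `checks` uses an indented `  - filter:`; pick one form for the file (yamllint's indent-sequences rule). Each check repeats the full signature under `raw:` next to `id`, which is a strict load check but means any future edit to test.rules must be mirrored here byte-for-byte or the `count: 1` assertion fails for a reason unrelated to rule typing; matching on `id` and `type` alone would make the fixture less brittle if the exact text is not the point.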