From: Alice Akaki
Date: Wed, 26 Oct 2022 02:42:12 +0000 (-0400)
Subject: detect-icmp-seq: add test
X-Git-Tag: suricata-6.0.9~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ebc34854df4204b3294797a7845ac371fa8148d8;p=thirdparty%2Fsuricata-verify.git

detect-icmp-seq: add test

Task: #5597
---
diff --git a/tests/detect-icmp-seq/README.md b/tests/detect-icmp-seq/README.md
new file mode 100644
index 000000000..4b3af190c
--- /dev/null
+++ b/tests/detect-icmp-seq/README.md
@@ -0,0 +1,3 @@
+Test for checking the working of icmp_seq keyword by creating 2 rules and matching a packet against them. Only the first one shall trigger.
+
+PCAP created with scapy.
diff --git a/tests/detect-icmp-seq/input.pcap b/tests/detect-icmp-seq/input.pcap
new file mode 100644
index 000000000..12a05c2e7
Binary files /dev/null and b/tests/detect-icmp-seq/input.pcap differ
diff --git a/tests/detect-icmp-seq/test.rules b/tests/detect-icmp-seq/test.rules
new file mode 100644
index 000000000..7dc465ff3
--- /dev/null
+++ b/tests/detect-icmp-seq/test.rules
@@ -0,0 +1,2 @@
+alert icmp any any -> any any (icmp_seq:2216; sid:1;)
+alert icmp any any -> any any (icmp_seq:5000; sid:2;)
diff --git a/tests/detect-icmp-seq/test.yaml b/tests/detect-icmp-seq/test.yaml
new file mode 100644
index 000000000..f5402c759
--- /dev/null
+++ b/tests/detect-icmp-seq/test.yaml
@@ -0,0 +1,22 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
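Review bot: Neither rule in test.rules carries a `msg` or `rev` keyword, so when sid 1 fires the eve alert record identifies the signature only by its number and gives a reader of the log no hint of what was being exercised. Adding `msg:"icmp_seq 2216 matches"; rev:1;` to sid 1 and `msg:"icmp_seq 5000 must not match"; rev:1;` to sid 2 makes the expected and unexpected alerts self-describing, as many tests in this repository do. The two-rule shape itself is sound: sid 2 with a different sequence value is what proves the keyword compares the value rather than matching any ICMP packet.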
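Review bot: `-k none` switches off checksum validation for the whole run, but nothing in test.yaml records why it is needed; the README says the pcap was built with scapy, so presumably the crafted packet carries no valid IP/ICMP checksums and would otherwise be discarded before the rule is evaluated. A one-line comment above the argument, `# pcap was crafted with scapy and has no valid checksums; skip checksum validation`, keeps that rationale next to the setting for whoever later wonders whether it can be dropped. The four checks (sid 1 exactly once, sid 2 never, one flow record, one stats record) are adequate to pin the keyword's behaviour for this capture.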