From: Victor Julien
Date: Wed, 31 Jul 2024 12:12:55 +0000 (+0200)
Subject: tests: add test for 7187
X-Git-Tag: suricata-7.0.7~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ffdd0e2a4f101b5fb22dcb87f8f58ba50303db6a;p=thirdparty%2Fsuricata-verify.git

tests: add test for 7187
---

diff --git a/tests/dcerpc-issue-7187-01/README.md b/tests/dcerpc-issue-7187-01/README.md
new file mode 100644
index 000000000..421fd99e9
--- /dev/null
+++ b/tests/dcerpc-issue-7187-01/README.md
@@ -0,0 +1 @@
+Pcap from https://forum.suricata.io/t/suricata-protocol-dcerpc-cannot-trigger-alert-when-adding-new-rule/
diff --git a/tests/dcerpc-issue-7187-01/test.pcap b/tests/dcerpc-issue-7187-01/test.pcap
new file mode 100644
index 000000000..566feb2d2
Binary files /dev/null and b/tests/dcerpc-issue-7187-01/test.pcap differ
diff --git a/tests/dcerpc-issue-7187-01/test.rules b/tests/dcerpc-issue-7187-01/test.rules
new file mode 100644
index 000000000..395f72951
--- /dev/null
+++ b/tests/dcerpc-issue-7187-01/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|42 77 4E 6F 64 65 49 50 2E 65 78 65 20|"; content:!"|00|"; within:100; distance:97; sid:1; rev:1; )
+alert tcp any any -> any any (dsize:3; sid:2; rev:1; )
diff --git a/tests/dcerpc-issue-7187-01/test.yaml b/tests/dcerpc-issue-7187-01/test.yaml
new file mode 100644
index 000000000..c2663cec0
--- /dev/null
+++ b/tests/dcerpc-issue-7187-01/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 3
+    match:
+      event_type: dcerpc
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
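Review bot: The second rule, `alert tcp any any -> any any (dsize:3; sid:2; rev:1; )`, carries no comment saying why it is in the file; from the forum title in the README it looks like the rule whose mere presence stopped sid 1 from alerting, but that is inferred, not stated. A one-line comment above it, `# sid 2 reproduces issue 7187: its presence must not prevent sid 1 from alerting`, would tell the next maintainer that it is not dead weight to be pruned. Both rules also omit `msg:`; adding a short `msg:"..."` to each would make the eve alert records self-describing when the test fails.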
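Review bot: `min-version: 8` under `requires:` skips this test on the whole 7.0.x line, while the X-Git-Tag in the header places the commit before suricata-7.0.7; if the fix for 7187 is also in 7.0.7, the requirement should be lowered to that release (placeholder: `min-version: 7.0.7`, to be confirmed against the backport) or the regression is never exercised there. The checks pin only the sid 1 alert count, so an unexpected alert from sid 2 would pass unnoticed; a third filter on `event_type: alert` alone, with its `count` taken from a known-good run, would lock down the total. The dcerpc event count of 3 is likewise undocumented; a comment naming what the three events are (bind, bind_ack, request, presumably) would make a future count change easier to judge.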