From: Eloy Pérez González Date: Fri, 22 Oct 2021 10:44:03 +0000 (+0200) Subject: Adds test for krb5_msg_type keyword X-Git-Tag: suricata-6.0.13~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1198%2Fhead;p=thirdparty%2Fsuricata-verify.git Adds test for krb5_msg_type keyword
---
diff --git a/tests/krb5-krb5_msg_type/README.md b/tests/krb5-krb5_msg_type/README.md
new file mode 100644
index 000000000..7ceaa054b
--- /dev/null
+++ b/tests/krb5-krb5_msg_type/README.md
@@ -0,0 +1,3 @@
+# PCAP
+
+The pcap included contains kerberos traffic generated from a Windows server 2019 with the klist tool.
diff --git a/tests/krb5-krb5_msg_type/input.pcap b/tests/krb5-krb5_msg_type/input.pcap
new file mode 100644
index 000000000..7b0451552
Binary files /dev/null and b/tests/krb5-krb5_msg_type/input.pcap differ
diff --git a/tests/krb5-krb5_msg_type/test.rules b/tests/krb5-krb5_msg_type/test.rules
new file mode 100644
index 000000000..18cd2fea6
--- /dev/null
+++ b/tests/krb5-krb5_msg_type/test.rules
@@ -0,0 +1,5 @@
+alert krb5 any any -> any any (msg:"AS-REQ"; krb5_msg_type:10; sid:10;)
+alert krb5 any any -> any any (msg:"AS-REP"; krb5_msg_type:11; sid:11;)
+alert krb5 any any -> any any (msg:"TGS-REQ"; krb5_msg_type:12; sid:12;)
+alert krb5 any any -> any any (msg:"TGS-REP"; krb5_msg_type:13; sid:13;)
+alert krb5 any any -> any any (msg:"KRB-ERROR"; krb5_msg_type:30; sid:30;)
\ No newline at end of file
diff --git a/tests/krb5-krb5_msg_type/test.yaml b/tests/krb5-krb5_msg_type/test.yaml
new file mode 100644
index 000000000..3a90f3171
--- /dev/null
+++ b/tests/krb5-krb5_msg_type/test.yaml
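Review bot: test.rules is committed without a trailing newline (the `\ No newline at end of file` marker after the KRB-ERROR rule); ending the file with a newline keeps the next rule added from showing up as a modification of the sid:30 line and avoids line-oriented tooling that may treat an unterminated last line differently. The sid-equals-message-type convention (10/11/12/13/30) is useful but nowhere stated; a one-line header such as `# sid of each rule equals the krb5 message type it tests (RFC 4120 KRB_*), so the count checks in test.yaml read directly` would make the intent explicit to whoever extends the file.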
@@ -0,0 +1,42 @@
+# *** Add configuration here ***
+requires:
+ min-version: 7
+ features:
+ - RUST
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 10
+
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 12
+
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 13
+
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 30
+
+
+
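Review bot: The first line of test.yaml keeps the template placeholder `# *** Add configuration here ***`, which says nothing about this test; replace it with a comment stating what is verified, e.g. `# Each krb5_msg_type rule in test.rules must fire only for its own message type; expected counts are the number of messages of that type in input.pcap.` In this rendering the nesting under `requires:`, `filter:` and `match:` appears flattened to a single space, which would not parse as the intended two-level structure — presumably a display artefact, but worth confirming the committed file keeps proper indentation. The per-check counts (2, 1, 3, 3, 1) are asserted without saying where they come from; a short note above `checks:` tying them to the capture described in README.md would help whoever regenerates the pcap later.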