From: Philippe Antoine
Date: Mon, 27 Nov 2023 16:28:47 +0000 (+0100)
Subject: Adds test about ssh new keys
X-Git-Tag: suricata-6.0.17~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1710%2Fhead;p=thirdparty%2Fsuricata-verify.git
Adds test about ssh new keys
Ticket: 6578
---
diff --git a/tests/ssh-newkeys/README.md b/tests/ssh-newkeys/README.md
new file mode 100644
index 000000000..39fb109c2
--- /dev/null
+++ b/tests/ssh-newkeys/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test rule on ssh for new keys packet.
+https://redmine.openinfosecfoundation.org/issues/6578
+
+# PCAP
+
+The pcap comes from https://forum.suricata.io/t/can-not-get-ssh-alert/4223/9
diff --git a/tests/ssh-newkeys/input.pcap b/tests/ssh-newkeys/input.pcap
new file mode 100644
index 000000000..275d7283c
Binary files /dev/null and b/tests/ssh-newkeys/input.pcap differ
diff --git a/tests/ssh-newkeys/test.rules b/tests/ssh-newkeys/test.rules
new file mode 100644
index 000000000..3837fe45c
--- /dev/null
+++ b/tests/ssh-newkeys/test.rules
@@ -0,0 +1 @@
+alert ssh any any -> any 22 (msg:"This is a test"; content:"|15 00 00 00 00 00 00 00 00 00 00|"; classtype:protocol-command-decode; sid:1300013; rev:1; metadata:created_at 2023_05_23, updated_at 2023_05_24;)
diff --git a/tests/ssh-newkeys/test.yaml b/tests/ssh-newkeys/test.yaml
new file mode 100644
index 000000000..2c78fd6f3
--- /dev/null
+++ b/tests/ssh-newkeys/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1300013
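Review bot: The rule in test.rules carries `msg:"This is a test"`, which says nothing about what the content match is for, and the pattern `|15 00 00 00 00 00 00 00 00 00 00|` keys on a single 0x15 byte (SSH_MSG_NEWKEYS per RFC 4253) followed by ten zero bytes of raw payload, which ties the test to the exact trailing bytes present in this capture rather than to the message type alone. Since the test exists to cover ticket 6578, make that readable from the rule itself: `msg:"SSH_MSG_NEWKEYS (0x15) matched in raw ssh payload";`. A one-line note in README.md stating that the zero bytes are the padding observed in this pcap (if that is indeed what they are) would save the next maintainer from rediscovering why the signature fires only on this capture.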
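Review bot: The single check in test.yaml only counts alerts for sid 1300013, so nothing asserts that the ssh app-layer actually recognised the session; a regression in protocol detection on this pcap would surface as a bare count mismatch, indistinguishable from the rule itself not matching. Adding a second filter on `event_type: ssh` separates "rule did not match" from "protocol was not parsed" (the expected count below assumes the capture holds one session; verify against the pcap). The `min-version: 8` requirement is also unexplained; a comment above `requires:` such as `# depends on the ticket 6578 fix, see README.md` would tell readers why older branches skip the test, assuming that is the reason for the floor.
```yaml
checks:
  # … unchanged: alert filter on alert.signature_id 1300013 …
  - filter:
      count: 1
      match:
        event_type: ssh
```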