From: Philippe Antoine
Date: Tue, 7 May 2024 07:06:15 +0000 (+0200)
Subject: detect: add a test for protocol mismatch detection
X-Git-Tag: suricata-6.0.20~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1832%2Fhead;p=thirdparty%2Fsuricata-verify.git

detect: add a test for protocol mismatch detection

Ticket: #4921
---

diff --git a/tests/detect-app-layer-protocol-05/README.md b/tests/detect-app-layer-protocol-05/README.md
new file mode 100644
index 000000000..ad276369a
--- /dev/null
+++ b/tests/detect-app-layer-protocol-05/README.md
@@ -0,0 +1,11 @@
+# Test Purpose
+
+Test `app-layer-protocol` keyword with protocol mismatch
+
+## PCAP
+
+PCAP reused from proto-mismatch-http-ssh
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/4921
diff --git a/tests/detect-app-layer-protocol-05/test.rules b/tests/detect-app-layer-protocol-05/test.rules
new file mode 100644
index 000000000..150dd00d4
--- /dev/null
+++ b/tests/detect-app-layer-protocol-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"HTTP client to SSH server"; flow:to_client; app-layer-protocol:http1,to_server; app-layer-protocol:ssh,to_client; sid:1; )
diff --git a/tests/detect-app-layer-protocol-05/test.yaml b/tests/detect-app-layer-protocol-05/test.yaml
new file mode 100644
index 000000000..9ae49ce93
--- /dev/null
+++ b/tests/detect-app-layer-protocol-05/test.yaml
@@ -0,0 +1,11 @@
+pcap: ../output-eve-anomaly-02/input.pcap
+
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
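Review bot: The single rule in test.rules only exercises the positive case of the direction-qualified `app-layer-protocol` match, so the test cannot distinguish an implementation that honours the `to_server`/`to_client` qualifiers from one that ignores them and matches the protocol on either side of the flow. A second rule with the directions swapped, e.g. `alert tcp any any -> any any (msg:"Swapped directions must not match"; flow:to_client; app-layer-protocol:ssh,to_server; app-layer-protocol:http1,to_client; sid:2; )`, paired with a `count: 0` check on `alert.signature_id: 2` in test.yaml, would pin the direction semantics that ticket #4921 is about. If the other rule files in this repository carry a `rev:` field, adding `rev:1;` here would keep the convention consistent.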
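Review bot: The `pcap:` path in test.yaml points at `../output-eve-anomaly-02/input.pcap`, whereas the README added in the same commit says the capture is reused from `proto-mismatch-http-ssh`; one of the two is stale, or the README should name the path that is actually referenced so the cross-test dependency is traceable. Depending on another test's input also means this test silently loses its pcap if output-eve-anomaly-02 is renamed or removed; a comment next to the path such as `# shared with output-eve-anomaly-02; copy locally if that test changes` or a copy of the file into this directory would avoid that. The check also asserts only the alert count; if the eve alert record carries per-direction protocol fields (presumably `app_proto_ts`/`app_proto_tc` on recent Suricata, to be confirmed against the output), matching those too would tie the alert to the HTTP-client-to-SSH-server mismatch rather than to any alert with sid 1.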