From: Alice Akaki
Date: Mon, 3 Mar 2025 15:45:14 +0000 (-0400)
Subject: detect: add test for ldap.responses.attribute_type keyword
X-Git-Tag: suricata-7.0.11~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2430%2Fhead;p=thirdparty%2Fsuricata-verify.git

detect: add test for ldap.responses.attribute_type keyword

Ticket: #7533
---

diff --git a/tests/detect-ldap-attribute/README.md b/tests/detect-ldap-attribute/README.md
index e824abd1a..434dbaeee 100644
--- a/tests/detect-ldap-attribute/README.md
+++ b/tests/detect-ldap-attribute/README.md
@@ -1,4 +1,4 @@
-Test ldap.request.attribute_type keyword.
+Test ldap.request.attribute_type and ldap.responses.attribute_type keywords.
 PCAP from ../ldap-search/ldap.pcap
diff --git a/tests/detect-ldap-attribute/test.rules b/tests/detect-ldap-attribute/test.rules
index d1d2853e3..e0dce85ad 100644
--- a/tests/detect-ldap-attribute/test.rules
+++ b/tests/detect-ldap-attribute/test.rules
@@ -1,2 +1,4 @@
 alert ldap any any -> any any (msg:"Test request attribute type"; ldap.request.attribute_type; content:"*"; startswith; endswith; sid:1;)
 alert ldap any any -> any any (msg:"Test request attribute type"; ldap.request.attribute_type; content:"+"; startswith; endswith; sid:2;)
+alert ldap any any -> any any (msg:"Test responses attribute type"; ldap.responses.attribute_type; content:"objectClass"; startswith; endswith; sid:3;)
+alert ldap any any -> any any (msg:"Test responses attribute type"; ldap.responses.attribute_type; content:"dc"; startswith; endswith; sid:4;)
\ No newline at end of file
diff --git a/tests/detect-ldap-attribute/test.yaml b/tests/detect-ldap-attribute/test.yaml
index d126cec12..3463f3962 100644
--- a/tests/detect-ldap-attribute/test.yaml
+++ b/tests/detect-ldap-attribute/test.yaml
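Review bot: The two added rules sid:3 and sid:4 carry the identical `msg:"Test responses attribute type"`, mirroring sid:1/sid:2, so an alert in the eve log can only be told apart by its sid; distinct messages such as `msg:"Test responses attribute type objectClass"` and `msg:"Test responses attribute type dc"` make test failures and eve output easier to read. The new last line also drops the trailing newline the file previously had (`\ No newline at end of file` appears only after the sid:4 line, while the sid:2 context line was followed by a newline); worth restoring while the file is being touched.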
@@ -20,4 +20,18 @@ checks:
 event_type: alert
 ldap.request.operation: search_request
 ldap.request.search_request.attributes[1]: +
- alert.signature_id: 2
\ No newline at end of file
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ldap.responses[0].operation: search_result_entry
+ ldap.responses[0].search_result_entry.attributes[0].type: objectClass
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ldap.responses[0].operation: search_result_entry
+ ldap.responses[0].search_result_entry.attributes[1].type: dc
+ alert.signature_id: 4
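Review bot: The two new filters only assert that sid:3 and sid:4 each fire once with `ldap.responses[0]` carrying the expected attribute type; nothing in the hunk shows that the new keyword refuses to match on a type that is not in the pcap, so the test cannot catch a buffer that matches everything. A third rule with an attribute type absent from the capture paired with a `count: 0` filter on its sid would turn this into a negative check as well. Because the keyword is named `ldap.responses`, it presumably inspects every response in the transaction, so if the pcap holds more than one search_result_entry the `count: 1` may undercount what the buffer yields; confirm against the eve output. The `checks:` list begins above this hunk, and the unchanged context at the top belongs to the existing sid:2 filter.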