From: Victor Julien
Date: Tue, 14 Jun 2022 09:52:17 +0000 (+0200)
Subject: tests: add dcerpc/smb test
X-Git-Tag: suricata-5.0.10~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F854%2Fhead;p=thirdparty%2Fsuricata-verify.git

tests: add dcerpc/smb test
---

diff --git a/tests/dcerpc-smb-test-01/README.md b/tests/dcerpc-smb-test-01/README.md
new file mode 100644
index 000000000..1effb79cd
--- /dev/null
+++ b/tests/dcerpc-smb-test-01/README.md
@@ -0,0 +1,2 @@
+Pcap from:
+20171220_smb_psexec_add_user.pcap
diff --git a/tests/dcerpc-smb-test-01/input.pcap b/tests/dcerpc-smb-test-01/input.pcap
new file mode 100644
index 000000000..a1ec294a2
Binary files /dev/null and b/tests/dcerpc-smb-test-01/input.pcap differ
diff --git a/tests/dcerpc-smb-test-01/test.rules b/tests/dcerpc-smb-test-01/test.rules
new file mode 100644
index 000000000..0706f9b06
--- /dev/null
+++ b/tests/dcerpc-smb-test-01/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (flow:to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; sid:1;)
+alert smb any any -> any any (flow:to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; sid:2;)
+alert dcerpc any any -> any any (flow:to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; sid:3;)
diff --git a/tests/dcerpc-smb-test-01/test.yaml b/tests/dcerpc-smb-test-01/test.yaml
new file mode 100644
index 000000000..e3e492cf8
--- /dev/null
+++ b/tests/dcerpc-smb-test-01/test.yaml
@@ -0,0 +1,16 @@
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
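Review bot: The interface UUID and opnum repeated in all three rules of test.rules are bare magic values, so a reader has to look them up to understand what the test is exercising; a leading comment line would fix that, e.g. `# 367abb81-... is the svcctl (Service Control Manager) interface; opnum 15 appears to be OpenSCManagerW — confirm against the pcap`. Suricata rule files accept `#` comment lines, so this costs nothing at load time. None of the rules carries a `msg:` either, which presumably leaves `alert.signature` empty in eve.json and makes a failing check harder to read; `msg:"svcctl opnum 15 via tcp";`, `msg:"svcctl opnum 15 via smb";` and `msg:"svcctl opnum 15 via dcerpc";` would name each transport variant.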
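Review bot: Each filter in test.yaml matches only `event_type` and `alert.signature_id`, so the count of 2 for sid 1 (the `alert tcp` rule) cannot tell whether the hits came from the SMB-carried DCERPC traffic the test is named for or from some other DCERPC PDU in the capture. Adding the transport to each match, `dest_port: 445`, would tie the counts to the SMB flow, assuming the psexec capture uses the standard SMB port — confirm from the pcap before pinning it. A further check that the `smb` event type is present would confirm the parser produced records and not only that the detection keywords fired.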