From: Juliana Fajardini Date: Tue, 5 Apr 2022 19:47:31 +0000 (-0300) Subject: test/alert-max: add check for discarded alerts X-Git-Tag: suricata-6.0.8~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F896%2Fhead;p=thirdparty%2Fsuricata-verify.git test/alert-max: add check for discarded alerts Check that we correctly log to stats how many alerts have been discarded due to packet alert queue overflow. Task #5179 --- diff --git a/tests/alert-max/alert-max-append-higher-priority/suricata.yaml b/tests/alert-max/alert-max-append-higher-priority/suricata.yaml index affc4f204..36e3dc31d 100644 --- a/tests/alert-max/alert-max-append-higher-priority/suricata.yaml +++ b/tests/alert-max/alert-max-append-higher-priority/suricata.yaml @@ -15,6 +15,7 @@ outputs: types: - alert - http + - stats # Define maximum number of possible alerts that can be triggered for the same # packet. Default is 15 diff --git a/tests/alert-max/alert-max-append-higher-priority/test.rules b/tests/alert-max/alert-max-append-higher-priority/test.rules index 3c0133f94..46e020e39 100644 --- a/tests/alert-max/alert-max-append-higher-priority/test.rules +++ b/tests/alert-max/alert-max-append-higher-priority/test.rules 
@@ -14,3 +14,11 @@ alert http any any -> any any (msg:"Match rule internal id 5"; uricontent:"/inde
 alert http any any -> any any (msg:"Match rule internal id 6"; http.request_line; bsize:10<>100; sid:7; rev:1;)
 # Internal id 7
 alert http any any -> any any (msg:"Match rule internal id 7"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:8;)
+# internal id doesn't matter here
+alert tcp any any -> any any (msg:"No match rule 8"; dsize:>140; sid:9; rev:1;)
+# internal id doesn't matter here
+alert http any any -> any any (msg:"Match rule 9"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:10;)
+# internal id doesn't matter here
+alert http any any -> any any (msg:"Match rule 10"; uricontent:"/index.html"; sid:11; rev:1;)
+# internal id doesn't matter here
+alert http any any -> any any (msg:"Match rule 11"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:12;)
diff --git a/tests/alert-max/alert-max-append-higher-priority/test.yaml b/tests/alert-max/alert-max-append-higher-priority/test.yaml
index 6d71b4218..a81975ba9 100644
--- a/tests/alert-max/alert-max-append-higher-priority/test.yaml
+++ b/tests/alert-max/alert-max-append-higher-priority/test.yaml
@@ -52,3 +52,9 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 8
+# Subtest 9
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.alert_queue_overflow: 4
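Review bot: `sid:9` is labelled `"No match rule 8"` and is relied on not to fire, but `alert tcp any any -> any any (... dsize:>140 ...)` is evaluated against every TCP payload in the pcap in both directions, so an HTTP response larger than 140 bytes would make it alert on the response packet even though the request stays under the threshold. Scoping it to the request direction makes the intent explicit and removes that dependency on the pcap: `alert tcp any any -> any any (msg:"No match rule 8"; flow:to_server,established; dsize:>140; sid:9; rev:1;)`. I cannot see the pcap, so whether this fires today is an assumption; a comment above the rule such as `# the request payload is well under 140 bytes, so this rule must never alert` would record why the stats check in test.yaml expects exactly 4 discarded alerts. The four identical `# internal id doesn't matter here` lines could be collapsed into a single comment introducing the block of added rules.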
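Review bot: The expected `stats.detect.alert_queue_overflow: 4` is an unexplained constant: nothing in the subtest relates it to the number of rules that hit the request in test.rules and the `packet-alert-max` value in suricata.yaml (neither appears in this hunk), so a later change to either fails this check without saying why. A comment above the subtest deriving the 4 — matching rules minus the configured queue size — keeps the test self-explaining; given the rule file now holds 12 rules of which `sid:9` is intended not to match, something like `# 11 rules alert on the request; packet-alert-max leaves room for N, so 4 alerts are discarded`, with N filled in from suricata.yaml. Separately, `count: 1` on `event_type: stats` presumes the run emits exactly one stats record; if the stats interval fires before EOF on this pcap, a second record with the same cumulative counter also matches and the subtest fails on the count rather than on the counter. I cannot see the pcap or the stats interval, so this is a caution rather than a defect; if it matters, asserting on the final record or dropping `count` is more robust.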