From: Philippe Antoine
Date: Tue, 22 Feb 2022 08:20:26 +0000 (+0100)
Subject: Adds quic ietf v1 test
X-Git-Tag: suricata-6.0.8~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F931%2Fhead;p=thirdparty%2Fsuricata-verify.git

Adds quic ietf v1 test
---

diff --git a/tests/quic-ietf/README.md b/tests/quic-ietf/README.md
new file mode 100644
index 000000000..95cb154b1
--- /dev/null
+++ b/tests/quic-ietf/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test quic ietf v1 parsing
+
+# PCAP
+
+The pcap comes from https://www.bortzmeyer.org/quic.html
diff --git a/tests/quic-ietf/input.pcap b/tests/quic-ietf/input.pcap
new file mode 100644
index 000000000..266ba94ad
Binary files /dev/null and b/tests/quic-ietf/input.pcap differ
diff --git a/tests/quic-ietf/test.rules b/tests/quic-ietf/test.rules
new file mode 100644
index 000000000..25d1489ab
--- /dev/null
+++ b/tests/quic-ietf/test.rules
@@ -0,0 +1,2 @@
+alert quic any any -> any any (msg:"QUIC SNI"; quic.sni; content:"msquic.net"; sid:4;)
+alert quic any any -> any any (msg:"QUIC JA3"; ja3.string; content:"771,4866,43-51-41"; sid:3;)
diff --git a/tests/quic-ietf/test.yaml b/tests/quic-ietf/test.yaml
new file mode 100644
index 000000000..17d841124
--- /dev/null
+++ b/tests/quic-ietf/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 7.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        quic.extensions[1].name: "server_name"
+        quic.extensions[1].values[0]: "msquic.net"
+        quic.extensions[2].name: "alpn"
+        quic.extensions[2].values[0]: "h3-29"
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
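Review bot: Both rules in test.rules match their content as an unanchored substring, so `quic.sni; content:"msquic.net";` would also fire on an SNI such as `notmsquic.net` or `msquic.net.example`, and the JA3 rule would match any `ja3.string` that merely contains `771,4866,43-51-41` — the test therefore cannot distinguish a correct parse of these buffers from an over-long or differently-prefixed one. Since the fixture exists to pin the parser's output, anchoring the match makes it exact, e.g. `quic.sni; content:"msquic.net"; startswith; endswith;` (or `bsize:10;`), and likewise `ja3.string; content:"771,4866,43-51-41"; startswith; endswith;`. The JA3 value has only three comma-separated fields where a TLS JA3 string normally has five (version, ciphers, extensions, curves, point formats); if that is genuinely the expected QUIC output, a comment such as `# JA3 for QUIC ClientHello: only version,ciphers,extensions are logged` above sid 3 would spare the next reader a check against the JA3 definition, and if it is a prefix of a longer string, the anchored match will expose that.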
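Review bot: The checks in test.yaml never pin the QUIC version even though, per the README and commit title, the test exists to exercise IETF v1 parsing, and the expected ALPN `h3-29` is the draft-29 HTTP/3 identifier rather than the `h3` token used with QUIC v1, so the fixture alone does not show which wire version the pcap carries. Adding a match on the version field the quic logger emits to the first filter (presumably `quic.version`; confirm the key and its logged form against an actual EVE record before relying on it) would make the test fail if the pcap or the parser ever regresses to a draft version. The extension matches are also purely index-based (`quic.extensions[1]`, `quic.extensions[2]`), which breaks silently if the logger reorders or adds extensions; that is acceptable for a fixture, but a line in README.md noting that the checks depend on extension ordering would save the next maintainer a debugging round.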