From 53c425b23389fd9aa0d4bad18c8ff18863d4af50 Mon Sep 17 00:00:00 2001
From: Modupe Falodun <falodunmodupeola@gmail.com>
Date: Mon, 24 Jan 2022 22:53:45 +0100
Subject: [PATCH] detect-proto: add tests for detect-engine-proto

Task: 4911
---
 tests/detect-engine-proto/README.md  |   7 ++++++
 tests/detect-engine-proto/input.pcap | Bin 0 -> 3054 bytes
 tests/detect-engine-proto/test.rules |   4 +++
 tests/detect-engine-proto/test.yaml  |  36 +++++++++++++++++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 tests/detect-engine-proto/README.md
 create mode 100644 tests/detect-engine-proto/input.pcap
 create mode 100644 tests/detect-engine-proto/test.rules
 create mode 100644 tests/detect-engine-proto/test.yaml

diff --git a/tests/detect-engine-proto/README.md b/tests/detect-engine-proto/README.md
new file mode 100644
index 000000000..d18d6d682
--- /dev/null
+++ b/tests/detect-engine-proto/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test the working of protocol detection by setting up the signature and later testing its working by matching the received packet against the sig.
+
+# PCAP
+
+The pcap comes from https://github.com/bro/bro/blob/master/testing/btest/Traces/tcp/tcp-fast-open.pcap
diff --git a/tests/detect-engine-proto/input.pcap b/tests/detect-engine-proto/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..2893440fa28055e3d833875079290cbaea3d429c
GIT binary patch
literal 3054
zc-qZYU2GIp6uw)w(9E&{d?LO$Pee$!GyBs5qw-T)iY=9mU5JS>_U_DOcjD~Kc7D3s
z`qG4$O8kKriSa>HY=wjvQk7`Z2cscDOpvG#kmwUZe6T$9fzn`F&$-j?@37DAy)(Jz
z-gCe6-E+=8v%mj1_h}mmlj<)_LhwHQ?FS>Vfe3jC#`uuUI}2AQN&3Y1B-BCr2|2L%
z*8y^1qw%Mpsv&q{w--oy^xQ}NsC=c(-ulh2gtUd*zYe!`2;@%w0?vmvY}m9CUOtWJ
z(=SHI37Esj$MtP+^dn#Z&|jZNWVAriw-=s!x^Ev?IDG4=G4Y2|6@7K}(L=NV=o?oy
zFQ4A=%$3obH?E#VD?0`w<P;b<6?6t~@jgGp7Y%1P43_p!Z7260z6qQ|od4%&WuQMJ
zO1i1Ba#t~56pv&wX(`?%M}^}KvttKy%yboT*qYQ0gG$}Fa8OlQ5hiy@yP`r=KuYFN
zg!BTN-k^i0=C32A3!54az8`2!Pi+ldyL-o{1ay{=79yS>jSvB%hEEgXzw<vK;%EB;
z5x0k~ouC!OM~Jv~s<@bx6L6SurimF=C|WkPbz>qbj4*qg*@|f9bh8YKJ$TMO>M}(f
zp>C%r?-mC=Q%uP5lo*dIiEc&SD-H~2qQW7|biqZj%tR5CT~>Cbyjw8%g2_}@w@gJ;
z4a;Fs;gwk0DlwaBvEB(qOdm;uKfAl)iC7{k9JN&HD_4WDzescJg#y)0l-7NHlD72q
z4esmqde8K4;-1+CzTQ&r8AM#IMQlu{)Z*Vfq3$;%)HI-WOl>0zckfjaY6eje@mw}S
zE(6%*AjFRsRuFM4S3!J0(*LZy^(rdgf@?N8R(H*2D%Y&$BJi|rbX8ZE<ag$(Qjt1N
zNqa&<tCM9n;RNRLciEQy{h9kW+~D61@W|Udm!oz5ok2vVM#vz54F(}Tzg8Bm*C0L^
z$}T$Kk-1NxENnSnR~9%bmIXxqP;C{tg;nn7TMd4m19W$4E4laOOmpNSUWB~XPWaQv
zwf&gzE+VFPHgI(j74O||k;>_p5w&vf60$5F8~Q(7w5VWPmaCK%85$o-{yVFiQkFV-
zL8GhyU}Yr^ZB39o$CeyWsg5MmGAuZTfU{*K0gbN*D>)MmC?%ocNYdDNppvPAR!ZsV
z?oOr@E=ud55{g2O78oLRD?PH}3mm6rSO;04NUleTClnk?<J6W^s^*!*#U_2D2<p3`
z!GJ3}MawcIqo@Uf>jtRrfyRe?gFkB0HCYLH?}f&PHQ>J7w8QgMBomjhbD?IBFE{Ne
z+E#f2Hzl$A(i0+5DwSdybt#4=iM=wx&43gXYpTBCAu9+E^fi%h@W(+1F?0tLF1ZK$
zFt|rIbK+5$6o;t^b<6evxLWgW-Nu|q?!^vc%~!TPQ}U&z4LOs#=;~A)`v6K}ua}Fx
z%;1CPqV16h$7KcaS*jIubLYDCtmN+uh@F+SG<2(<m;QTg5|m6<2I^Q>gU+7yJYC~)
z#6ZTCs=4(wKfCinAIs|0i~(AK>%;w%Q%Y^raVh2NpQMJv1jnVW51v?~RfRWCI<=~B
zKOAs&)^oT%B#69QsX9}`g&K7az7{@f*?-|gXJ@A(<*fpf_;R&oI8NTDk*cGCz<jCM
zF<5Nh@miJd2mHe@_Dgg5UOEHi`|%~aQod)g;3DE5UaOCn@E#%_KU817m(K9=4Sx<U
zUaT+Qh!`)m<QU={Zw7EY3x5tCUn(|pw973yzRx-KHgG%(s9)g+_Tp?E$Jze?=hxAA

literal 0
Hc-jL100001

diff --git a/tests/detect-engine-proto/test.rules b/tests/detect-engine-proto/test.rules
new file mode 100644
index 000000000..a4c742c67
--- /dev/null
+++ b/tests/detect-engine-proto/test.rules
@@ -0,0 +1,4 @@
+alert udp any any -> any any (msg:"Not tcp"; flow:to_server; sid:1;)
+alert ip any any -> any any (msg:"IP"; flow:to_server; sid:2;)
+alert tcp any any -> any any (msg:"TCP"; flow:to_server; sid:3;)
+alert http any any -> any any (msg:"http"; flow:to_server; sid:4;)
diff --git a/tests/detect-engine-proto/test.yaml b/tests/detect-engine-proto/test.yaml
new file mode 100644
index 000000000..ba4d1584e
--- /dev/null
+++ b/tests/detect-engine-proto/test.yaml
@@ -0,0 +1,36 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: http
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 7
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 7
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 2
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
-- 
2.47.2