From 745b64d31c21743af37da51680de9b3141272202 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 4 Aug 2020 16:29:34 -0600
Subject: [PATCH] rdp-protocol: test rdp metadata in alert
---
 tests/rdp-protocol/suricata.yaml | 1 +
 tests/rdp-protocol/test.rules | 1 +
 tests/rdp-protocol/test.yaml | 8 ++++++++
 3 files changed, 10 insertions(+)
 create mode 100644 tests/rdp-protocol/test.rules
diff --git a/tests/rdp-protocol/suricata.yaml b/tests/rdp-protocol/suricata.yaml
index 0bfabbc4b..7b5a5edd4 100644
--- a/tests/rdp-protocol/suricata.yaml
+++ b/tests/rdp-protocol/suricata.yaml
@@ -7,6 +7,7 @@ outputs:
 filetype: regular
 filename: eve.json
 types:
+ - alert
 - rdp
 - flow
diff --git a/tests/rdp-protocol/test.rules b/tests/rdp-protocol/test.rules
new file mode 100644
index 000000000..aaa2752c3
--- /dev/null
+++ b/tests/rdp-protocol/test.rules
@@ -0,0 +1 @@
+alert rdp any any -> any any (msg:"TEST RDP RULE"; sid:1; rev:1;)
diff --git a/tests/rdp-protocol/test.yaml b/tests/rdp-protocol/test.yaml
index 031f6ce7e..774388664 100644
--- a/tests/rdp-protocol/test.yaml
+++ b/tests/rdp-protocol/test.yaml
@@ -35,3 +35,11 @@ checks:
 rdp.channels[0]: "rdpdr"
 rdp.channels[1]: "cliprdr"
 rdp.channels[2]: "rdpsnd"
+ - filter:
+ count: 1
+ match:
+ event_type: "alert"
+ pcap_cnt: 5
+ rdp.tx_id: 0
+ rdp.event_type: "initial_request"
+ rdp.cookie: "A70067"
-- 
2.47.2
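Review bot: The added `- alert` entry enables alert records in eve.json, but whether those records carry the `rdp.*` fields that the new test.yaml check asserts depends on the alert output's app-layer metadata setting, which this bare list-item form leaves to the Suricata default (enabled in recent versions, as far as I can tell, but not stated here). Making it explicit would keep the fixture independent of that default, e.g. replacing the line with `- alert:` followed by `    metadata: yes`. The `outputs:` block this hunk sits in starts outside the hunk.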
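Review bot: The new rules file carries no comment explaining its role; `alert rdp any any -> any any` with no further match conditions can fire on every RDP transaction in the pcap, and only the `pcap_cnt`/`rdp.tx_id` filter in test.yaml narrows that to a single hit, which a reader of test.rules alone cannot see. A leading comment such as `# Matches any RDP transaction; test.yaml selects one alert by pcap_cnt and tx_id to verify rdp metadata is attached to alert records` would make the fixture self-explaining.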
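Review bot: The added filter pins the alert to `pcap_cnt: 5` and to the RDP fields, but not to the rule that produced it, so with `count: 1` any alert carrying rdp metadata on that packet would satisfy the check. Adding `alert.signature_id: 1` under `match:` (and optionally `alert.signature: "TEST RDP RULE"`) ties the check to the rule introduced in test.rules in this same commit. The `checks:` list this hunk extends begins outside the hunk.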