From 8c3aefc693529763e290d407f2942124f8f08d81 Mon Sep 17 00:00:00 2001
From: Haleema Khan <hsadia538@gmail.com>
Date: Sat, 22 Oct 2022 08:53:55 +0500
Subject: [PATCH] detect-itype: add tests

Ticket: #5590
---
 tests/detect-itype/README.md  |  11 +++++++++++
 tests/detect-itype/test.pcap  | Bin 0 -> 17124 bytes
 tests/detect-itype/test.rules |   4 ++++
 tests/detect-itype/test.yaml  |  24 ++++++++++++++++++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 tests/detect-itype/README.md
 create mode 100644 tests/detect-itype/test.pcap
 create mode 100644 tests/detect-itype/test.rules
 create mode 100644 tests/detect-itype/test.yaml

diff --git a/tests/detect-itype/README.md b/tests/detect-itype/README.md
new file mode 100644
index 000000000..ecf9001d0
--- /dev/null
+++ b/tests/detect-itype/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test ICMP itype rule keyword.
+
+PCAP
+====
+PCAP comes from the redmine ticket [5590](https://redmine.openinfosecfoundation.org/issues/5590)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5590
\ No newline at end of file
diff --git a/tests/detect-itype/test.pcap b/tests/detect-itype/test.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f84ec757b141af541d6a4598142a42d105bd5d14
GIT binary patch
literal 17124
zc-p1gcTm+=7QpfM5EN1DiXtXFOKgeJ7+u{Mqp>AwCYy<~uI^f}MKO_px*;I;Sg>Q?
zSVDAdYb;=tswg(Fp%fb`NK={(QLKB;_0F98*ZGb2I)mds$M1Z2@BPZXzn7L65$<Gj
zw$UGFn;rhX<lSoMnV+iKM!~=FC$oR|kn|zN`!5gNw7}KY$7UOp{c8_f4}1E~gdO(E
z@Z;`ki+^;!kIjyg`2XyLY5Y^GcAdKQ>NoIc*vPZ7SCe<%^>#FE*1W}gEnBs2)As!j
z+I`r*!$%!I?$r4&IJYd2if>wPx^IfZcG{r0egoF9YO|d%DyG6*+GN&PA&djaxV0RL
zPN}kZbn@F5W2UgiB4Hd##@$B6G?=^O&lzt=pfN3sjJuvdu~M2W#`wQ|F*blR4);Oh
zx?D0w7!}iDu7Wk@%td2r0vQ+LZ`C<n7O!a(vv^~&Fb0!xg;6mB=HhwdOJVFs#-op+
z=#n9e;TpvmyfH->r;;(rsCXHFtE@5CTNs;@adR0ID_@qyV;aRs);Pjj7+a8WyHW89
z%su9facI1>fQ*arC|Bi*ET-ucdE+!Ru1zB2Dx>06m@DOtMZ!3QjG+&q=z3Ka(>02T
zym7lQZX#otQSlngm9xgY<!HQkKrudmV%2M!zg3*O$r?v4L*tr*iqWWe9p>(^#{Ai6
zOgTozRrjIjc3l>eG>SJ^qfZDLSDz;12BTso%oXuQ@m@_)-m5F_L9tq<ES}LQUS^G>
z>Iq{9GOjl&-hjEYtg&DV8ZU&CaepZktKX2tT^hx;yfFZct5V4rZB)Ez`8pOH6~;Ma
zTwVf2_nWeqtWiA28b@~*#wui7XH>iebA`O|nlSp3aal1GYuqv@9^s9>h0#vNwMNA(
z%j4>uR5YIVC*$lQDAvr9#SD!if9@F58jUNx$QWu=%!au<)_8X@8qY<Macv<KYh}w~
zf<|#SZ}dZBSOyt48x?QETncL}oPx%)DP-Js7mBrS%i=zb;uPK(E{t2rxW}lNV|jio
z3>L;DGA_LX#X32%cuJ$VgE#IF#*JiLV^qwAxeKhZXaX9~Tqom(0w~tamBlEH;%eR~
z?ybU<d#kNR#XOk1$Q%8HF`bO-^PyNTPxFoy=a#U>v9V}e5lY5zqhdbHW%I@aVVq0G
zMR`!HpRf7O!MTmBah!)Rwj<+8qhbNfJ!Fl=ebJcwij329q1d267E?8f2Y6#UVe}y5
zJfq?rn9Jmi(}nS*a=n@ZMUOkOctoSfU(1c#g2v^)E7z+=#k-c*0L78QxPpvJZbPx*
zUCq04oIAuD&k1878CM$>3t?`~EY4W+A2cTIB4g1-C^jmT#nH3gzWBG<obkKyXk2!K
zjE{_pMKCv+HI{Z3#u{X-NP(hfkt`0<D0bkDQNp-{jP{Er#bTJ7#~V+e@$?Kb=3Rhd
z<6>F-PNUe1HI5hS085p1fD)r(37)N3<Gt#_*oBN)=b`9TB8w9>ivMDb6PgKQQ!?H$
zDwe|BG~Ot#S5GO|t3~Ia*rZezM`#pB^2VoVT=JFjc{D2Cvwj_8gfWzix6VTGoqMwA
zt5F=r8ht0Daq%TG78n)p!`wLD_*57NlF<o^@7|Ziz8b~9v&M;CgwdUhZbroiFt?C3
z-rt1AliSF6H5rQD4`gwYMsX-_oQTFn*T|S{RD1|?lX#=pn>(rO%{@<oqT`_~4$vs}
z=8XlyIGl`?l1++_U@n+7KG=%J6Tgu$=QI?XK9a>z8pY3f;|pQ@l8i-0#WI+i$r>Nd
zN8|B$<=k-!ip|Poag0VWkTrfEjmFT$%DKa+_!#DX;f=|{7(~XKC!yH<u`G_&D9&V!
zKXetw>SW9}DwgAJAZvVd2#twLl<S-mP;5~yi^DXEzPxcP8W(0M*EvSTCongQHI}s$
z#wKLEejJMLJ(0z68bu%8m@13`WXv%tKD9Qcpz+ugGTumpV#}wRcL7hW->c7su|FB}
zjEWU_^~f3@Hy1{4GCny5#a0!v_=QHXJ!_n_7mW+nkny!q@fpkw;*Da>>Zr12WyfOc
zXR`RIMzJezye^EsWUOjbd=7K|yfI4{$B;2I0g7#&%c74)aWHSZA&le6m}^vgVR`N-
z7taGED9;0&KLW+JFEp>LaIOz)^gDsZ`7_CwVN`sHM>*bjSQzJ#vG_0)-+w8KUuzT_
zu*M(T3uApUmKhaa!Q2?u_+$|pk3^HPEFOv<ywbc2z`3@(v9mDNB;yOC;%k_j&Kt$K
z<A`$Z$c%$xyVsg$WSncm8~dSg-YezvXjHU0S`A&y8lN6S<Kd-bJQ)kc4{;Jp0UE_`
zcw?9_Mw0QoQPJ+OS_i1`62?}_F((F!?d`HSL8CZ`HTw4yMrY-iV^nm4x%IqJJogx{
zJogwI4aE*lvKXvUoWmLeK0)IzZe&a}DprEI1+4K|U198?ypB;&{HT&cZzZsj<?9&G
zLl|9@*U_lx40DTk<2p3P?Iz=?Ls0DKEQ>#A6#aOk*bA7e>;+sfD!N!6bDsASMmrf3
z4?^){7g_vKqsXsW;bX>N>_)~jM#ai7w~053b-7q&T`u8ID0Zr>d6dJs(Y!GZjdK=~
z@w8E~io<Fz;6*wbWBkaNd;p4_t7v{YaPA+haf(eC`;hUHQPI_5wGQx7taU^yYaJ<(
zP!y9`8mUp__dBK}p>g&!GF~w%R&`jdJ-+HDjILz75&^|7Rb_FoMzJGnoVo&yvks6k
z%c$t)u-fl<-3E<Oo@7kj55=x-viMJpVo%oi@2O~<nL@_vM#X9{H=j2?K;xlr$#`NP
z6#rUH7RPH8`90R3#-MRVHW|+u6|2MCQr2h_&jTDhrF>6kFBCtiE{lE|#cx?-pr<gl
zRlcWVRCIS(?RVI}M&qC5%6A|3K(U*<LvI(!-P$NVkJFXUW0Fy^2F%UnjT?n=hjI<@
z2NXZ8p?M_7xq-YfLm2&(YXGBSO_&Q~jZP!bcp#sQF}tDIy{6_n2j@aq<Iin{(UXkF
zjEc2j?pM}WNj!rT`I?OT{s+a+YRO`tMsWde%td2}4;iD3inU?xd)_FXd5D}z#*AH1
z>`_}5ztJf2`;S55yGYZN?;_naD%NpW?OQp!2xAXr9bhLEd)Cps>ZoIR-w}KgjlnaN
zbpWGcU6?E3jiqRe7)-_?JD~V^U0FP<QH)`Y(}trlsDO+<M#XwCw}v&kh~w&h<+!?k
zI~04>lf}sz#o@eB>{|sX`&Q9L#riO}fi+eRMdQ9$GDd8JV(<F0=&w<n$Q#A8WI@Wa
zWHCm?29|49RcZ-iCo)F=7m9rvXs#gP+-%+`t^tCSYk;FhMGwpS$13q?+^g&b#BGIQ
zUk``gt}f2;dpaTFyAMIicOQ-$6&pIN_B&jC(YQx>o;+p?6#F%F=<Rqmv^;l&h-c=1
zR-TzZW>jnhb1QjctS~CiS?&29ieEI+{B+<P|14R^VPTw4#)C#hPs_DOS8;E(XAl_=
zghTO5Pt7Z2oC{!$)5W<XP&s$R85JAj5r8#T72nhOL)p`b{SAu!8$0x#mchBNc;jVZ
toTRKF8x_4Q?;qXl!q{7RuWp9o056B$ZXnK$V2v}x{bQhV|9H@-_<vp`sU!dZ

literal 0
Hc-jL100001

diff --git a/tests/detect-itype/test.rules b/tests/detect-itype/test.rules
new file mode 100644
index 000000000..ea24b4c9d
--- /dev/null
+++ b/tests/detect-itype/test.rules
@@ -0,0 +1,4 @@
+alert icmp any any -> any any (itype:8; sid:1;)
+alert icmp any any -> any any (itype:<15; sid:2;)
+alert icmp any any -> any any (itype:>7; sid:3;)
+alert icmp any any -> any any (itype:7<>20; sid:4;)
\ No newline at end of file
diff --git a/tests/detect-itype/test.yaml b/tests/detect-itype/test.yaml
new file mode 100644
index 000000000..d9347e825
--- /dev/null
+++ b/tests/detect-itype/test.yaml
@@ -0,0 +1,24 @@
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 75
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 150
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 75
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 75
+      match:
+        event_type: alert
+        alert.signature_id: 4
\ No newline at end of file
-- 
2.47.2