From b3ecbc43fda8534c0b921c5c9e8398f0d470c30d Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 18 Jan 2021 10:37:04 +0100
Subject: [PATCH] tests: add bug 990 test

---
 tests/bug-990/input.pcap | Bin 0 -> 123 bytes
 tests/bug-990/test.rules | 2 ++
 tests/bug-990/test.yaml | 41 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 tests/bug-990/input.pcap
 create mode 100644 tests/bug-990/test.rules
 create mode 100644 tests/bug-990/test.yaml

diff --git a/tests/bug-990/input.pcap b/tests/bug-990/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d932ccee51d8bef190ac0ca876d1cad77c735769
GIT binary patch literal 123 zc-p&ic+)~A1{MYcU}0bcl58HnK`u)f7=jrfn1R3l%=d>eKktS*OK~u`GBCKdJ#=7j z5X>$-u)=lD0ky_g2Ocw+G8itOlJ^X#pAl+Sa(+rGOKx#W9%pW5a#4P9ep(50a(*sI G0V4oY+90X` literal 0 Hc-jL100001
diff --git a/tests/bug-990/test.rules b/tests/bug-990/test.rules
new file mode 100644
index 000000000..81f44a60a
--- /dev/null
+++ b/tests/bug-990/test.rules
@@ -0,0 +1,2 @@
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
diff --git a/tests/bug-990/test.yaml b/tests/bug-990/test.yaml
new file mode 100644
index 000000000..4499ae802
--- /dev/null
+++ b/tests/bug-990/test.yaml
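Review bot: The first line of test.rules keeps a commented-out copy of sid 1321 with `$EXTERNAL_NET`/`$HOME_NET`, and nothing says why the active rule was widened to `any any -> any any`, so a reader cannot tell whether the variable form is dead text or meant to be re-enabled. A one-line comment would settle it, e.g. `# bug 990: upstream signature rewritten as any/any so the match does not depend on HOME_NET/EXTERNAL_NET; the escaped \; in the reference URLs is presumably what this test exercises`. Both lines carry sid 1321, so the first must stay commented or the two would presumably be reported as a duplicate signature at load time; saying so in the same comment avoids someone uncommenting it later.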
@@ -0,0 +1,41 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.38.129.234
+ dest_port: 53
+ dns.id: 28390
+ dns.rrname: code.msdn.microsoft.com
+ dns.rrtype: A
+ dns.tx_id: 0
+ dns.type: query
+ event_type: dns
+ pcap_cnt: 1
+ proto: UDP
+ src_ip: 192.168.69.156
+ src_port: 49379
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 192.38.129.234
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 83
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: new
+ proto: UDP
+ src_ip: 192.168.69.156
+ src_port: 49379
-- 
2.47.2
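Review bot: The `event_type: alert` check with `count: 0` is the assertion that carries this test, yet the file never states what bug 990 is or why a `ttl:0` rule is expected not to fire on this DNS query, so the dns and flow checks read as the point rather than as fixtures. A header comment such as `# bug 990: the ttl:0 rule in test.rules must not alert on this capture (packet TTL is presumably non-zero — confirm against input.pcap); the dns/flow checks only pin that the packet was parsed` would make the intent reviewable. `-k none` in `args` turns off checksum validation, which presumably is needed so the packet reaches detection at all; that deserves a word in the same comment. The flow check pins `flow.age: 0`, `flow.reason: shutdown` and `flow.pkts_toserver: 1`, which presumably hold only because the capture ends after a single packet, so anyone extending the pcap will need to revisit them.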