From e175f28c6ac69dfc7f2416a24efa60e987320ad3 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 13 Oct 2023 16:18:56 +0200 Subject: [PATCH] tests: add bug 6402 test --- tests/bug-6402-01/input.pcap | Bin 0 -> 2265 bytes tests/bug-6402-01/test.rules | 9 +++++ tests/bug-6402-01/test.yaml | 70 +++++++++++++++++++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 tests/bug-6402-01/input.pcap create mode 100644 tests/bug-6402-01/test.rules create mode 100644 tests/bug-6402-01/test.yaml 
diff --git a/tests/bug-6402-01/input.pcap b/tests/bug-6402-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ca3600287cadbdb372432c19c70bcb4a5c639b97 GIT binary patch literal 2265 zc-pnpUr1AN6bJC%@9v_vTi3D|?IF8Hm|AYTx>iWRL}pSB%9bzXHCv;i;Y6?fp(0n} zV>nZD1Vcp}q7O4j$cU19P)Z212MJ+41TMjc5X~q1{f^sYclTuvSGXdZJATghoa4f$ z*MkgV(asl(F!}yDM|A&L6VM3xnLf zRu{{aqhPzQ6Ek$x4;eVpqo!yLoJ>toJ<&&<}1lN!#@6B~+{e)jMPSM!KDgb>s| z9r4?cEu-oP&mc@5CXmO@f2ey?Pd`7vtTkNBCnEN6lw~-6mHXBUbq$70svcg~TWyu8 zx@MA!sXVSmh^h-FshG;y`9R+K*UnZVmk0K*?XGOwQU9oYcZJI1>c1NT3X;DQ)KYiF z)ZdfTkNo**sB1#)ko7B7)|N;&WPMDPwM^tn`#v1?k<2iLocpMnYK4CSS|RmUw6sex zZD*2pwre2`Z6M?WtwW{tMP5*?eMwWBi=(TSWbIkIQ#6UyPUi)aWRwKH+S{s>i;~$` zY9vp&R9a>c_{**CmXeB_?k4ht$Jlqi`Hot(QXDA0vZW_MP8uowR+GwokRvmVjnR{TVIoR7^XXq#fznNJD$q zdJVMQDy_T-YvsV2+FZQcy_wL~Q*CTSX0g;vg0J*8DP$Za&Iirza#3;LS4_>G#@kKt zDcnI>dY{WvSinHax%9xf6sZ<)jPw?Sb2*q;z<$~r)&9m=C`{^ywX{Pq?R1j%xqojO zTG`qNQy5iEp=uG%#gVI;LNGps$HR#!$W(mG?eTcUd)^k$4RQN6sK3~td)m(+?f#Us zdm-&YjkLp%_O3+Q0onuA4(YD7UWc@&QZ5vB!%?J4I}B-OlMCgO)27-et9!N`knPKq wZ2KVFqZ-*x5N*_#nVRjM4BfMJLAGyGvV~1>6soeFAmVZO@0Xd#wt any 6081 (msg:"geneve udp"; sid:2;) +pass udp any any -> any 6081 (sid:1;) +alert ip any any -> any any (msg:"all IP"; sid:5554;) +alert tcp any any -> any any (msg:"all TCP"; sid:5553;) +alert ip any any -> any any (msg:"IP Packet with 47 protocol"; ip_proto:47; sid:5555;) +alert ip any any -> any any (msg:"IP Packet with GRE protocol"; ip_proto:gre; sid:5556;) +alert icmp any any -> any any (msg:"ICMP"; sid:5557;) +alert http any any -> any any (http.uri; content:"/"; sid:666;) + diff --git a/tests/bug-6402-01/test.yaml b/tests/bug-6402-01/test.yaml new file mode 100644 index 000000000..b3d07b3c3 --- /dev/null +++ b/tests/bug-6402-01/test.yaml 
@@ -0,0 +1,70 @@
+args:
+- --runmode=single
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: UDP
+ flow.alerted: false
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5553
+ - filter:
+ count: 14
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ proto: GRE
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5554
+ proto: TCP
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5555
+ - filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 5556
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5557
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: "CLOSED"
+ fileinfo.size: 18
+
+
-- 2.47.2
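Review bot: The test carries no description of what bug 6402 is about — the commit adds only input.pcap, test.rules and test.yaml, and neither the yaml nor a README names the symptom these counts pin down, so a future failure would give no clue which decode behaviour regressed. A top-of-file comment in test.yaml such as `# Bug 6402: <one-line description of the expected behaviour for the GRE-encapsulated traffic in input.pcap>` (or a README.md alongside it) would fix that. Since the checks encode post-fix counts (12 GRE alerts for sid 5554, one CLOSED fileinfo of size 18), a `requires:` block with `min-version:` set to the first release carrying the fix would keep the test from failing on older Suricata builds, assuming the fix is version-bound. The rules file also defines a `pass` rule (sid 1) and an alert (sid 2) on udp/6081 that no check references; a filter with `count: 0` on `alert.signature_id: 2` would make the intended pass behaviour explicit instead of leaving it implied by `flow.alerted: false` on the UDP flow. The two blank lines at the end of the hunk are trailing whitespace that can be dropped.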