From 0e41b39093a99df8d823459fced2bdfea42bc905 Mon Sep 17 00:00:00 2001
From: Daniel Olatunji
Date: Wed, 31 Jan 2024 16:37:54 +0100
Subject: [PATCH] tests: add rule to check for tcp/ack

Related to Issue: 6354
---
 tests/rules/tcp_ack/README.md | 2 ++
 tests/rules/tcp_ack/test.rules | 3 +++
 tests/rules/tcp_ack/test.yaml | 28 ++++++++++++++++++++++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 tests/rules/tcp_ack/README.md
 create mode 100644 tests/rules/tcp_ack/test.rules
 create mode 100644 tests/rules/tcp_ack/test.yaml

diff --git a/tests/rules/tcp_ack/README.md b/tests/rules/tcp_ack/README.md
new file mode 100644
index 000000000..051dbbed2
--- /dev/null
+++ b/tests/rules/tcp_ack/README.md
@@ -0,0 +1,2 @@
+## Description
+Rule test for tcp-ack keyword engine-analysis output; includes the test.yaml and test.rules files.
\ No newline at end of file
diff --git a/tests/rules/tcp_ack/test.rules b/tests/rules/tcp_ack/test.rules
new file mode 100644
index 000000000..c6212635a
--- /dev/null
+++ b/tests/rules/tcp_ack/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Testing ack"; ack:782; sid:1;)
+alert tcp any any -> any any (msg:"Testing ack"; ack:15; sid:2;)
+alert tcp any any -> any any (msg:"Testing ack"; ack:437528; sid:3;)
\ No newline at end of file
diff --git a/tests/rules/tcp_ack/test.yaml b/tests/rules/tcp_ack/test.yaml
new file mode 100644
index 000000000..806629d66
--- /dev/null
+++ b/tests/rules/tcp_ack/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 8.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.packet.matches[0].name: "tcp.ack"
+ lists.packet.matches[0].ack.number: 782
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ lists.packet.matches[0].ack.number: 15
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ lists.packet.matches[0].name: "tcp.ack"
+ lists.packet.matches[0].ack.number: 437528
\ No newline at end of file
-- 
2.47.2
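Review bot: The second filter (id: 2) omits the `lists.packet.matches[0].name: "tcp.ack"` match that the id 1 and id 3 filters carry, so it only confirms that some match at index 0 has an ack.number of 15, not that the ack keyword produced it. Adding the line `lists.packet.matches[0].name: "tcp.ack"` under the id 2 match block keeps the three checks symmetric and makes the test fail if the engine-analysis output ever attributes that number to a different keyword. The file also ends without a trailing newline per the `\ No newline at end of file` marker, as do the README and rules files in this patch.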