From e339de61ad6ef862d4b1df4d3a2683c247bc7067 Mon Sep 17 00:00:00 2001
From: Daniel Olatunji
Date: Wed, 31 Jan 2024 16:29:16 +0100
Subject: [PATCH] tests: add rule to check for tcp_seq

Related to Issue: 6353
---
tests/rules/tcp-seq-keyword/README.md | 2 ++
tests/rules/tcp-seq-keyword/test.rules | 2 ++
tests/rules/tcp-seq-keyword/test.yaml | 21 +++++++++++++++++++++
3 files changed, 25 insertions(+)
create mode 100644 tests/rules/tcp-seq-keyword/README.md
create mode 100644 tests/rules/tcp-seq-keyword/test.rules
create mode 100644 tests/rules/tcp-seq-keyword/test.yaml

diff --git a/tests/rules/tcp-seq-keyword/README.md b/tests/rules/tcp-seq-keyword/README.md
new file mode 100644
index 000000000..5a8d4ad04
--- /dev/null
+++ b/tests/rules/tcp-seq-keyword/README.md
@@ -0,0 +1,2 @@
+## Description
+Rule test for tcp-seq keyword engine-analysis output; includes the test.yaml and test.rules files.
\ No newline at end of file
diff --git a/tests/rules/tcp-seq-keyword/test.rules b/tests/rules/tcp-seq-keyword/test.rules
new file mode 100644
index 000000000..2ac64f923
--- /dev/null
+++ b/tests/rules/tcp-seq-keyword/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"Testing seq"; seq:624; sid:1;)
+alert tcp any any -> any any (msg:"Testing seq"; seq:723833; sid:2;)
\ No newline at end of file
diff --git a/tests/rules/tcp-seq-keyword/test.yaml b/tests/rules/tcp-seq-keyword/test.yaml
new file mode 100644
index 000000000..d72a8a227
--- /dev/null
+++ b/tests/rules/tcp-seq-keyword/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 8.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.packet.matches[0].name: "tcp.seq"
+ lists.packet.matches[0].seq.number: 624
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ lists.packet.matches[0].seq.number: 723833
\ No newline at end of file
--
2.47.2
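Review bot: Both rules in test.rules carry the identical `msg:"Testing seq"`, so sid 1 and sid 2 can only be told apart by their `seq` value when reading rule output or analysis logs. Giving each a distinct message keeps the fixture self-describing, e.g. `msg:"Testing seq 624"` for sid 1 and `msg:"Testing seq 723833"` for sid 2. The values themselves are exercised by the test.yaml checks, so this is a readability point rather than a correctness one.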
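Review bot: The second check in test.yaml (the filter with `id: 2`) omits the `lists.packet.matches[0].name: "tcp.seq"` assertion that the first check carries, so it only confirms a `seq.number` of 723833 and would not notice the value being reported under some other match-list entry name. Adding `lists.packet.matches[0].name: "tcp.seq"` under the second `match:` makes both checks assert the same shape and lets the test fail if the engine-analysis output for the keyword changes its name. The YAML indentation appears collapsed in this rendering, so the nesting of `filename`, `count` and `match` under each `filter` is inferred rather than visible here.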