From 303c2da95999a374d5a808e11dab61bd3bcd80ae Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 7 May 2024 09:06:15 +0200
Subject: [PATCH] detect: add a test for protocol mismatch detection

Ticket: #4921
---
 tests/detect-app-layer-protocol-05/README.md | 11 +++++++++++
 tests/detect-app-layer-protocol-05/test.rules | 1 +
 tests/detect-app-layer-protocol-05/test.yaml | 11 +++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 tests/detect-app-layer-protocol-05/README.md
 create mode 100644 tests/detect-app-layer-protocol-05/test.rules
 create mode 100644 tests/detect-app-layer-protocol-05/test.yaml

diff --git a/tests/detect-app-layer-protocol-05/README.md b/tests/detect-app-layer-protocol-05/README.md
new file mode 100644
index 000000000..ad276369a
--- /dev/null
+++ b/tests/detect-app-layer-protocol-05/README.md
@@ -0,0 +1,11 @@
+# Test Purpose
+
+Test `app-layer-protocol` keyword with protocol mismatch
+
+## PCAP
+
+PCAP reused from proto-mismatch-http-ssh
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/4921
diff --git a/tests/detect-app-layer-protocol-05/test.rules b/tests/detect-app-layer-protocol-05/test.rules
new file mode 100644
index 000000000..150dd00d4
--- /dev/null
+++ b/tests/detect-app-layer-protocol-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"HTTP client to SSH server"; flow:to_client; app-layer-protocol:http1,to_server; app-layer-protocol:ssh,to_client; sid:1; )
diff --git a/tests/detect-app-layer-protocol-05/test.yaml b/tests/detect-app-layer-protocol-05/test.yaml
new file mode 100644
index 000000000..9ae49ce93
--- /dev/null
+++ b/tests/detect-app-layer-protocol-05/test.yaml
@@ -0,0 +1,11 @@
+pcap: ../output-eve-anomaly-02/input.pcap
+
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
-- 
2.47.2
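Review bot: The `pcap:` line points at `../output-eve-anomaly-02/input.pcap`, while the README added in the same commit states the PCAP is reused from proto-mismatch-http-ssh, so one of the two is wrong and a reader following the README will look in the wrong test directory. If the anomaly-02 capture is the intended input, the README's PCAP section should say so (`PCAP reused from output-eve-anomaly-02`); otherwise the path here should be corrected to the capture the README names. Since the only check is an exact `count: 1` on sid 1, the expected count presumably depends on how many HTTP-to-SSH flows that capture holds, so naming the right capture matters for the test staying meaningful.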