From 32051f5446bf89810cf5f5d3beeb04185d6cab62 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Fri, 13 Sep 2024 18:27:50 -0300
Subject: [PATCH] rules/test: add app-layer-protocol negated test

To complement bug-7241 tests.
---
tests/rules/app-layer-protocol/test.rules | 2 ++
tests/rules/app-layer-protocol/test.yaml | 24 +++++++++++++++++++++++
2 files changed, 26 insertions(+)
create mode 100644 tests/rules/app-layer-protocol/test.rules
create mode 100644 tests/rules/app-layer-protocol/test.yaml
diff --git a/tests/rules/app-layer-protocol/test.rules b/tests/rules/app-layer-protocol/test.rules
new file mode 100644
index 000000000..d97f65c90
--- /dev/null
+++ b/tests/rules/app-layer-protocol/test.rules
@@ -0,0 +1,2 @@
+drop tcp any any -> any any (flow:established; app-layer-protocol:!tls; sid:1;)
+drop tcp any any -> any any (flow:established; app-layer-protocol:!tls; prefilter; sid:2;)
diff --git a/tests/rules/app-layer-protocol/test.yaml b/tests/rules/app-layer-protocol/test.yaml
new file mode 100644
index 000000000..23b813282
--- /dev/null
+++ b/tests/rules/app-layer-protocol/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 7.0
+ pcap: false
+
+args:
+ - --engine-analysis
+ - --simulate-ips
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ app_proto: "unknown"
+ not-has-key: "prefilter"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ app_proto: "unknown"
+ prefilter.buffer: "packet"
+ prefilter.name: app-layer-protocol
--
2.47.2
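Review bot: The two rules in test.rules carry no `msg` and no comment, so nothing in the file says which behaviour sid 1 and sid 2 are meant to pin. A leading comment line such as `# bug 7241: negated app-layer-protocol, without (sid:1) and with (sid:2) prefilter` would let a reader connect a failing check to its rule without going back to the commit message.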
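Review bot: The checks in test.yaml only read `rules.json` produced by `--engine-analysis` with `pcap: false`, so the test pins how the negated rules are classified (`app_proto: "unknown"`, prefilter on the `packet` buffer) and never exercises the `drop` verdict on traffic. For an IPS rule that drops everything that is not TLS, what happens to packets before protocol detection completes is the part an operator depends on. That is presumably covered by the bug-7241 tests the commit message refers to, which this diff does not show. A comment at the top of the file, e.g. `# Engine-analysis only; traffic behaviour of the negated match is tested under bug-7241`, would make the scope explicit.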