From c7f4465ac6dad410ab58e04e37697095698383ef Mon Sep 17 00:00:00 2001
From: Sam Muhammed
Date: Thu, 10 Feb 2022 17:20:12 +0200
Subject: [PATCH] nfs: Add detection rules for NFS3_READDIRPLUS Improve S-V test for NFS3PROC_READDIRPLUS related to Suri@ 03906010a
---
 tests/nfs3-readdirplus/test.rules | 2 ++
 tests/nfs3-readdirplus/test.yaml | 12 ++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 tests/nfs3-readdirplus/test.rules
diff --git a/tests/nfs3-readdirplus/test.rules b/tests/nfs3-readdirplus/test.rules
new file mode 100644
index 000000000..fc0961b8b
--- /dev/null
+++ b/tests/nfs3-readdirplus/test.rules
@@ -0,0 +1,2 @@
+alert nfs any any -> any any (nfs_version:3; flow:to_server; nfs_procedure:17; sid:1;)
+alert nfs any any -> any any (flow:to_client; content:"|2e 2e|"; sid:2;)
diff --git a/tests/nfs3-readdirplus/test.yaml b/tests/nfs3-readdirplus/test.yaml
index dbaefbd2b..17972dedc 100644
--- a/tests/nfs3-readdirplus/test.yaml
+++ b/tests/nfs3-readdirplus/test.yaml
@@ -31,3 +31,15 @@ checks:
 rpc.auth_type: UNIX
 rpc.creds.uid: 1000
 rpc.creds.gid: 1000
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: nfs
+ alert.signature_id: 2
--
2.47.2
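Review bot: Rule sid:2 in test.rules matches the two bytes `|2e 2e|` anywhere in any server-to-client NFS payload, with no buffer, position or version constraint, so the expected alert can fire on data unrelated to the READDIRPLUS reply and the test would still pass. A comment above the rule, such as `# sid 2: expects the ".." entry name in the READDIRPLUS reply`, would record what the match is meant to prove. Both rules would also be easier to read in the EVE output with a `msg`, for example `msg:"NFSv3 READDIRPLUS request";` on sid:1. Whether the reply-side match can be narrowed further depends on which keywords are valid in the to_client direction, which this patch does not show.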
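Review bot: The two filters added to `checks:` in test.yaml match only on `event_type`, `app_proto` and `alert.signature_id`, so neither pins its alert to the READDIRPLUS exchange; an alert raised on a different packet would satisfy `count: 1` just as well. Adding a packet anchor to each `match`, e.g. `pcap_cnt: <READDIRPLUS_PACKET_NUMBER>` (placeholder, take the value from the test pcap), would make such a regression visible. The commit message ties the test to a specific Suricata commit, and the top of test.yaml is outside this hunk, so it is worth checking that a `requires` / `min-version` entry there covers it.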