flowbits: add test for toggle for 7 and 8

diff --git a/tests/flowbits-toggle-pre-9/test.rules b/tests/flowbits-toggle-pre-9/test.rules
new file mode 100644 (file)
index 0000000..4d904c6
--- /dev/null
+++ b/tests/flowbits-toggle-pre-9/test.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:toggle,rare; flowbits:toggle,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:toggle,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common;  dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never;  dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare;  dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare;  ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)

diff --git a/tests/flowbits-toggle-pre-9/test.yaml b/tests/flowbits-toggle-pre-9/test.yaml
new file mode 100644 (file)
index 0000000..37bfbbd
--- /dev/null
+++ b/tests/flowbits-toggle-pre-9/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  lt-version: 9
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22