From dac801fef10455609966028feb0f2a3034115fd0 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Thu, 4 Jun 2026 10:05:47 +0530
Subject: [PATCH] flowbits: add test for toggle for 7 and 8
---
tests/flowbits-toggle-pre-9/test.rules | 10 ++++++++++
tests/flowbits-toggle-pre-9/test.yaml | 22 ++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 tests/flowbits-toggle-pre-9/test.rules
create mode 100644 tests/flowbits-toggle-pre-9/test.yaml
diff --git a/tests/flowbits-toggle-pre-9/test.rules b/tests/flowbits-toggle-pre-9/test.rules
new file mode 100644
index 000000000..4d904c6d2
--- /dev/null
+++ b/tests/flowbits-toggle-pre-9/test.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:toggle,rare; flowbits:toggle,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:toggle,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-toggle-pre-9/test.yaml b/tests/flowbits-toggle-pre-9/test.yaml
new file mode 100644
index 000000000..37bfbbd87
--- /dev/null
+++ b/tests/flowbits-toggle-pre-9/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ lt-version: 9
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
--
2.47.3
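Review bot: tests/flowbits-toggle-pre-9/test.rules has no comment saying which pre-9 toggle behaviour the ten rules are meant to pin down, so a reader cannot tell why only some sids are expected to alert. Reading the rules alone, sids 11-12 change the bits, 21-25 test them, and 31-33 appear to be flowbit-free controls matching the same `dsize`/`ack` values. A header such as `# 11-12 set/toggle rare, common, never; 21-25 check them; 31-33 are controls without flowbits` would record that. It would also help to note that `ack:3308437468` and `dsize:259` are tied to specific packets of the shared flowbit-oring pcap, because those constants mean nothing without it.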
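Review bot: The `checks:` list in tests/flowbits-toggle-pre-9/test.yaml asserts only that sids 11 and 22 each alert once at `pcap_cnt: 6`. Nothing is asserted for sids 12, 21, 23-25 or 31-33, so a change that makes a flowbit checker start or stop firing on this pcap would pass unnoticed. Since the test is about toggle state, consider adding one filter per remaining sid with its expected `count:`, including `count: 0` for bits that must stay unset. Sid 21 on `never` looks like a candidate, though that depends on the pcap, which is not visible here. Because both existing filters pin `pcap_cnt: 6`, alerts for 11 or 22 on other packets are also unchecked; an extra filter per sid without `pcap_cnt` and with the total expected count would cover that.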