rules/test: add app-layer-protocol negated test

To complement bug-7241 tests.
jufajardini · Sep 16, 2024 · 32051f5 · 32051f5
1 parent a51c90b
commit 32051f5
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/tests/rules/app-layer-protocol/test.rules b/tests/rules/app-layer-protocol/test.rules
@@ -0,0 +1,2 @@
+drop tcp any any -> any any (flow:established; app-layer-protocol:!tls; sid:1;)
+drop tcp any any -> any any (flow:established; app-layer-protocol:!tls; prefilter; sid:2;)
diff --git a/tests/rules/app-layer-protocol/test.yaml b/tests/rules/app-layer-protocol/test.yaml
@@ -0,0 +1,24 @@
+requires:
+    min-version: 7.0
+    pcap: false
+
+args:
+    - --engine-analysis
+    - --simulate-ips
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      app_proto: "unknown"
+      not-has-key: "prefilter"
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      app_proto: "unknown"
+      prefilter.buffer: "packet"
+      prefilter.name: app-layer-protocol