tests: add stream_size prefilter tests

jufajardini · Jun 18, 2024 · ea37490 · ea37490
1 parent 4309798
commit ea37490
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 0 deletions.
diff --git a/tests/streamsize-keyword-02-prefilter/README.md b/tests/streamsize-keyword-02-prefilter/README.md
@@ -0,0 +1,3 @@
+# Description
+
+Test stream_size keyword as prefilter.
diff --git a/tests/streamsize-keyword-02-prefilter/test.rules b/tests/streamsize-keyword-02-prefilter/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flow:established,to_server; stream_size:server,<,1111; prefilter; content: "EICAR"; sid:1234;)
diff --git a/tests/streamsize-keyword-02-prefilter/test.yaml b/tests/streamsize-keyword-02-prefilter/test.yaml
@@ -0,0 +1,15 @@
+pcap: ../smb-eicar-file/input.pcap
+
+requires:
+  min-version: 7
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1234
diff --git a/tests/streamsize-keyword-03-prefilter-pseudo/README.md b/tests/streamsize-keyword-03-prefilter-pseudo/README.md
@@ -0,0 +1,4 @@
+# Description
+
+Test stream_size keyword as prefilter on timeout packet
+
diff --git a/tests/streamsize-keyword-03-prefilter-pseudo/test.rules b/tests/streamsize-keyword-03-prefilter-pseudo/test.rules
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random; content:"|54 b8 f7 73|"; bsize:>1; stream_size:server,>,1111; prefilter; sid:1234;)
+
diff --git a/tests/streamsize-keyword-03-prefilter-pseudo/test.yaml b/tests/streamsize-keyword-03-prefilter-pseudo/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../tls/tls-random-6989/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1234