WIP pkt:flow_start hook test

victorjulien · Feb 26, 2025 · 1e1194c · 1e1194c
1 parent 15de63c
commit 1e1194c
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/tests/rule-hooks/pkt-hook-flow-start-01/test.rules b/tests/rule-hooks/pkt-hook-flow-start-01/test.rules
@@ -0,0 +1,5 @@
+alert tcp:flow_start any any -> any any (seq:123; sid:1;)
+alert tcp:flow_start any any -> any any (dsize:0; sid:2;)
+alert tcp:flow_start any any -> any any (sid:3;)
+alert ip:flow_start any any -> any any (sid:4;)
+alert ip:flow_start any any -> any any (flow:to_server; sid:5;)
diff --git a/tests/rule-hooks/pkt-hook-flow-start-01/test.yaml b/tests/rule-hooks/pkt-hook-flow-start-01/test.yaml
@@ -0,0 +1,33 @@
+pcap: ../http-body-hook-01/input.pcap
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: http
+      http.url: "/~regit/ids-suricata-esiea.pdf"
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5