flow/pkt: add test for either dir

OISF · Dec 3, 2024 · 2b8f35a · 2b8f35a
1 parent a1e0152
commit 2b8f35a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/tests/detect-flow-pkts-either/README.md b/tests/detect-flow-pkts-either/README.md
@@ -0,0 +1,13 @@
+Test
+====
+
+Test `flow.pkts:either`.. and `flow.bytes:either`.. keywords
+
+PCAP
+====
+
+From existing s-v test.
+
+Related tickets
+==============
+https://redmine.openinfosecfoundation.org/issues/5646
diff --git a/tests/detect-flow-pkts-either/test.rules b/tests/detect-flow-pkts-either/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"Flow has more than 3000 bytes and 10 pkts in either direction";flow.pkts:either,=10;flow.bytes:either,>3000; sid:1;)
diff --git a/tests/detect-flow-pkts-either/test.yaml b/tests/detect-flow-pkts-either/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 8
+
+pcap: ../decode-teredo-01/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 1
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		alert ip any any -> any any (msg:"Flow has more than 3000 bytes and 10 pkts in either direction";flow.pkts:either,=10;flow.bytes:either,>3000; sid:1;)