From cfe6e055771695de0618f489dd659c6ab7788b94 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 20 Jun 2023 15:56:19 +0200
Subject: [PATCH] Adds a test about flow.pkts_toclient keyword

And the similar keywords about packets and bytes of a flow
---
 tests/detect-flow-pkts/README.md  | 10 ++++++++++
 tests/detect-flow-pkts/test.rules |  1 +
 tests/detect-flow-pkts/test.yaml  | 14 ++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 tests/detect-flow-pkts/README.md
 create mode 100644 tests/detect-flow-pkts/test.rules
 create mode 100644 tests/detect-flow-pkts/test.yaml

diff --git a/tests/detect-flow-pkts/README.md b/tests/detect-flow-pkts/README.md
new file mode 100644
index 000000000..6691a2c40
--- /dev/null
+++ b/tests/detect-flow-pkts/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Test `flow.pkts_toclient` and alike (bytes, server) keywords
+
+PCAP
+====
+
+Pcap found in the Bro github https://github.com/bro/bro/blob/master/testing/btest/Traces/tunnels/Teredo.pcap
+
diff --git a/tests/detect-flow-pkts/test.rules b/tests/detect-flow-pkts/test.rules
new file mode 100644
index 000000000..d808c07d9
--- /dev/null
+++ b/tests/detect-flow-pkts/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts_toclient:10; flow.pkts_toserver:10; flow.bytes_toserver:<3000; flow.bytes_toclient:>8000; sid:1;)
diff --git a/tests/detect-flow-pkts/test.yaml b/tests/detect-flow-pkts/test.yaml
new file mode 100644
index 000000000..6e2df08b7
--- /dev/null
+++ b/tests/detect-flow-pkts/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 7
+
+pcap: ../decode-teredo-01/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
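Review bot: The single check in test.yaml (`count: 1` on `alert.signature_id: 1`) only proves that the combined rule fires once; it does not pin which packet of the flow triggered it, so a regression that shifted the counters by one but still produced exactly one alert somewhere in the pcap would pass. Adding the expected packet index to the match, e.g. `pcap_cnt: <packet number, to be read from the current eve output>` under `match:`, would tie the alert to the moment both `flow.pkts_toclient:10` and `flow.pkts_toserver:10` hold. The test also has no negative case: a second rule in test.rules with a condition that should never be true on this pcap (say a `flow.pkts_toserver` value the flow never reaches), checked with `count: 0`, would confirm the keywords actually filter rather than merely coincide with one packet. The README could state which flow in the Teredo capture the expected counts (10/10 packets, <3000/>8000 bytes) refer to, since it currently only names the pcap's origin.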