From f8dc018dab133fe7bce3d0f28df6881468a8bb05 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Fri, 23 Aug 2024 12:33:40 +0530
Subject: [PATCH 1/2] flow/pkts: update rules to new syntax

---
 tests/detect-flow-pkts/README.md | 2 +-
 tests/detect-flow-pkts/test.rules | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/detect-flow-pkts/README.md b/tests/detect-flow-pkts/README.md
index 6691a2c40..2d9c13602 100644
--- a/tests/detect-flow-pkts/README.md
+++ b/tests/detect-flow-pkts/README.md
@@ -1,7 +1,7 @@
 Test
 ====
-Test `flow.pkts_toclient` and alike (bytes, server) keywords
+Test `flow.pkts:toclient`.. and alike (bytes, server) keywords
 PCAP
 ====
diff --git a/tests/detect-flow-pkts/test.rules b/tests/detect-flow-pkts/test.rules
index d808c07d9..95a3a58a9 100644
--- a/tests/detect-flow-pkts/test.rules
+++ b/tests/detect-flow-pkts/test.rules
@@ -1 +1 @@
-alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts_toclient:10; flow.pkts_toserver:10; flow.bytes_toserver:<3000; flow.bytes_toclient:>8000; sid:1;)
+alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts:toclient,=10; flow.pkts:toserver,=10; flow.bytes:toserver,<3000; flow.bytes:toclient,>8000; sid:1;)

From fc16fb07c19818693da9942dc3fd0b9400b22535 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Fri, 23 Aug 2024 12:36:50 +0530
Subject: [PATCH 2/2] flow/pkt: add test for either dir

---
 tests/detect-flow-pkts-either/README.md | 13 +++++++++++++
 tests/detect-flow-pkts-either/test.rules | 1 +
 tests/detect-flow-pkts-either/test.yaml | 14 ++++++++++++++
 tests/detect-flow-pkts/test.rules | 2 +-
 4 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 tests/detect-flow-pkts-either/README.md
 create mode 100644 tests/detect-flow-pkts-either/test.rules
 create mode 100644 tests/detect-flow-pkts-either/test.yaml

diff --git a/tests/detect-flow-pkts-either/README.md b/tests/detect-flow-pkts-either/README.md
new file mode 100644
index 000000000..89bdf91cd
--- /dev/null
+++ b/tests/detect-flow-pkts-either/README.md
@@ -0,0 +1,13 @@
+Test
+====
+
+Test `flow.pkts:either`.. and `flow.bytes:either`.. keywords
+
+PCAP
+====
+
+From existing s-v test.
+
+Related tickets
+==============
+https://redmine.openinfosecfoundation.org/issues/5646
diff --git a/tests/detect-flow-pkts-either/test.rules b/tests/detect-flow-pkts-either/test.rules
new file mode 100644
index 000000000..cfd5a5e03
--- /dev/null
+++ b/tests/detect-flow-pkts-either/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"Flow has more than 3000 bytes and 10 pkts in either direction";flow.pkts:either,=10;flow.bytes:either,>3000; sid:1;)
diff --git a/tests/detect-flow-pkts-either/test.yaml b/tests/detect-flow-pkts-either/test.yaml
new file mode 100644
index 000000000..1905ae7d7
--- /dev/null
+++ b/tests/detect-flow-pkts-either/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 8
+
+pcap: ../decode-teredo-01/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/detect-flow-pkts/test.rules b/tests/detect-flow-pkts/test.rules
index 95a3a58a9..a5d4a914a 100644
--- a/tests/detect-flow-pkts/test.rules
+++ b/tests/detect-flow-pkts/test.rules
@@ -1 +1 @@
-alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts:toclient,=10; flow.pkts:toserver,=10; flow.bytes:toserver,<3000; flow.bytes:toclient,>8000; sid:1;)
+alert ip any any -> any any (msg:"Flow has 10 packets"; flow.pkts:toclient,10; flow.pkts:toserver,=10; flow.bytes:toserver,<3000; flow.bytes:toclient,>8000; sid:1;)
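Review bot: The new rule in tests/detect-flow-pkts-either/test.rules gives the test only a positive case, and the accompanying test.yaml asserts just that sid 1 fires three times, so a regression that made `either` match on the wrong value or only one direction would still pass whenever the count happened to be three. A second signature whose value must not match on this pcap (constructed example: `alert ip any any -> any any (msg:"must not match"; flow.pkts:either,=11; sid:2;)`), paired with a `count: 0` filter on `alert.signature_id: 2` in test.yaml, would pin the `either` semantics rather than only the alert count. If the pcap's per-direction counts are known, the README could state them so a reader can see why three alerts is the expected number.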
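Review bot: Dropping the `=` from `flow.pkts:toclient,10` while the other three keywords in the same rule keep an explicit operator leaves tests/detect-flow-pkts/test.rules exercising two spellings without saying why, and the change lands in a commit whose subject is the new `either` test. If the intent is to cover the implicit-equality form, a comment line in test.rules would make that deliberate, e.g. `# flow.pkts:toclient omits '=' on purpose to cover the implicit equality form`; otherwise this edit belongs in the first patch with the rest of the syntax update. Either way the commit message should mention it, since the diffstat is the only place the change is visible.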