tests: add tests for smb.version keyword

Signed-off-by: jason taylor <[email protected]>

tests/smb-version-keyword-invalid/README.md

@@ -0,0 +1,4 @@
+TEST
+====
+
+Test invalid smb.version keyword syntax in signature

tests/smb-version-keyword-invalid/test.rules

@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"Two smb version declarations"; flow:established; smb.version:2; smb.version:1; sid:1;)

tests/smb-version-keyword-invalid/test.yaml

@@ -0,0 +1,14 @@
+requires:
+  min-version: 7
+
+args:
+- -k none
+
+pcap: ../smb-version-keyword/input.pcap
+
+checks:
+- shell:
+    args: grep "Can't use 2 or more smb.version declarations" suricata.log | wc -l | xargs
+    expect: 1
+
+exit-code: 1

tests/smb-version-keyword/README.md

@@ -0,0 +1,4 @@
+TEST
+====
+
+Test smb.version keyword

tests/smb-version-keyword/test.rules

@@ -0,0 +1,2 @@
+alert smb any any -> any any (msg:"SMBv1 Request"; flow:established; smb.version:1; sid:1;)
+alert smb any any -> any any (msg:"SMBv2 Request"; flow:established; smb.version:2; sid:2;)

tests/smb-version-keyword/test.yaml

@@ -0,0 +1,17 @@
+requires:
+  min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 14
+    match:
+      event_type: alert
+      alert.signature_id: 2