From 56a79c4add728806286e04d167e86e3c64574327 Mon Sep 17 00:00:00 2001
From: Nancy Enos
Date: Thu, 24 Oct 2024 10:38:47 +0300
Subject: [PATCH] tests: add rule type check for tcp-window

Ticket: 6352
---
 tests/rules/tcp_window/test.rules | 2 ++
 tests/rules/tcp_window/test.yaml | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 tests/rules/tcp_window/test.rules
 create mode 100644 tests/rules/tcp_window/test.yaml

diff --git a/tests/rules/tcp_window/test.rules b/tests/rules/tcp_window/test.rules
new file mode 100644
index 000000000..646a45139
--- /dev/null
+++ b/tests/rules/tcp_window/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"TCP window size"; window:30336; sid:1;)
+alert tcp any any -> any any (msg:"TCP window size"; tcp.window:!1024; sid:2;)
\ No newline at end of file
diff --git a/tests/rules/tcp_window/test.yaml b/tests/rules/tcp_window/test.yaml
new file mode 100644
index 000000000..49cabd16a
--- /dev/null
+++ b/tests/rules/tcp_window/test.yaml
@@ -0,0 +1,25 @@
+requires:
+  min-version: 8.0
+  pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.packet.matches[0].name: "tcp.window"
+      lists.packet.matches[0].window.size: 30336
+      lists.packet.matches[0].window.negated: false
+
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      lists.packet.matches[0].name: "tcp.window"
+      lists.packet.matches[0].window.size: 1024
+      lists.packet.matches[0].window.negated: true
\ No newline at end of file
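Review bot: Both rules in test.rules carry the identical `msg:"TCP window size"` and neither has a `rev`, so a failure reported by rule message cannot be attributed to the legacy `window` spelling (sid 1) or the `tcp.window` negated form (sid 2) without going back to the sid. A distinct message per rule, e.g. `msg:"TCP window size negated"; tcp.window:!1024; sid:2; rev:1;`, keeps the two cases self-describing. The file is also committed without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.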
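Review bot: test.yaml states nothing about what it is verifying, so a reader has to infer from the two `lists.packet.matches[0]` checks that the intent is both the legacy `window` keyword and `tcp.window` being reported under the same `tcp.window` name, with the `!` prefix surfacing as `negated: true`. A one-line header such as `# engine-analysis: "window" and "tcp.window" both report as tcp.window; "!" sets window.negated` would make that explicit, and the `min-version: 8.0` requirement would benefit from a short comment on why 8.0 is the floor (presumably the version that emits the `window` object in rules.json; confirm). Note that with `pcap: false` the test covers rule parsing and analysis output only, not detection on traffic, which the header could also state. The file also lacks a trailing newline.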