detect: add a test for protocol mismatch detection

catenacyber · victorjulien · commit 303c2da95999 · 2024-05-15T17:03:53.000+02:00
Ticket: #4921
diff --git a/tests/detect-app-layer-protocol-05/README.md b/tests/detect-app-layer-protocol-05/README.md
@@ -0,0 +1,11 @@
+# Test Purpose
+
+Test `app-layer-protocol` keyword with protocol mismatch
+
+## PCAP
+
+PCAP reused from proto-mismatch-http-ssh
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/4921
diff --git a/tests/detect-app-layer-protocol-05/test.rules b/tests/detect-app-layer-protocol-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"HTTP client to SSH server"; flow:to_client; app-layer-protocol:http1,to_server; app-layer-protocol:ssh,to_client; sid:1; )
diff --git a/tests/detect-app-layer-protocol-05/test.yaml b/tests/detect-app-layer-protocol-05/test.yaml
@@ -0,0 +1,11 @@
+pcap: ../output-eve-anomaly-02/input.pcap
+
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+alert tcp any any -> any any (msg:"HTTP client to SSH server"; flow:to_client; app-layer-protocol:http1,to_server; app-layer-protocol:ssh,to_client; sid:1; )`