OISF · victorjulien · Nov 28, 2024 · Nov 28, 2024 · Nov 28, 2024 · Oct 7, 2024
diff --git a/tests/bug-5443/README.md b/tests/bug-5443/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+https://redmine.openinfosecfoundation.org/issues/5443
diff --git a/tests/bug-5443/input.pcap b/tests/bug-5443/input.pcap
diff --git a/tests/bug-5443/test.yaml b/tests/bug-5443/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 7
+  #features:
+  #- TLC
+
+args:
+- -k none
+- --runmode=single
+- --set stream.midstream=true
+
+# 2 or 3 flows depending on tcp reuse behavior, see ticket 5843
+checks:
+  - filter:
+      lt-version: 7
+      count: 3
+      match:
+        event_type: flow
+  - filter:
+      min-version: 8
+      count: 3
+      match:
+        event_type: flow
diff --git a/tests/bug-5464-verdict-06/test.yaml b/tests/bug-5464-verdict-06/test.yaml
@@ -9,6 +9,22 @@ args:
 
 checks:
   - filter:
+      min-version: 8
+      count: 25
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        verdict.action: alert
+  - filter:
+      min-version: 8
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        verdict.action: alert
+        has-not-key: pcap_cnt
+  - filter:
+      lt-version: 7
       count: 28
       match:
         event_type: alert

diff --git a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
@@ -6,11 +6,24 @@ args:
 
 checks:
 - filter:
+    min-version: 8
+    count: 24
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    min-version: 8
+    count: 24
+    match:
+      event_type: alert
+- filter:
+    lt-version: 7
     count: 26
     match:
       event_type: alert
       alert.signature_id: 3
 - filter:
+    lt-version: 7
     count: 26
     match:
       event_type: alert
@@ -31,6 +44,13 @@ checks:
     match:
       event_type: drop
 - filter:
+    min-version: 8
+    count: 0
+    match:
+      event_type: alert
+      pkt_src: "stream (flow timeout)"
+- filter:
+    lt-version: 7
     count: 2
     match:
       event_type: alert

diff --git a/tests/tls-extra-alert-app/test.rules b/tests/tls-extra-alert-app/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (app-layer-protocol:tls; flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (app-layer-protocol:tls; flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-app/test.yaml b/tests/tls-extra-alert-app/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 9901033
+      pkt_src: wire/pcap
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      not-has-key: pcap_cnt
diff --git a/tests/tls-extra-alert-app3/test.rules b/tests/tls-extra-alert-app3/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tls any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tls any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-app3/test.yaml b/tests/tls-extra-alert-app3/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 9901033
+      pkt_src: wire/pcap
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      not-has-key: pcap_cnt
diff --git a/tests/tls-extra-alert-app4/test.rules b/tests/tls-extra-alert-app4/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tls any any -> any 443 (sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tls any 443 -> any any (sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-app4/test.yaml b/tests/tls-extra-alert-app4/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 9901033
+      pkt_src: wire/pcap
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      not-has-key: pcap_cnt
diff --git a/tests/tls-extra-alert-engine-analysis/README.md b/tests/tls-extra-alert-engine-analysis/README.md
@@ -0,0 +1,7 @@
+# Test Description
+
+engine analysis complementary test for tls-extra-alert.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
diff --git a/tests/tls-extra-alert-engine-analysis/test.rules b/tests/tls-extra-alert-engine-analysis/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )