From 76e7dc0f11388a9cae6ff76e5deee65c10ac19a7 Mon Sep 17 00:00:00 2001
From: Alice Akaki <akakialice@gmail.com>
Date: Mon, 23 Dec 2024 07:04:57 -0400
Subject: [PATCH] detect: add test for ldap operation keywords

Ticket: #7453
---
 tests/detect-ldap-operation/README.md  |  5 ++
 tests/detect-ldap-operation/test.rules | 12 ++++
 tests/detect-ldap-operation/test.yaml  | 85 ++++++++++++++++++++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 tests/detect-ldap-operation/README.md
 create mode 100644 tests/detect-ldap-operation/test.rules
 create mode 100644 tests/detect-ldap-operation/test.yaml

diff --git a/tests/detect-ldap-operation/README.md b/tests/detect-ldap-operation/README.md
new file mode 100644
index 000000000..0491fcf36
--- /dev/null
+++ b/tests/detect-ldap-operation/README.md
@@ -0,0 +1,5 @@
+Test ldap.request.operation, ldap.responses.operation and ldap.responses.count keywords.
+
+PCAP from ../ldap-search/ldap.pcap
+
+Redmine ticket: https://redmine.openinfosecfoundation.org/issues/7453
\ No newline at end of file
diff --git a/tests/detect-ldap-operation/test.rules b/tests/detect-ldap-operation/test.rules
new file mode 100644
index 000000000..e70ec9c7f
--- /dev/null
+++ b/tests/detect-ldap-operation/test.rules
@@ -0,0 +1,12 @@
+alert tcp any any -> any any (msg:"Test search request number argument"; ldap.request.operation:3; sid:1;)
+alert tcp any any -> any any (msg:"Test search request str argument"; ldap.request.operation:search_request; sid:2;)
+alert tcp any any -> any any (msg:"Test search result entry"; ldap.responses.operation:search_result_entry; sid:3;)
+alert tcp any any -> any any (msg:"Test search result done"; ldap.responses.operation:search_result_done; sid:4;)
+alert tcp any any -> any any (msg:"Test search result done at index 1"; ldap.responses.operation:search_result_done,1; sid:5;)
+alert tcp any any -> any any (msg:"Test search result done at any index"; ldap.responses.operation:search_result_done,any; sid:6;)
+alert tcp any any -> any any (msg:"Test search result done at last index"; ldap.responses.operation:search_result_done,-1; sid:7;)
+alert tcp any any -> any any (msg:"Test number of LDAP responses is 2"; ldap.responses.count:2; sid:8;)
+alert tcp any any -> any any (msg:"Test number of LDAP responses is greater than 0"; ldap.responses.count:>0; sid:9;)
+alert tcp any any -> any any (msg:"Test search result done at index 0"; ldap.responses.operation:search_result_done,0; sid:10;)
+alert tcp any any -> any any (msg:"Test number of LDAP responses is 10"; ldap.responses.count:10; sid:11;)
+alert tcp any any -> any any (msg:"Test number of LDAP responses is greater than 2"; ldap.responses.count:>2; sid:12;)
\ No newline at end of file
diff --git a/tests/detect-ldap-operation/test.yaml b/tests/detect-ldap-operation/test.yaml
new file mode 100644
index 000000000..685754a53
--- /dev/null
+++ b/tests/detect-ldap-operation/test.yaml
@@ -0,0 +1,85 @@
+requires:
+  min-version: 8
+
+pcap: ../ldap-search/ldap.pcap
+
+args:
+  - -k none --set stream.inline=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 4
+        ldap.request.operation: search_request
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 4
+        ldap.request.operation: search_request
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 6
+        ldap.responses[0].operation: search_result_entry
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        ldap.responses[1].operation: search_result_done
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        ldap.responses[1].operation: search_result_done
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        ldap.responses[1].operation: search_result_done
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        ldap.responses[1].operation: search_result_done
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 10
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        alert.signature_id: 11
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 12
\ No newline at end of file