From 068193e0b2460d0f920ab19984b23110ed3bfd19 Mon Sep 17 00:00:00 2001
From: Alice Akaki
Date: Mon, 23 Dec 2024 07:04:57 -0400
Subject: [PATCH] detect: add test for ldap.request.operation

Ticket: #7453
---
 tests/detect-ldap-operation/README.md  | 3 +++
 tests/detect-ldap-operation/test.rules | 4 +++
 tests/detect-ldap-operation/test.yaml  | 36 ++++++++++++++++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 tests/detect-ldap-operation/README.md
 create mode 100644 tests/detect-ldap-operation/test.rules
 create mode 100644 tests/detect-ldap-operation/test.yaml

diff --git a/tests/detect-ldap-operation/README.md b/tests/detect-ldap-operation/README.md
new file mode 100644
index 000000000..f3992221b
--- /dev/null
+++ b/tests/detect-ldap-operation/README.md
@@ -0,0 +1,3 @@
+Test ldap.request.operation and ldap.response.operation keywords.
+
+PCAP from ../ldap-search/ldap.pcap
\ No newline at end of file
diff --git a/tests/detect-ldap-operation/test.rules b/tests/detect-ldap-operation/test.rules
new file mode 100644
index 000000000..03427d9e1
--- /dev/null
+++ b/tests/detect-ldap-operation/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"Test LDAP search request number argument"; ldap.request.operation:3; sid:1;)
+alert tcp any any -> any any (msg:"Test LDAP search request str argument"; ldap.request.operation:search_request; sid:2;)
+alert tcp any any -> any any (msg:"Test LDAP search result entry"; ldap.responses.operation:search_result_entry; sid:3;)
+alert tcp any any -> any any (msg:"Test LDAP search result done"; ldap.responses.operation:search_result_done; sid:4;)
\ No newline at end of file
diff --git a/tests/detect-ldap-operation/test.yaml b/tests/detect-ldap-operation/test.yaml
new file mode 100644
index 000000000..11d3656a6
--- /dev/null
+++ b/tests/detect-ldap-operation/test.yaml
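Review bot: The response rules at sid:3 and sid:4 use the keyword `ldap.responses.operation`, while the README added in the same commit describes it as `ldap.response.operation`; the two spellings should agree, and since the rules are what the test actually loads the README line is presumably the one to correct to `Test ldap.request.operation and ldap.responses.operation keywords.`. The commit subject likewise names only ldap.request.operation although half of the rules exercise the response keyword, so a reader searching the history for response-keyword coverage will not find this test.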
@@ -0,0 +1,36 @@
+requires:
+ min-version: 8
+
+pcap: ../ldap-search/ldap.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ ldap.request.operation: search_request
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ ldap.request.operation: search_request
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 8
+ ldap.responses[0].operation: search_result_entry
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ldap.responses[1].operation: search_result_done
+ alert.signature_id: 4
\ No newline at end of file
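Review bot: Every check in this file is positive, so the test would still pass if ldap.request.operation or ldap.responses.operation matched regardless of the operation value; a fifth rule using an operation that does not occur in the pcap, paired with a `count: 0` filter on its sid, would show the keywords actually discriminate. The sid:4 check is also the only one without `pcap_cnt`, so it accepts the search_result_done alert on whichever packet it appears; adding `pcap_cnt: <packet number>` next to `alert.signature_id: 4` would keep it as specific as the other three. The collapsed layout of this hunk has lost the YAML indentation, so the nesting of the `count`/`match` keys under each `filter` cannot be verified from this view.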