tls/random: add tests for bug 6989

tests/tls/tls-random-6989/README.md

@@ -0,0 +1,11 @@
+# Test Description
+
+This test demonstrates that the TLS random buffer should match the correct direction.
+
+## PCAP
+
+Comes from the redmine ticket below.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6989

tests/tls/tls-random-6989/test.rules

@@ -0,0 +1,4 @@
+alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b4 c9 7b|"; sid:1;)
+alert tls any any -> any any (msg:"CLIENT HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b4 c9 7b|"; sid:2;)
+alert tls any any -> any any (msg:"SERVER HELLO DATA - to_server"; flow:established,to_server; tls.random_time; content:"|54 b8 f7 73|"; sid:3;)
+alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random_time; content:"|54 b8 f7 73|"; sid:4;)

tests/tls/tls-random-6989/test.yaml

@@ -0,0 +1,21 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature: CLIENT HELLO DATA - to_server
+      alert.signature_id: 1
+      direction: to_server
+      event_type: alert
+- filter:
+    count: 1
+    match:
+      alert.signature: SERVER HELLO DATA - to_client
+      alert.signature_id: 4
+      direction: to_client
+      event_type: alert