tests: add test for issue 6397 1421/head
authorVictor Julien <victor@inliniac.net>
Thu, 12 Oct 2023 11:52:54 +0000 (13:52 +0200)
committerVictor Julien <victor@inliniac.net>
Thu, 12 Oct 2023 11:52:54 +0000 (13:52 +0200)
tests/rules/http_uri/test.rules
tests/rules/http_uri/test.yaml

index e4d3ac6537bfca7ed887e5ec5f44a26e2356107f..2fbc8b43f7bcf2aa63766c46c47af0e7ccb1387a 100644 (file)
@@ -4,3 +4,5 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urile
 alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:4;)
 # urilen followed by "raw" content, make sure the urilen doesn't act as http.uri sticky buffer
 alert http1 any any -> any any (urilen:44; content:"abc"; sid:5;)
+# make sure there is a single uri list. Based on 2016816:3
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:to_server,established; content:"a"; fast_pattern:only; http_uri; content:"b"; http_uri; content:"Mozilla"; http_user_agent; pcre:"/^$/RV"; content:!"Referer|3a 20|"; http_header; pcre:"/abcdef$/Ui"; sid:6;)
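Review bot: The comment above the sid:6 rule does not say which part of the signature exercises the regression, so a later cleanup could drop or reorder the trailing `pcre:"/abcdef$/Ui"` without noticing that it is the point of the test. I would expand it to something like `# issue 6397: a pcre with /U placed after the http_user_agent and http_header matches must join the same http_uri list as the two earlier contents. Based on 2016816:3`. That reading is inferred from the accompanying check in test.yaml, which expects the pcre as the third match of the http_uri engine. For an IDS this matters because a match that lands in the wrong list can leave a signature silently unable to fire.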
index 45bd5c59e87700905d07b31a482cbecd284309c6..42d0e7c017713b1d460e68c35ba7de4425e489a3 100644 (file)
@@ -85,3 +85,17 @@ checks:
       engines[1].name: "http_uri"
       engines[1].app_proto: "http"
       engines[1].matches[0].name: "urilen"
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 6
+      mpm.buffer: "http_uri"
+      mpm.pattern: "a"
+      engines[0].name: "http_uri"
+      engines[0].app_proto: "http"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[1].name: "content"
+      engines[0].matches[2].name: "pcre"
+      engines[1].name: "http_user_agent"
+      engines[2].name: "http_header"
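Review bot: The check for id 6 pins all three matches of `engines[0]` but only the names of `engines[1]` and `engines[2]`, and nothing asserts that the engine list stops there. Since the stated intent is a single uri list, an analysis output that keeps `engines[0]` intact but also emits an extra http_uri entry further down would still pass. Consider adding `engines[1].matches[0].name: "content"` and `engines[2].matches[0].name: "content"`, assuming the Mozilla and Referer contents are reported under that name. If the filter's `not-has-key` accepts indexed keys (worth confirming against the runner), `not-has-key: engines[3]` would also pin the list length.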