More of a change in behavior than a bug, but important to be documented
Related to
Bug https://redmine.openinfosecfoundation.org/issues/7199
--- /dev/null
+# Test
+
+Showcase change of behavior from Suricata-7.0.5 to Suricata-7.0.6.
+Before, a non-stream rule that matched traffic associated with an app-layer
+transaction would result in app-layer metadata being logged with the alert, if
+metadata was enabled. Starting with 7.0.6, this will only be achieved if the
+rule is an app-layer/stream one.
+
+### Pcap
+
+Packet capture resulting of a curl to suricata.io.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7199
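Review bot: The text under "# Test" describes the 7.0.5 to 7.0.6 change but never says which rule in this test is the non-stream one or what output is expected from it. The checks added in this patch also include a `min-version: 8` case that the description does not mention. Suggest one sentence mapping sid 1 (the `ip` rule) and sid 3 (the `http` rule) to the expected presence or absence of the `http` object per version. Under "### Pcap", "resulting of a curl" should read "resulting from a curl".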
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ enabled: true
+ tagged-packets: true
+ metadata: true
+ http-body: true
+ - http:
+ extended: true
+ tagged-packets: true
+ - tls:
+ extended: true
+
+detect:
+ guess-applayer-tx: yes
\ No newline at end of file
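Review bot: `guess-applayer-tx: yes` under `detect:` carries no comment, so a reader cannot tell from this file why it is set or how it relates to the behavior the README describes. Please add a one-line comment saying what the test relies on it for. Smaller points: the checks only look at `alert` events, so the `http` and `tls` logger entries and `http-body: true` look unnecessary and could be dropped to keep the config minimal. `enabled: yes` and `enabled: true` are mixed in the same block. The file has no newline at the end.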
--- /dev/null
+reject ip any any -> any any (msg: "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; flow: to_server, established; sid: 1;)
+pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:"/api/v2/"; startswith; http.method; content:"GET"; http.host; content:"foo.bar.com"; startswith; endswith; sid: 2;)
+alert http any any -> any any (msg: "Alert by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:!"/api/v2/"; sid: 3;)
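Review bot: The three `msg` strings name an Antrea network policy rather than the role each rule plays in this test, so the file alone does not show that sid 1 is the packet-level `ip` rule and sid 3 the app-layer `http` rule being compared. Suggest a comment line above each rule stating what it is expected to demonstrate. That includes sid 2, a `pass` rule that the checks expect to produce zero alert events.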
--- /dev/null
+requires:
+ features:
+ - LIBNET1.1
+
+args:
+- -k none
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ has-key: http
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ has-key: http
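Review bot: No check asserts the absence of the `http` object for sid 1. The first filter only counts 4 alerts, and the only metadata check for that sid is the `min-version: 8` one expecting `has-key: http`, so the behavior the README describes for 7.0.6 (no app-layer metadata on the non-stream rule) is not actually verified. Suggest adding a filter bounded with `lt-version: 8` that matches `alert.signature_id: 1` with `not-has-key: http` and the expected count. Since the README ties the change to 7.0.6, also consider a `min-version` under `requires:` so the test does not run against releases with the older behavior. A short comment on why version 8 yields exactly one alert with `http` would help too.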