http2: add test with window keyword and index

Ticket: 7480

diff --git a/tests/http2-window-index/README.md b/tests/http2-window-index/README.md
new file mode 100644 (file)
index 0000000..2cbbeea
--- /dev/null
+++ b/tests/http2-window-index/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test http2 window keyword with index functionality
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/HTTP2

diff --git a/tests/http2-window-index/suricata.yaml b/tests/http2-window-index/suricata.yaml
new file mode 100644 (file)
index 0000000..eb2d079
--- /dev/null
+++ b/tests/http2-window-index/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: true
+      types:
+        - alert
+        - http2
+        - files
+
+app-layer:
+  protocols:
+    http2:
+      enabled: true

diff --git a/tests/http2-window-index/test.rules b/tests/http2-window-index/test.rules
new file mode 100644 (file)
index 0000000..fd65785
--- /dev/null
+++ b/tests/http2-window-index/test.rules
@@ -0,0 +1,16 @@
+# happens once
+alert http2 any any -> any any (http2.window:32768; sid:4; rev:1;)
+# happens many times because many txs do not have any http2.window
+alert http2 any any -> any any (http2.window:32768,all; sid:5; rev:1;)
+# does not happen as tx is 3 has http2.window:32768 and http2.window:32767
+alert http2 any any -> any any (http2.window:32768,all1; sid:6; rev:1;)
+# matches (range is exclusive)
+alert http2 any any -> any any (http2.window:32766-32769,all1; sid:7; rev:1;)
+# matches for stream id 5
+alert http2 any any -> any any (http2.window:>36000,nb>1; sid:8; rev:1;)
+# happens many times because many txs do not have any http2.window
+alert http2 any any -> any any (http2.window:32768,or_absent; sid:9; rev:1;)
+# tx does not have (at least) 3 windows
+alert http2 any any -> any any (http2.window:123,oob_or 2; sid:10; rev:1;)
+
+alert http2 any any -> any any (http2.window:>36000,nb>1,1:-1; sid:11; rev:1;)

diff --git a/tests/http2-window-index/test.yaml b/tests/http2-window-index/test.yaml
new file mode 100644 (file)
index 0000000..463f633
--- /dev/null
+++ b/tests/http2-window-index/test.yaml
@@ -0,0 +1,54 @@
+requires:
+  min-version: 9
+
+pcap: ../http2-keywords/input.pcap
+
+# disables checksum verification
+args:
+  - -k none
+
+checks:
+  # Check that there is one file event with content range.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 28
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+        http.http2.stream_id: 5
+  - filter:
+      # 28 + 1
+      count: 29
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 34
+      match:
+        event_type: alert
+        alert.signature_id: 10
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 11
+        http.http2.stream_id: 5