From: Juliana Fajardini Date: Thu, 29 May 2025 01:39:46 +0000 (-0300) Subject: tests/rules: add test for bug 5177 X-Git-Tag: suricata-7.0.11~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92a91a30902de58e6683865955d1412cf5df5c22;p=thirdparty%2Fsuricata-verify.git tests/rules: add test for bug 5177 The engine analyzer issues the same note about using new rule buffers regardless of the rule usage of new buffer or the old ones. This test is just to showcase this. Bug #5177
---
diff --git a/tests/rules/bug-5177/bug-5177.rules b/tests/rules/bug-5177/bug-5177.rules
new file mode 100644
index 000000000..37544fe19
--- /dev/null
+++ b/tests/rules/bug-5177/bug-5177.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (http.request_line; content:"GET /index.html HTTP/1.0"; sid:61;)
+alert http any any -> any any (http_request_line; content:"GET /index.html HTTP/1.0"; sid:62;)
diff --git a/tests/rules/bug-5177/test.yaml b/tests/rules/bug-5177/test.yaml
new file mode 100644
index 000000000..65f46e0bd
--- /dev/null
+++ b/tests/rules/bug-5177/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 61
+ raw: "alert http any any -> any any (http.request_line; content:\"GET /index.html HTTP/1.0\"; sid:61;)"
+ notes[0]: "pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance"
+ notes[1]: "pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 62
+ raw: "alert http any any -> any any (http_request_line; content:\"GET /index.html HTTP/1.0\"; sid:62;)"
+ notes[0]: "pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance"
+ notes[1]: "pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance"
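Review bot: The expected `notes[0]` and `notes[1]` strings in the first check (id 61) pin output that the commit message itself describes as wrong: that rule already uses `http.request_line`, yet the check requires the "use http.request_line ... instead" note, and requires it twice. Nothing in test.yaml says these are known-bad expectations, so a later reader may take them as intended analyzer behaviour and keep writing rules against a misleading hint. I would add a comment above `checks:` such as `# Pins the current (incorrect) analyzer notes tracked in bug 5177; update the expected notes when the bug is fixed.` The test will also start failing on any build that carries the fix, so consider bounding it in `requires:` with an upper version (suricata-verify's `lt-version`, if this branch supports it) once the fixing release is known.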