From: Philippe Antoine Date: Thu, 18 Sep 2025 09:13:17 +0000 (+0200) Subject: http2: add test with window keyword and index X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2659%2Fhead;p=thirdparty%2Fsuricata-verify.git http2: add test with window keyword and index Ticket: 7480
---
diff --git a/tests/http2-window-index/README.md b/tests/http2-window-index/README.md
new file mode 100644
index 000000000..2cbbeea65
--- /dev/null
+++ b/tests/http2-window-index/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test http2 window keyword with index functionality
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/HTTP2
diff --git a/tests/http2-window-index/suricata.yaml b/tests/http2-window-index/suricata.yaml
new file mode 100644
index 000000000..eb2d0794b
--- /dev/null
+++ b/tests/http2-window-index/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ types:
+ - alert
+ - http2
+ - files
+
+app-layer:
+ protocols:
+ http2:
+ enabled: true
diff --git a/tests/http2-window-index/test.rules b/tests/http2-window-index/test.rules
new file mode 100644
index 000000000..fd65785d4
--- /dev/null
+++ b/tests/http2-window-index/test.rules
@@ -0,0 +1,16 @@
+# happens once
+alert http2 any any -> any any (http2.window:32768; sid:4; rev:1;)
+# happens many times because many txs do not have any http2.window
+alert http2 any any -> any any (http2.window:32768,all; sid:5; rev:1;)
+# does not happen as tx is 3 has http2.window:32768 and http2.window:32767
+alert http2 any any -> any any (http2.window:32768,all1; sid:6; rev:1;)
+# matches (range is exclusive)
+alert http2 any any -> any any (http2.window:32766-32769,all1; sid:7; rev:1;)
+# matches for stream id 5
+alert http2 any any -> any any (http2.window:>36000,nb>1; sid:8; rev:1;)
+# happens many times because many txs do not have any http2.window
+alert http2 any any -> any any (http2.window:32768,or_absent; sid:9; rev:1;)
+# tx does not have (at least) 3 windows
+alert http2 any any -> any any (http2.window:123,oob_or 2; sid:10; rev:1;)
+
+alert http2 any any -> any any (http2.window:>36000,nb>1,1:-1; sid:11; rev:1;)
diff --git a/tests/http2-window-index/test.yaml b/tests/http2-window-index/test.yaml
new file mode 100644
index 000000000..463f633c2
--- /dev/null
+++ b/tests/http2-window-index/test.yaml
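Review bot: In test.rules, the last rule (sid:11, `http2.window:>36000,nb>1,1:-1`) is the only one without a comment, and it is the only rule using the `1:-1` index form. Nothing in the file says which window values that part selects or why exactly one alert on stream 5 is expected. A one-line comment above it would cover this; `1:-1` presumably restricts the match to a sub-range of the transaction's window values, which the author should confirm. The comment above sid:6 is also garbled; `# does not happen as tx 3 has both http2.window:32768 and http2.window:32767` appears to be the intended wording.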
@@ -0,0 +1,54 @@
+requires:
+ min-version: 9
+
+pcap: ../http2-keywords/input.pcap
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ # Check that there is one file event with content range.
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 28
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ http.http2.stream_id: 5
+ - filter:
+ # 28 + 1
+ count: 29
+ match:
+ event_type: alert
+ alert.signature_id: 9
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ http.http2.stream_id: 5
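Review bot: The comment at the top of `checks:` in test.yaml (`# Check that there is one file event with content range.`) looks copied from another test. Every filter below it counts `alert` events by signature id, and none inspects a file event. I would replace it with `# Alert counts per signature; see test.rules for why each count is expected.` The counts 28 (sid 5) and 34 (sid 10) have no explanation, unlike the `# 28 + 1` on sid 9, so a short comment on each saying what is being counted would help when the numbers need updating. Only the sid 8 and sid 11 checks pin `http.http2.stream_id`, so the single-alert checks for sids 4 and 7 would still pass if the alert came from a different transaction than intended.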