From 160533cdf582b73695db3e63f9ae5a7216105e92 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Sun, 24 Aug 2025 22:02:28 +0200
Subject: [PATCH] http: test no anomaly for identity Content encoding

Ticket: 7843
---
tests/http-encoding-identity/README.md | 13 +++++++++++++
tests/http-encoding-identity/server.go | 24 ++++++++++++++++++++++++
tests/http-encoding-identity/test.pcap | Bin 0 -> 1140 bytes
tests/http-encoding-identity/test.rules | 1 +
tests/http-encoding-identity/test.yaml | 16 ++++++++++++++++
5 files changed, 54 insertions(+)
create mode 100644 tests/http-encoding-identity/README.md
create mode 100644 tests/http-encoding-identity/server.go
create mode 100644 tests/http-encoding-identity/test.pcap
create mode 100644 tests/http-encoding-identity/test.rules
create mode 100644 tests/http-encoding-identity/test.yaml

diff --git a/tests/http-encoding-identity/README.md b/tests/http-encoding-identity/README.md
new file mode 100644
index 000000000..a9db9bc2e
--- /dev/null
+++ b/tests/http-encoding-identity/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Test HTTP Content-encoding identity
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7843
+
+# Pcap
+
+Crafted with:
+- `go run server.go`
+- `curl -i -v 127.0.0.1:8080/`
diff --git a/tests/http-encoding-identity/server.go b/tests/http-encoding-identity/server.go
new file mode 100644
index 000000000..b2938896f
--- /dev/null
+++ b/tests/http-encoding-identity/server.go
@@ -0,0 +1,24 @@
+package main
+
+import (
+ "fmt"
+ "net/http"
+)
+
+func main() {
+ handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("Server", "Jetty")
+ w.Header().Set("Content-encoding", "identity")
+ content := "identity content-encoding works"
+ _, _ = w.Write([]byte(content))
+ })
+
+ server := &http.Server{
+ Addr: "0.0.0.0:8080",
+ Handler: handler,
+ }
+
+ fmt.Printf("Listening [0.0.0.0:8080]...\n")
+ err := server.ListenAndServe()
+ fmt.Printf("lol %s", err)
+}
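Review bot: The fixture server in `main` binds `Addr: "0.0.0.0:8080"`, so anyone regenerating the pcap opens the listener on every interface, although the README only drives it over loopback (`curl -i -v 127.0.0.1:8080/`); `Addr: "127.0.0.1:8080",` with the matching `Listening [127.0.0.1:8080]` message keeps the helper local. The closing `fmt.Printf("lol %s", err)` reports a ListenAndServe failure (for example a port already in use) on stdout with no newline and a zero exit status; `log.Fatalf("ListenAndServe: %v", err)` says what failed and exits non-zero, at the cost of adding `"log"` to the import block.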
diff --git a/tests/http-encoding-identity/test.pcap b/tests/http-encoding-identity/test.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d8a9fb9d8fd93cc2329150f57786610f70a94d88
GIT binary patch literal 1140 zc-p&ic+)~A1{MYcfUvm>)@G=PaWJ?5*&xgW#I6hs4j|;f#=ua|z`zK?KN#dEhzQQO z2hy{F>Hq(KCP1|;_BR-rnb{Z_Ik@g_sb>P4$^kjnntOkP5T=>6 z=j(rg%!QfR4m8sOXqE-SOcNaLybm;2xIsYT^*;@uAk=*z^FZeG6JZY2ZNeb4kj;U) z31rS|pgCZ<|(!&*NViF{pBZ%D`H3_2qr3W-?6}IpJ0MRH7zyJUM literal 0 Hc-jL100001
diff --git a/tests/http-encoding-identity/test.rules b/tests/http-encoding-identity/test.rules
new file mode 100644
index 000000000..eeabf8761
--- /dev/null
+++ b/tests/http-encoding-identity/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"identity"; file.data; content: "identity content-encoding works" ; sid:1;)
diff --git a/tests/http-encoding-identity/test.yaml b/tests/http-encoding-identity/test.yaml
new file mode 100644
index 000000000..da6cf35cb
--- /dev/null
+++ b/tests/http-encoding-identity/test.yaml
@@ -0,0 +1,16 @@
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ min-version: 8.0.1
+ count: 0
+ match:
+ event_type: anomaly
+ anomaly.event: ABNORMAL_CE_HEADER
+
--
2.47.3
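Review bot: The second check in test.yaml (`count: 0` for `anomaly.event: ABNORMAL_CE_HEADER`) also passes when the event is absent for unrelated reasons, such as anomaly logging being off in the configuration the test runs with or the event being renamed later, so on its own it does not show that the identity path was exercised. The first check does tie the run to the decoded response body, which helps. A comment above the second filter such as `# identity must not raise ABNORMAL_CE_HEADER (ticket 7843); requires anomaly logging in eve-log` would make that dependency explicit. The `min-version: 8.0.1` gate presumably tracks the release carrying the fix and would need revisiting if the fix is backported.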