From 24a222ca22ba30413e68fc288fd7ced12a995a81 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Fri, 3 Sep 2021 11:09:57 +0200
Subject: [PATCH] Adds http2 range test

---
 tests/http2-range/README.md        |  14 ++++++++++++++
 tests/http2-range/http2-range.pcap | Bin 0 -> 10775 bytes
 tests/http2-range/server.go        |  25 +++++++++++++++++++++++++
 tests/http2-range/test.yaml        |  21 +++++++++++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 tests/http2-range/README.md
 create mode 100644 tests/http2-range/http2-range.pcap
 create mode 100644 tests/http2-range/server.go
 create mode 100644 tests/http2-range/test.yaml

diff --git a/tests/http2-range/README.md b/tests/http2-range/README.md
new file mode 100644
index 0000000..3ea272e
--- /dev/null
+++ b/tests/http2-range/README.md
@@ -0,0 +1,14 @@
+# Description
+
+Test http2 file extraction over multiple transactions with range header.
+# PCAP
+
+The pcap comes from running dummy HTTP1 and HTTP2 server with `go run server.go` with an eicar.txt file in the current directory containing the eicar file
+and in parallel as client(s) :
+```
+curl -H 'Range: bytes=0-10' --http2 127.0.0.1:8080/eicar
+curl -H 'Range: bytes=10-20' 127.0.0.1:8080/eicar
+curl -H 'Range: bytes=20-30' --http2 127.0.0.1:8080/eicar
+curl -H 'Range: bytes=30-40' 127.0.0.1:8080/eicar
+curl -H 'Range: bytes=40-68' --http2 127.0.0.1:8080/eicar
+```
diff --git a/tests/http2-range/http2-range.pcap b/tests/http2-range/http2-range.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0f149a6ca7a4265bdd07a1fec35e5db6e1d2dbea
GIT binary patch
literal 10775
zc-qyOdrVvR6~})D5`o7f&O?K(2{(@>fyH1G+W`Xw$Kl~BP{%e&uxS?8xWowp0*=<I
zTLP#F8idE%X)S3pwq=p3ByG{uKMI;QZ7hFme{9WKX`rp@sx^;}sM)eqZIdbN9N&k3
z*SXjJT`84Tk{?38zMtRsoZq>}=L_%6{o<!-B!k4i_@Ae)nuBM{^T;mv8CM#tIznpk
zf9-NYP7tEQ^}%rA#Px<tR=j6AZE5Mg1>T!cGp|ceU#`<->Zh}hUyV`Ic;;;eX5qvK
z!#(p)W&+nXz4Afk#fA1ykSj8mfLRW#@;K9?qSFT4to{}Gi}$y}i-JDnAt$RMHAm2v
zg)EvQYC?_;IQQWGdvVTZN%iCdXHl-Fq0YyZh9jY1FW2bvxl7F@<{W)vcVE=bnag&R
znBbq;UT!Kk<>*`b!o5aEN4N{Fg^u-hmhLFAS@7+SP$=93FBX>;=jff?U0vZ&G}7H=
z=URF?dV}rZZ83D2(Ho9NBV8SRfZ{LMxkF_k*iLrU&N&=S4u@ms5r@O$;J;k4?>Tx;
zu&V>^dg|F|xUbq|G=r)fJ*Hxhwv>JWDZQbT(!=&Ve1B{Soad5q@`2MW=ZJaa%qBDE
z{Z1qrIs|cX?%wWbcc{CwPccV{IpM?lzMZ+^z5q#X2<x9p6?YjpZn)na=j=|($p=oY
zoa6SmxMIFY%1UC1_cn<-{{(z5aJ_N<6UzM84HDle=M%D0Xb<VI+DS$&5ooc8?>*R}
zjz^1II8?USCT(F&+#(}0wnNPl(IND@ow;n>s9mjWZfWCe1I~3N&TVa+3N_BAsyxyP
z_qWD5ElD}~z;Vergyak7v5c$`PUS9HPFCn@p?9y~Po=zywLo95fX$Ao6{xE!_2~+N
zk4l2AlHgmsVBvI09)G&~w23<o;y$LtT|+Q(BESJPu_bV-lXCKbW0rI9qe&;$@`)<u
zV?GYhoe9T`(OyGNV|8j_G7e_VEa%9Cg{zq}wiBR3N*VhJaIWMM@+#q%z<F6k*pMXb
zv?S~fFD#(L0@MwAo*)17<KqX0;rmH4T{}0v^z9d1-#tHkqu|0l_lsk{TVwK1?tQNF
zM{~hn{V=__%Xm05P2Yd~@85iz6php`wWXQO!NhBiy#3DV%jZs@)@!*$OU#RO4*;Eu
zs24e(=MvUuZc&QaC5st8o4-czFm(H^Ppo%8TI+BJKuZQbda>6DZj_y;Meu=ax_W5A
zUacI1GAG2q;R8RA4J>CuHOB%+&MB=NgEHqe_PCtD%2CVD4GT#<mW~uoOdY&muQrx?
zbbs9<j-|-lY9%aV>BvhTzVjd8HYkmy&z#qnAXj8stqk$<Ivap{haM-9gFNIsW@XAh
zYP*9hnj>mL&OYEw5q=4rSCZ<%v2<Ln=b?|KvdPhGGM2?A7?j(sE$lbwk1#rHn~jjQ
zI)3pST|rU~3@A%Ea*i}QmYHmvJJ=hI1UosH7NZcI7?3d*N}mu*Y?#E$#@*qrj_4uC
zk2(Gt9W@t=y3|$?zwCRq2d+lL&qPamI)jm}N-lIL*xMJ5Rv(K#Z7k2x?+*4wjZNL{
zk*6c!b~{(!8`;L0wsYQa4=5}%bEXQr$!a&5xP~TQj(%4#8diCe&2ACi#3$WhW3JgZ
zUi$FL0^M}!nsosO=E&F*I5o;izp@}E{r+}&(k*Rn|9-1wtNTC^BAc~I`-pBIw6saB
z9D_3FqK&mauY3foH`VI%H(EIcWzM_oalHwwt7`c<-OA8jPZv%Mtt)R*Yp?I;&kfS;
zb)l81y`EmR@zH$XHY>H)Gu&JMK(5HV(aI1nud^Ar1$0|P4)T!muU4k~qqYKM(Hv0|
za`OCy{Fm@c;C!A`54P8vay?&R*I#BbZkKxZ7QdF9R;;Ak2%Xb$KVh-`aSmnsMb1OA
z{V3<>e%6w!SP7C2(vLh{ayR`Xwe6=ll<gNeYPKKwpZZB^+t2fhCB9S6Ph$IVi@Sc3
z+V=BX)Ja=d6StsjKSFZ@%w=;BwX2oQDs7xPx)su#HQG2HHO{dBlLd)$C<`KTQrdpp
zXe7W~pdQ$4K&?Pu3=kIEkAepz!PZ2<l<i08kF|*#qfIO=?s9;nw*54Rvi<SW6Wlcd
z=h=^W44?tEV_w$A<gVi!%3a5^rsS?OmQAMT);vsiZD?aYi~#7pO+RY%VXSRqF74Y=
z%ny{d;I4~yIGsg1zPG8)<$S<hn>7jEyox>~TJRCA9D_1vvW>N9Hm?F!n_AJltCeF=
z=6u2)R~xWatL10xB*XYOS~y|6w0A~r{Hx#megi%JeSDH>{2M(ppE(2ES*7uB<C85f
zAXj95c9J1pUgs=uXX&vGImkl}ImMKJ)HaJOnj>n8jXb9q+%>I-a@V4sFV|gfHyJI`
zgjS;|?0xI$PYOD0#}Jddj&mq?Epon8cO8rR|HNJUhgfTN-}*E2SyOb=rEB)7AtrY{
ziVQL7qPrH8?sRyJUZ10Rm&1d|!`h@>pxXy6?JcbwgEHs0L#*|gbpco#)avtZS~&(~
z&Zq2gZ2;CqwftC4=u)@WvBHU>-_NX8Yp;{V=NIYr`aA;@VjP>8^V)&CMyb6v{d&rd
zT#-2e%#`u+I@bWVl5UI0L0;@*l7S;=t3(#f5j7#_FThFZu4z4#yB76)h26EqWVDrw
zZRD1=oXUPlN9S~ZzmCOS$2pX{7C8^mU5EOaOKt%q4bqQ1U2;DFPD*!8b0~K$a+100
zmw}(sUGw~ZOMIuCpTb?g($9RtgSd^_37-W{N|zp!I-4y?wI)hUaOpqOByLvrcP?7o
zYuY#kYMi^kVXz=^4rM_^4wJji8(=Na*#g+?oLYf?eL%<Ju2JwgNw76haDuxo)Fy74
zcGtAHEx=*;+ck=tmc*G8#Zm71F>S(T5`^6ph4~nS$vBkl7dbLvp#kRln*r#Cg!-#Q
zC~__V=PcZRHqMz$%E63{$~lCz$!-4#+Wv2({jo~(U)9ShlKK7__S4ufG3Q%HcNQUw
zmB{%eaE`$JN8+3g<)D4*q@V+dL9gX~zh{@x(d={Wb$MF6Mqi!RXRLSau3NvU@mr0>
z`Uid!@CR)n?4i$%4&jkOjU0nAr)iM2j(mH7wNb5(j%wu?lsTj9acu;aM=3x511)%>
A)Bpeg

literal 0
Hc-jL100001

diff --git a/tests/http2-range/server.go b/tests/http2-range/server.go
new file mode 100644
index 0000000..1abcb6a
--- /dev/null
+++ b/tests/http2-range/server.go
@@ -0,0 +1,25 @@
+package main
+
+import (
+	"fmt"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+	"net/http"
+)
+
+func main() {
+	h2s := &http2.Server{}
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.ServeFile(w, r, "eicar.txt")
+	})
+
+	server := &http.Server{
+		Addr:    "0.0.0.0:8080",
+		Handler: h2c.NewHandler(handler, h2s),
+	}
+
+	fmt.Printf("Listening [0.0.0.0:8080]...\n")
+	err := server.ListenAndServe()
+	fmt.Printf("lol %s", err)
+}
diff --git a/tests/http2-range/test.yaml b/tests/http2-range/test.yaml
new file mode 100644
index 0000000..a3b204d
--- /dev/null
+++ b/tests/http2-range/test.yaml
@@ -0,0 +1,21 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 7.0.0
+
+# disables checksum verification
+args:
+  - -k none --set app-layer.protocols.http2.enabled=true
+
+checks:
+
+  # Check that there is one file event with total length.
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.size: 69
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
-- 
2.47.3