From 288e4033f5d58f285260ebcfde388f3bd74e22ac Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 16 Apr 2024 22:55:38 +0200
Subject: [PATCH] http: adds test about decompression

Ticket: 6959
---
 tests/http-encoding-gzip-uncompressed/README.md | 12 ++++++++++++
 tests/http-encoding-gzip-uncompressed/input.pcap | Bin 0 -> 1320 bytes
 tests/http-encoding-gzip-uncompressed/test.rules | 1 +
 tests/http-encoding-gzip-uncompressed/test.yaml | 9 +++++++++
 4 files changed, 22 insertions(+)
 create mode 100644 tests/http-encoding-gzip-uncompressed/README.md
 create mode 100644 tests/http-encoding-gzip-uncompressed/input.pcap
 create mode 100644 tests/http-encoding-gzip-uncompressed/test.rules
 create mode 100644 tests/http-encoding-gzip-uncompressed/test.yaml

diff --git a/tests/http-encoding-gzip-uncompressed/README.md b/tests/http-encoding-gzip-uncompressed/README.md
new file mode 100644
index 000000000..f5db8febe
--- /dev/null
+++ b/tests/http-encoding-gzip-uncompressed/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test that we do not wrongly decompress if we have encoding gzip but clear text
+
+## PCAP
+
+From https://redmine.openinfosecfoundation.org/issues/6959
+
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6959
diff --git a/tests/http-encoding-gzip-uncompressed/input.pcap b/tests/http-encoding-gzip-uncompressed/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..dd66e9b6df4228e33ff137708ed7804c6222a1cc GIT binary patch literal 1320 zc-noG(Tm(f9LICjilhYBq9B6oxcG2|+w9C_GLy+6n9XE*Xlqw)udhc;(%raw$-0|6 z)>A8T_*PJSvTDEs7#&`&1D74+tXEN2S_2xwT!Zgwe1_#vr4F!l-53=-Q1c`zWHQIS-McoH-FxL>H14s>-SPhLP@Hg-M*oO zv5Et&gNgztl*R2SMPJx>&pcO+|2o-te9v4Cs7P8BML`qF)lUuWTcs`I*GD$|jaz?) ztoqbWNtxN1P4o6Ahf~B^sJBIE>Q8M_iY%Wet^ur>VV%o0_5*LJnK|hVcBF(eL zE2BI!^rcZUta}|Lae)Z?YiX~6O=LnadnCTvO}P` zn)c(yu~uslJ0`X37OS&5LWc}}As;E4I+Qt1vvC?`qn;V%E3She+|4LUqA~>+ypSY= zy4O$F{*~#GB>0C`6WO)!qy|9zi+?s-$<7ma~ zu7;zoT3(w7?k=h!lbJ-##>rY5CCh27<}4dhhB=06BTAgwn`Ku&yg2p7+YdZ;=J@vc zE4Mb=AMNR|MEU%5>5V@&C*Jt%lA-;ev}II2f8)1Pk7ggsm&Ns6Z+!8OH$J#8MR_Co zQPb}D0AL7#p$pYZ7sz2c2P_Cg5~+ENRf$}ix&(v6N8A4|Ajah0YWK=&hm&fzhGAzV zbis>xJqn|4S^sjVmyluJcR_adM=&0w!(`-wc6W6SKm?u-Gk`dQ077^7o$PPuP2>c^ zfy@t}XOpIHp+GR3bDL2?m=7%nLMUuYVgdz{mLmvhVx^%-3K38qK%09$lG2l$6GR|w zG7E9asqaY}d!ArS^-V}i{dS~koF^G!l0(jgWQ-EZZQ)_dk%S-zV_RU4JA?#?Qtk_6 z(Eu@JLnp9&hX^cuWR>}H>NzSgESS@jN-2>oq$fC)ffq literal 0 Hc-jL100001 diff --git a/tests/http-encoding-gzip-uncompressed/test.rules b/tests/http-encoding-gzip-uncompressed/test.rules new file mode 100644 index 000000000..8cda46105 --- /dev/null +++ b/tests/http-encoding-gzip-uncompressed/test.rules @@ -0,0 +1 @@ +alert http $HOME_NET any -> $EXTERNAL_NET 8100 (msg:"ET MOBILE_MALWARE Android Dropper Checkin Activity (POST)"; flow:established,to_server; http.request_body; content:"|22|sdk_version|22 3a|"; content:"|22|app_package|22 3a 22|"; distance:0; content:"|22|app_version|22 3a 22|"; distance:0; content:"|22|device_id|22 3a 22|"; distance:0; classtype:trojan-activity; sid:2038629; rev:1;) diff --git a/tests/http-encoding-gzip-uncompressed/test.yaml b/tests/http-encoding-gzip-uncompressed/test.yaml new file mode 100644 index 000000000..4b5bb4bc8 --- /dev/null 
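Review bot: The test.rules hunk gives no indication of why this particular ET signature was chosen or how it relates to the behaviour under test; the connection (a request body that a wrong gzip decompression would turn into unmatched garbage) lives only in the README. A `#` comment above the rule would keep that intent next to the match, for example `# Request body is plaintext despite a gzip Content-Encoding (ticket 6959); http.request_body must expose the raw text for these content matches to hit.` That the gzip header sits on the request side is inferred from `flow:established,to_server` and the README wording rather than from anything visible in this hunk, so adjust the comment if the pcap shows otherwise.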
+++ b/tests/http-encoding-gzip-uncompressed/test.yaml
@@ -0,0 +1,9 @@
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2038629
--
2.47.3
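Review bot: The only check is the positive alert count ending at `alert.signature_id: 2038629`, so a regression that stops HTTP parsing of this flow altogether fails the test in exactly the same way as the decompression regression it is meant to catch, and nothing confirms the transaction itself was logged. Adding a second `filter` entry with `count: 1` matching `event_type: http` would separate those two failure modes and make a future failure easier to read. If the fix for ticket 6959 landed in a specific release, a `requires:` block with `min-version` would keep the test from failing on older builds; the patch does not say which version that is, so I cannot propose the value.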