From b4cc9b7458431c1f51085d3a3e78cce9a79670a4 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 20 Jun 2023 13:35:41 +0200 Subject: [PATCH] Adds test about http authentication with bearer --- tests/http-auth-bearer/README.md | 8 ++++++++ tests/http-auth-bearer/input.pcap | Bin 0 -> 1006 bytes tests/http-auth-bearer/test.rules | 1 + tests/http-auth-bearer/test.yaml | 9 +++++++++ 4 files changed, 18 insertions(+) create mode 100644 tests/http-auth-bearer/README.md create mode 100644 tests/http-auth-bearer/input.pcap create mode 100644 tests/http-auth-bearer/test.rules create mode 100644 tests/http-auth-bearer/test.yaml diff --git a/tests/http-auth-bearer/README.md b/tests/http-auth-bearer/README.md new file mode 100644 index 000000000..3362997c3 --- /dev/null +++ b/tests/http-auth-bearer/README.md @@ -0,0 +1,8 @@ +# Description + +Test http auth bearer recognition +https://redmine.openinfosecfoundation.org/issues/6162 + +# PCAP + +The pcap comes from running htptopcap on data from libhtp test diff --git a/tests/http-auth-bearer/input.pcap b/tests/http-auth-bearer/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..64c7cb914533c347e13a339df356ca0a62a36059 GIT binary patch literal 1006 zc-p&ic+)~A1{MYcfUx8HCZN96-o{je((_fq@Z(uRF?nHq(KCP1|;_BR-rnb{Z_Ik-ZUb~=MiWrCPFn+P-IJ+3=0Y$`ntG*@$j5T==} zSI!>?nF}*>Gtf*6pjj3OGfi-~Qxj|=tM3@70+X;|a$mYP@ z1Tv?8GBZO9P=5=;oCdt^kpP-gg6bZ3*ANAL1&@%B0DVI}LoSc};u0%`^73-M)QZI1 zf}B*n5azhyHAezyjuomoFkdMc85k(|dvift_;xbUu~-T;{T8lR q{6@S_Z-HGXh~1}>Q%G{pZCvh|O{zJ9*v&aGg=l}>2AWldEd~Lv$^fze literal 0 Hc-jL100001 diff --git a/tests/http-auth-bearer/test.rules b/tests/http-auth-bearer/test.rules new file mode 100644 index 000000000..087e4afb4 --- /dev/null +++ b/tests/http-auth-bearer/test.rules 
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"SURICATA HTTP Request unrecognized authorization method"; flow:established,to_server; app-layer-event:http.request_auth_unrecognized; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:1; rev:1;)
diff --git a/tests/http-auth-bearer/test.yaml b/tests/http-auth-bearer/test.yaml
new file mode 100644
index 000000000..8cff0798b
--- /dev/null
+++ b/tests/http-auth-bearer/test.yaml
@@ -0,0 +1,9 @@
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
--
2.47.3
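Review bot: The only check in test.yaml is `count: 0` for `alert.signature_id: 1`, which also passes when the pcap is never parsed as HTTP or the Authorization header is never reached, so the test cannot tell "bearer was recognized" from "nothing was inspected". Add a positive check next to it, a second `filter` with `match:` on `event_type: http` and the count the pcap actually yields (not visible from this patch), so that a decoder regression fails the test instead of passing silently. If the bearer handling exists only from a particular release, a `requires:` block with `min-version: <FIRST_FIXED_VERSION>` would keep the test from failing on older branches.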