From be969fd438843a522864bc57031ba4a4de5c7b2d Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sun, 15 Jun 2025 11:02:16 -0400
Subject: [PATCH] test/analyzer: Add test for dsize info

Add a test that checks for dsize value information.
---
 tests/rules/dsize-8.0.0/README.md | 11 +++
 tests/rules/dsize-8.0.0/test.rules | 8 ++
 tests/rules/dsize-8.0.0/test.yaml | 115 +++++++++++++++++++++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 tests/rules/dsize-8.0.0/README.md
 create mode 100644 tests/rules/dsize-8.0.0/test.rules
 create mode 100644 tests/rules/dsize-8.0.0/test.yaml

diff --git a/tests/rules/dsize-8.0.0/README.md b/tests/rules/dsize-8.0.0/README.md
new file mode 100644
index 000000000..c3a35d81a
--- /dev/null
+++ b/tests/rules/dsize-8.0.0/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Engine analysis output for dsize drop rule.
+
+## PCAP
+
+Unneeded
+
+## Related tickets
+
+https://redmine.openinfosecfoundation.org/issues/6357
diff --git a/tests/rules/dsize-8.0.0/test.rules b/tests/rules/dsize-8.0.0/test.rules
new file mode 100644
index 000000000..c4a93b5d8
--- /dev/null
+++ b/tests/rules/dsize-8.0.0/test.rules
@@ -0,0 +1,8 @@
+drop http any any -> any any (dsize:0; sid:1;)
+drop http any any -> any any (dsize: > 0; sid:2;)
+drop http any any -> any any (dsize: >= 4096; sid:3;)
+drop http any any -> any any (dsize: 0-159; sid:4;)
+drop http any any -> any any (dsize: !0-159; sid:5;)
+drop http any any -> any any (dsize: < 100; sid:6;)
+drop http any any -> any any (dsize: <= 100; sid:7;)
+drop http any any -> any any (dsize:!0; sid:8;)
diff --git a/tests/rules/dsize-8.0.0/test.yaml b/tests/rules/dsize-8.0.0/test.yaml
new file mode 100644
index 000000000..2df65ceb1
--- /dev/null
+++ b/tests/rules/dsize-8.0.0/test.yaml
@@ -0,0 +1,115 @@
+requires:
+ min-version: 8.0.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ app_proto: "http_any"
+ requirements[0]: "no_payload"
+ requirements[1]: "flow"
+ pkt_engines[0].name: "packet"
+ pkt_engines[0].is_mpm: false
+ type: "pkt"
+ lists.packet.matches[0].name: "dsize"
+ lists.packet.matches[0].dsize.equal: 0
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ app_proto: "http_any"
+ requirements[0]: "payload"
+ requirements[1]: "flow"
+ pkt_engines[0].name: "packet"
+ pkt_engines[0].is_mpm: false
+ type: "pkt"
+ lists.packet.matches[0].name: "dsize"
+ lists.packet.matches[0].dsize.gt: 0
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ app_proto: "http_any"
+ requirements[0]: "payload"
+ requirements[1]: "flow"
+ pkt_engines[0].name: "packet"
+ pkt_engines[0].is_mpm: false
+ type: "pkt"
+ lists.packet.matches[0].name: "dsize"
+ lists.packet.matches[0].dsize.gte: 4096
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ app_proto: "http_any"
+ requirements[0]: "payload"
+ requirements[1]: "flow"
+ pkt_engines[0].name: "packet"
+ pkt_engines[0].is_mpm: false
+ type: "pkt"
+ lists.packet.matches[0].name: "dsize"
+ lists.packet.matches[0].dsize.range.min: 0
+ lists.packet.matches[0].dsize.range.max: 159
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ app_proto: "http_any"
+ requirements[0]: "flow"
+ requirements[1]: "real_pkt"
+ pkt_engines[0].name: "packet"
+ pkt_engines[0].is_mpm: false
+ type: "pkt"
+ lists.packet.matches[0].name: "dsize"
+ lists.packet.matches[0].dsize.negated_range.min: 0
+ lists.packet.matches[0].dsize.negated_range.max: 159
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ app_proto: "http_any"
+ requirements[0]: "flow"
+ requirements[1]: "real_pkt"
+ pkt_engines[0].name: "packet"
+ pkt_engines[0].is_mpm: false
+ type: "pkt"
+ lists.packet.matches[0].name: "dsize"
+ lists.packet.matches[0].dsize.lt: 100
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ app_proto: "http_any"
+ requirements[0]: "flow"
+ requirements[1]: "real_pkt"
+ pkt_engines[0].name: "packet"
+ pkt_engines[0].is_mpm: false
+ type: "pkt"
+ lists.packet.matches[0].name: "dsize"
+ lists.packet.matches[0].dsize.lte: 100
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ app_proto: "http_any"
+ requirements[0]: "payload"
+ requirements[1]: "flow"
+ requirements[2]: "real_pkt"
+ pkt_engines[0].name: "packet"
+ pkt_engines[0].is_mpm: false
+ type: "pkt"
+ lists.packet.matches[0].name: "dsize"
+ lists.packet.matches[0].dsize.diff: 0
-- 
2.47.3
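Review bot: The sid 4 check in test.yaml pins `requirements[0]: "payload"` for `dsize: 0-159`, a range whose lower bound is 0, while sid 6 (`dsize: < 100`) and sid 7 (`dsize: <= 100`), which also admit a size of 0, carry no payload requirement. If the `0-159` form includes its lower bound, a zero-length packet is in range but would presumably be excluded by the payload requirement before the `drop` rule is evaluated, so the test would lock in a missed match rather than the intended behaviour; this needs confirming against the dsize parser. If the expectation is deliberate, a line in README.md such as `sid 4: the range form requires payload, so size 0 is not expected to match` would keep the next reader from treating it as a bug. The checks also address `requirements[N]` by position, so a reordering of that array in the analyzer output would fail every block without any change in meaning.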