From f295953ec7bf79ae56f6c15501c3f24db914180c Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 27 Apr 2023 11:52:07 +0200
Subject: [PATCH] detect: adds test with bsize:0

---
 tests/detect-bsize-0/README.md | 9 +++++++++
 tests/detect-bsize-0/input.pcap | Bin 0 -> 1574 bytes
 tests/detect-bsize-0/test.rules | 2 ++
 tests/detect-bsize-0/test.yaml | 17 +++++++++++++++++
 4 files changed, 28 insertions(+)
 create mode 100644 tests/detect-bsize-0/README.md
 create mode 100644 tests/detect-bsize-0/input.pcap
 create mode 100644 tests/detect-bsize-0/test.rules
 create mode 100644 tests/detect-bsize-0/test.yaml

diff --git a/tests/detect-bsize-0/README.md b/tests/detect-bsize-0/README.md
new file mode 100644
index 000000000..7274ec98d
--- /dev/null
+++ b/tests/detect-bsize-0/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test `bsize` keyword with 0 value
+cf https://redmine.openinfosecfoundation.org/issues/6025
+
+# PCAP
+
+Pcap crafted with dummy HTTP server anc nc client to have an empty user-agent
+
diff --git a/tests/detect-bsize-0/input.pcap b/tests/detect-bsize-0/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b8cfce03816a88e94ee47e8b5179474532607f11
GIT binary patch
literal 1574
zc-ocI&ui0Q7{Kwj?U)h?IPow9>C5m?!TzqajooZ%M~iHrBl`ogHd_k)W%?Ez4%CZY z6vTlb;=vB2V=&i(D2Q!w;E-)M51#d~fwDtEkDJf4EzQF0XiHys33)$!^XARB)!J(_ z=_C5@U|tE|NQEArA~BfbFvA!nB#i%XKOy%BG2vKiS|dNlFFnIGE9SkuT_4=rcm2D` zV(B-TPIC`dZ!het<^%IZ7p66`)|8@mE8xzroI7qVpMR1-S2N#$82~Gwo4yX6^WZMt zKRftq*9I34`_Mz@Z5PgA+ag*=9j$2@oUaZGiNpH1?nF=Q83f0#^*s8ER(w>XPMQ$K zn@+dG%^|x3Y!7*5W8T6`q^sa;-Qr0C)+cl))*-Ll&I@RH&*Nw%@8lz0s=v{G2Tt~tsoP^$YxnuIzVa4YlSNszM`q+46F4-Vg4sh`-Pl%tjP84I zDpm^#!up`@T any any (http.user_agent; bsize: 0; sid:46;)
+alert http any any -> any any (http.user_agent; content: !"u"; sid:47;)
diff --git a/tests/detect-bsize-0/test.yaml b/tests/detect-bsize-0/test.yaml
new file mode 100644
index 000000000..25de3e1da
--- /dev/null
+++ b/tests/detect-bsize-0/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 46
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 47
-- 
2.47.3
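Review bot: The two filters in this hunk only assert that sid 46 and sid 47 each fire exactly once; an unexpected extra alert from either rule on another packet of the pcap, or any other alert, would not fail the test. Consider adding a third check that pins the total, `- filter: {count: 2, match: {event_type: alert}}`, so the bsize:0 rule is shown to match only the empty user-agent request and nothing else. The expected total of 2 is inferred from the two rules in test.rules rather than visible in this hunk, so adjust it if the pcap carries additional HTTP requests that are meant to alert.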