From be7d4ecb22556be6a11cbb6a063d5affcc76912d Mon Sep 17 00:00:00 2001
From: Alice Akaki
Date: Thu, 13 Feb 2025 17:04:29 -0400
Subject: [PATCH] detect: transaction cleaned before detection when stream.midstream=true

Ticket: #7552
---
 tests/bug-7552/bug-7552-01/README.md | 11 +++++++++++
 tests/bug-7552/bug-7552-01/input.pcap | Bin 0 -> 281 bytes
 tests/bug-7552/bug-7552-01/test.rules | 1 +
 tests/bug-7552/bug-7552-01/test.yaml | 12 ++++++++++++
 tests/bug-7552/bug-7552-02/README.md | 11 +++++++++++
 tests/bug-7552/bug-7552-02/test.rules | 2 ++
 tests/bug-7552/bug-7552-02/test.yaml | 14 ++++++++++++++
 7 files changed, 51 insertions(+)
 create mode 100644 tests/bug-7552/bug-7552-01/README.md
 create mode 100644 tests/bug-7552/bug-7552-01/input.pcap
 create mode 100644 tests/bug-7552/bug-7552-01/test.rules
 create mode 100644 tests/bug-7552/bug-7552-01/test.yaml
 create mode 100644 tests/bug-7552/bug-7552-02/README.md
 create mode 100644 tests/bug-7552/bug-7552-02/test.rules
 create mode 100644 tests/bug-7552/bug-7552-02/test.yaml

diff --git a/tests/bug-7552/bug-7552-01/README.md b/tests/bug-7552/bug-7552-01/README.md
new file mode 100644
index 000000000..5903ce2c5
--- /dev/null
+++ b/tests/bug-7552/bug-7552-01/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Created when a bug was found - Transaction gets cleaned by
+AppLayerParserTransactionsCleanup before detection is run in the to_client
+direction when stream.midstream=true and first packet is to client direction.
+
+https://redmine.openinfosecfoundation.org/issues/7552
+
+# PCAP
+
+PCAP created by selecting packets from ../http-gap-simple/input.pcap
\ No newline at end of file
diff --git a/tests/bug-7552/bug-7552-01/input.pcap b/tests/bug-7552/bug-7552-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..9d632dbe5c906bea055684432c28c77a69b63744
GIT binary patch
literal 281
zc-p&ic+)~A1{MYcfUu|Y^TaDAFfgoSfM6ydc4c5#%D~{j;K0VfP|v`?2*UCcP9%1m zm77?4v`3;r!tnCHnLt5C4z9F22gE_xBP1k1-%!s$!N|Zs!QY#gD>${NEVal=!LcAQ zIU|*q%Q-(UFEzO&Ge6HtAvq_%7$Q`XnpdJ5Qdy8{rBISuQKFwwlAD8&@JY=}FUhb{ zFf`)j;^p#4&B@7E2uRH@$N_2wIlKhua0> any any (msg:"HTTP Stat Code Response"; http.stat_code; content:"200"; sid:1;)
\ No newline at end of file
diff --git a/tests/bug-7552/bug-7552-01/test.yaml b/tests/bug-7552/bug-7552-01/test.yaml
new file mode 100644
index 000000000..3ef7235b6
--- /dev/null
+++ b/tests/bug-7552/bug-7552-01/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/bug-7552/bug-7552-02/README.md b/tests/bug-7552/bug-7552-02/README.md
new file mode 100644
index 000000000..e1f106382
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Created when a bug was found - Transaction gets cleaned by
+AppLayerParserTransactionsCleanup before detection is run in the to_client
+direction when stream.midstream=true and first packet is to client direction.
+
+https://redmine.openinfosecfoundation.org/issues/7552
+
+# PCAP
+
+PCAP from ../../ldap-unsolicited/ldap.pcap
\ No newline at end of file
diff --git a/tests/bug-7552/bug-7552-02/test.rules b/tests/bug-7552/bug-7552-02/test.rules
new file mode 100644
index 000000000..c257317c1
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/test.rules
@@ -0,0 +1,2 @@
+# we want alert tcp instead od alert ldap to test one more edge case
+alert tcp any any -> any any (msg:"Test LDAP response operation"; ldap.responses.operation:extended_response; sid:1;)
\ No newline at end of file
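Review bot: The single check in tests/bug-7552/bug-7552-01/test.yaml counts alerts for sid 1 and nothing else, so it does not show what detection matched on once the transaction is no longer cleaned early. Since the rule fires on http.stat_code 200, a second filter on the http record pins that the response transaction was actually logged in the to_client direction, which is the behaviour the README describes as broken. The pcap is binary here, so the count of 1 for the http record is an assumption to confirm against the selected packets. If the selected packets hold more than one response, adjust the count rather than drop the check.
```yaml
# … unchanged: requires, args, existing alert check …
  - filter:
      count: 1
      match:
        event_type: http
        http.status: 200
```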
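Review bot: The comment on the first line of tests/bug-7552/bug-7552-02/test.rules has a typo, `instead od` should read `instead of`. The comment also names an "edge case" without saying what it is, so a reader cannot tell what `alert tcp` exercises that `alert ldap` would not; I read it as a rule with no app-layer protocol in the header still needing the LDAP transaction to be present at detection time, and if that is right it is worth stating, for example `# alert tcp instead of alert ldap: a rule without an app-layer protocol must still see the LDAP transaction in the to_client direction`.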
diff --git a/tests/bug-7552/bug-7552-02/test.yaml b/tests/bug-7552/bug-7552-02/test.yaml
new file mode 100644
index 000000000..d949d4967
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none --set stream.midstream=true
+
+pcap: ../../ldap-unsolicited/ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
--
2.47.2
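Review bot: `pcap: ../../ldap-unsolicited/ldap.pcap` in tests/bug-7552/bug-7552-02/test.yaml ties this regression test to another test's fixture, so if ldap-unsolicited's capture is replaced or trimmed this test's outcome changes without anything under bug-7552-02 being touched. bug-7552-01 in the same patch copies the relevant packets into its own input.pcap and records the origin in README.md; doing the same here and dropping the `pcap:` line keeps the two tests self-contained and consistent. If the full capture is needed and a copy is not wanted, at least note in bug-7552-02/README.md that the test depends on that file staying as it is.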