From 63d12f253d02c17e8c0546a04aaac5067f4fa25e Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 1 Oct 2019 10:37:00 +0200
Subject: [PATCH] Adds test for http post data decompression
---
tests/http-post-data-decompression/README.md | 7 +++++++
tests/http-post-data-decompression/input.pcap | Bin 0 -> 1256 bytes
tests/http-post-data-decompression/test.rules | 1 +
tests/http-post-data-decompression/test.yaml | 11 +++++++++++
4 files changed, 19 insertions(+)
create mode 100644 tests/http-post-data-decompression/README.md
create mode 100644 tests/http-post-data-decompression/input.pcap
create mode 100644 tests/http-post-data-decompression/test.rules
create mode 100644 tests/http-post-data-decompression/test.yaml
diff --git a/tests/http-post-data-decompression/README.md b/tests/http-post-data-decompression/README.md
new file mode 100644
index 000000000..4f0c1de76
--- /dev/null
+++ b/tests/http-post-data-decompression/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test http request post data decompression
+
+# PCAP
+
+The pcap and rule come from https://redmine.openinfosecfoundation.org/issues/2510
diff --git a/tests/http-post-data-decompression/input.pcap b/tests/http-post-data-decompression/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..22ac296774844a081fd17f154eb923f5cf6e8ad0
GIT binary patch literal 1256 zc-n>1PfXKL90%~X@i&b{Koiged3X|J?b>ZRswOZ+hk(pb;(-{b-D8~@UFkYuo{Uk! z5F-a~CJON)!Ds@gR}-TU1tEbLkARSvEaFAE8GLVJgUyLeUc0=$eD>@2_gj2BK4J#h zAaQMO0${?=Zx0LFxdj@W$G^z}dnzNpAK?4^y@7mC55URMTeYAzx8~rRr_nCF&=dq7 zac1s5IXrCE3*9#XFlXmXW}EY=qfg3~$i68nE04(KizzZT<9=KQfXFM4h)Q(enSv#* zU*lLG8ZPdEM%T7%YI*;P=sRT>MqQa|wvXP9)m)KQ^AOf2ZWMyGeJZZe6t9=aL@ZdP z!C@Q;S?Qu_|L7eeI%_kErC@DrFexq*(bLi@LRRrJnxa9sD0*0q;b_Vo3>gCCYIue_ z=45!AgW;@ryDfxtOPvp?_@x}y1MG3e;UMShWEp9Avx=>vsnbE#z(*|gsvPwCRi6NT z*Ztb|eiKrCh9W?_V|!1GXh?vPrUm@6WcY(B+h^(R?X`3T^==FPCqyjdr74;!AIt|o z-W9ZitdET|%`ay^%uTnt8>(l=#Oc|Frpiy#&sNRgLdV6<16y-L65G*()b84CIV7}0R&Mp&iFBaD^ww_5`vgH!-`Ol1EDTrQnr;3T#A#b(9mPVR7 zBN;f1OUPRdZC2PUMerNW2{~S{I|PRfo@*9qsuk(ikS@SFO_CMF@{FC~czC4kN?0|* zm4Bzr+tbrFP@lmnMt9%@lod%2A>&k=c-G=1A-nzXYEV(3R|=~U*d36(A;lk|DiUA6 z%S`vjX1Y9e0_U|7*G31<^Lx>k@L7m_uu67>&}`H*@5 literal 0 Hc-jL100001
diff --git a/tests/http-post-data-decompression/test.rules b/tests/http-post-data-decompression/test.rules
new file mode 100644
index 000000000..6ca8c9f7e
--- /dev/null
+++ b/tests/http-post-data-decompression/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "GZIPPED REQUEST"; flow: established, to_server; content: "name"; http_client_body; nocase; sid: 1; rev: 1; )
diff --git a/tests/http-post-data-decompression/test.yaml b/tests/http-post-data-decompression/test.yaml
new file mode 100644
index 000000000..823312db7
--- /dev/null
+++ b/tests/http-post-data-decompression/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
--
2.47.2
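Review bot: The rule in test.rules proves request-body decompression only through a four-byte, case-insensitive match on `name`, and nothing in the file states that this string is expected solely in the inflated body. Whether it is absent from the raw compressed bytes cannot be confirmed from the patch, because the capture is binary. If that holds for the capture, a leading comment such as `# "name" occurs only in the gunzipped POST body; an alert shows http_client_body inspected inflated data` would record the intent. Since test.yaml sets `min-version: 7`, the sticky-buffer form `http.request_body; content:"name"; nocase;` could replace the legacy `http_client_body` modifier, unless the legacy keyword is kept on purpose to mirror the rule from the referenced issue.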
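Review bot: The single filter under `checks` in test.yaml matches only `event_type: alert` and `alert.signature_id: 1`, so the test passes on any one alert from sid 1 without tying it to the POST transaction the test is named for. Adding `http.http_method: POST` under `match` would pin that, assuming the alert event carries HTTP metadata under the default configuration used by the test runner. The `HAVE_LIBJANSSON` entry under `requires.features` also looks redundant next to `min-version: 7`; worth confirming and dropping if so.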