http: adds test with chunked as a token
authorPhilippe Antoine <pantoine@oisf.net>
Mon, 12 Feb 2024 13:02:40 +0000 (14:02 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 16 Feb 2024 05:45:37 +0000 (06:45 +0100)
Ticket: 6415

tests/http-chunked/README.md [new file with mode: 0644]
tests/http-chunked/input.pcap [new file with mode: 0644]
tests/http-chunked/test.rules [new file with mode: 0644]
tests/http-chunked/test.yaml [new file with mode: 0644]

diff --git a/tests/http-chunked/README.md b/tests/http-chunked/README.md
new file mode 100644 (file)
index 0000000..35e629b
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test that we handle Transfer-Encoding when `chunked` is one token
+
+## PCAP
+
+From https://redmine.openinfosecfoundation.org/issues/6415
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6415
diff --git a/tests/http-chunked/input.pcap b/tests/http-chunked/input.pcap
new file mode 100644 (file)
index 0000000..298d3a5
Binary files /dev/null and b/tests/http-chunked/input.pcap differ
diff --git a/tests/http-chunked/test.rules b/tests/http-chunked/test.rules
new file mode 100644 (file)
index 0000000..a30fa6c
--- /dev/null
@@ -0,0 +1,28 @@
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Host"; fast_pattern; classtype:web-application-attack; sid:11; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:12; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:13; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:14; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:15; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:16; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:21; rev:1;)
+# does not work cf http.cookie keyword and http.header doc expliciting this exclusion
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:22; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:23; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:24; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:25; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:26; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Host"; fast_pattern; classtype:web-application-attack; sid:31; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:32; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:33; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:34; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:35; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:36; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:41; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:42; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:43; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:44; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:45; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:46; rev:1;)
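Review bot: None of the 24 rules in this hunk inspects the decoded body, so the test pins only that request headers are still parsed and matched once the `chunked` token is accepted; a later regression in the chunked body decoding itself would pass unnoticed as long as header parsing completes. If the decoded body of the pcap's request is known, one extra rule on `http.request_body` with a content string taken from that body would make the test cover the decoding path too. The comment on the sid 22 line explains why the Cookie match on `http.header` is not expected to fire, but the first group (sids 11-16) has no comment saying what distinguishes it from the sticky-buffer groups; a one-liner such as `# sids 11-16: content match with no sticky buffer, same header names as the groups below` above sid 11 would document the intent.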
diff --git a/tests/http-chunked/test.yaml b/tests/http-chunked/test.yaml
new file mode 100644 (file)
index 0000000..c8b043e
--- /dev/null
@@ -0,0 +1,122 @@
+requires:
+  min-version: 7
+
+args:
+  - -k none --set packet-alert-max=32
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 11
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 12
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 13
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 14
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 15
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 16
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 21
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 23
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 24
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 25
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 26
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 31
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 32
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 33
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 34
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 35
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 36
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 41
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 42
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 43
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 44
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 45
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 46
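Review bot: sid 22 is silently absent from the checks list, so a reader of test.yaml alone cannot tell whether the omission is deliberate or a typo; the reason is only given as a comment in test.rules. Since suricata-verify supports `count: 0`, the documented exclusion can be asserted here rather than left implicit, which also catches a future change that makes Cookie visible in `http.header` without anyone noticing. A short comment on the `args` line, e.g. `# 24 rules can fire on one packet; raise packet-alert-max above the default so none are dropped`, would likewise explain why `--set packet-alert-max=32` is needed.

```yaml
  # sid 22 (http.header; content:"Cookie") is expected NOT to fire: the Cookie
  # header is excluded from the http.header buffer, see the comment in test.rules.
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 22
```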