Related to redmine ticket #78. This test has been added since uricontent
has been deprecated by http_uri.
--- /dev/null
+This test is for regression matching with http_uri. In order to make suricata-verify more robust,
+it is good to add tests for issues that existed before suricata-verify did.
+There was a bug introduced in the early stages https://redmine.openinfosecfoundation.org/issues/78,
+the pcap and signature mentioned in the bug report has been used to create this test.
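Review bot: The README never states what the test is expected to show. After the sentence about the bug report, add a line saying which signature should fire and on which URI, so a failure can be interpreted without opening the ticket. Also, in the last line, "the pcap and signature mentioned in the bug report has been used" should read "have been used".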
--- /dev/null
+alert tcp any any -> any any (msg:"msg escape tests"; content:"blah"; http_uri; sid: 100;)
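Review bot: The msg value "msg escape tests" does not describe what this rule checks, which is a content:"blah" match restricted by http_uri. If the text is kept verbatim from the bug report, say so in the README; otherwise rename it and update alert.signature in test.yaml to match. Minor: the rule carries no rev keyword, and "sid: 100;" has a space after the colon where the other options do not.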
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature: msg escape tests
+ alert.signature_id: 100
+ app_proto: http
+ dest_ip: 208.69.36.231
+ dest_port: 80
+ event_type: alert
+ flow:
+ bytes_toclient: 1588
+ bytes_toserver: 379
+ pkts_toclient: 2
+ pkts_toserver: 4
+ start: 2009-10-16T16:44:16.083524+0000
+ http:
+ hostname: www.google.com
+ http_content_type: text/html
+ http_method: GET
+ http_user_agent: Wget/1.11.4
+ length: 1194
+ protocol: HTTP/1.0
+ status: 404
+ url: /blah/
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 37010
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: 208.69.36.231
+ dest_port: 80
+ event_type: flow
+ flow:
+ age: 0
+ alerted: true
+ bytes_toclient: 5453
+ bytes_toserver: 607
+ end: 2009-10-16T16:44:16.185868+0000
+ pkts_toclient: 5
+ pkts_toserver: 8
+ reason: shutdown
+ start: 2009-10-16T16:44:16.083524+0000
+ state: closed
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 37010
+ tcp:
+ ack: true
+ psh: true
+ rst: true
+ state: closed
+ syn: true
+ tcp_flags: 1e
+ tcp_flags_tc: 1a
+ tcp_flags_ts: 1e
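Review bot: Both match blocks pin far more than the http_uri regression needs. The first filter asserts flow byte and packet counters, the flow start timestamp, http.length and the user agent, and the second filter checks an entire flow record down to the tcp_flags values. Any unrelated change in flow accounting or event output would fail this test and hide what it is for. Consider reducing the first filter to event_type: alert, alert.signature_id: 100, http.url: /blah/ and pcap_cnt: 6, and dropping the second filter unless the flow's "alerted: true" is something this test is meant to cover.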