tests: add test for issue 4376

diff --git a/tests/bug-4376/README.md b/tests/bug-4376/README.md
new file mode 100644 (file)
index 0000000..d45f753
--- /dev/null
+++ b/tests/bug-4376/README.md
@@ -0,0 +1 @@
+PCAP from https://redmine.openinfosecfoundation.org/issues/4376

diff --git a/tests/bug-4376/syn_retransmit_with_ts.pcap b/tests/bug-4376/syn_retransmit_with_ts.pcap
new file mode 100644 (file)
index 0000000..346a35e
Binary files /dev/null and b/tests/bug-4376/syn_retransmit_with_ts.pcap differ

diff --git a/tests/bug-4376/test.rules b/tests/bug-4376/test.rules
new file mode 100644 (file)
index 0000000..46c6c6e
--- /dev/null
+++ b/tests/bug-4376/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (flow:to_server; http.host; content:"nx2500-242-4-server"; sid:1;)
+alert http any any -> any any (flow:to_client; http.stat_code; content:"200"; sid:2;)

diff --git a/tests/bug-4376/test.yaml b/tests/bug-4376/test.yaml
new file mode 100644 (file)
index 0000000..6eab896
--- /dev/null
+++ b/tests/bug-4376/test.yaml
@@ -0,0 +1,36 @@
+args:
+- -k none
+- --set vlan.use-for-tracking=false
+- --set app-layer.protocols.http.libhtp.default-config.response-body-limit=200kb
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        vlan[0]: 3136
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.filename: "/malware/ppt/mal/51f14eb6c874686e5f593132cf0f742d.ppt"
+        fileinfo.state: CLOSED
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.hostname: "nx2500-242-4-server"
+        http.status: 200
+        vlan[0]: 3136
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        tcp.state: closed
+        vlan[0]: 3136