]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
tests: add tcp fastopen test
authorJeff Lucovsky <jeff@lucovsky.org>
Tue, 2 Jul 2019 19:16:31 +0000 (21:16 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 23 Aug 2019 08:14:07 +0000 (10:14 +0200)
18 files changed:
tests/tcp-fastopen-01/README.md [new file with mode: 0644]
tests/tcp-fastopen-01/test.rules [new file with mode: 0644]
tests/tcp-fastopen-01/test.yaml [new file with mode: 0644]
tests/tcp-fastopen-01/tfo.pcap [new file with mode: 0644]
tests/tcp-fastopen-02/README.md [new file with mode: 0644]
tests/tcp-fastopen-02/test.rules [new file with mode: 0644]
tests/tcp-fastopen-02/test.yaml [new file with mode: 0644]
tests/tcp-fastopen-02/tfo.pcap [new file with mode: 0644]
tests/tcp-fastopen-03/README.md [new file with mode: 0644]
tests/tcp-fastopen-03/test.rules [new file with mode: 0644]
tests/tcp-fastopen-03/test.yaml [new file with mode: 0644]
tests/tcp-fastopen-03/tfo.pcap [new file with mode: 0644]
tests/tcp-fastopen-04/test.rules [new file with mode: 0644]
tests/tcp-fastopen-04/test.yaml [new file with mode: 0644]
tests/tcp-fastopen-04/tfo.pcap [new file with mode: 0644]
tests/tcp-fastopen-05/test.rules [new file with mode: 0644]
tests/tcp-fastopen-05/test.yaml [new file with mode: 0644]
tests/tcp-fastopen-05/tfo.pcap [new file with mode: 0644]

diff --git a/tests/tcp-fastopen-01/README.md b/tests/tcp-fastopen-01/README.md
new file mode 100644 (file)
index 0000000..2eaffa7
--- /dev/null
@@ -0,0 +1,3 @@
+# PCAP
+
+https://redmine.openinfosecfoundation.org/issues/1203
diff --git a/tests/tcp-fastopen-01/test.rules b/tests/tcp-fastopen-01/test.rules
new file mode 100644 (file)
index 0000000..80f7223
--- /dev/null
@@ -0,0 +1,2 @@
+alert http any any -> any any (content:"/etc/passwd"; http_uri; sid:1;)
+alert http any any -> any any (content:"/etc/passwd"; http_raw_uri; sid:2;)
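Review bot: Neither rule has a `msg` or `rev`, so the alerts this test produces can only be identified by sid, and anyone reading eve.json after a failure has to come back to this file to see what fired. I would add them, for example `msg:"tfo test: /etc/passwd in http_uri"; rev:1;` on sid 1 and the `http_raw_uri` equivalent on sid 2. A `#` comment saying that both sids are expected to fire once on the same request would also make the counts in test.yaml easier to follow. The same file is added unchanged under tcp-fastopen-02 and tcp-fastopen-03 (same blob 80f7223), and the single `content:"Hello!"` rule in tcp-fastopen-04 and -05 has the same gap.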
diff --git a/tests/tcp-fastopen-01/test.yaml b/tests/tcp-fastopen-01/test.yaml
new file mode 100644 (file)
index 0000000..e02b6cd
--- /dev/null
@@ -0,0 +1,43 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 2
+      match:
+        event_type: http
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/index.php"
+        http.http_user_agent: "Mozilla/5.0"
+        http.http_content_type: text/html
+        http.http_method: "GET"
+        http.protocol: "HTTP/1.0"
+        http.status: 302
+        http.redirect: "/index.php?page=main.php"
+        http.length: 0
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "//index.php?page=../../../etc/passwd"
+        http.status: 200
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
diff --git a/tests/tcp-fastopen-01/tfo.pcap b/tests/tcp-fastopen-01/tfo.pcap
new file mode 100644 (file)
index 0000000..2893440
Binary files /dev/null and b/tests/tcp-fastopen-01/tfo.pcap differ
diff --git a/tests/tcp-fastopen-02/README.md b/tests/tcp-fastopen-02/README.md
new file mode 100644 (file)
index 0000000..2eaffa7
--- /dev/null
@@ -0,0 +1,3 @@
+# PCAP
+
+https://redmine.openinfosecfoundation.org/issues/1203
diff --git a/tests/tcp-fastopen-02/test.rules b/tests/tcp-fastopen-02/test.rules
new file mode 100644 (file)
index 0000000..80f7223
--- /dev/null
@@ -0,0 +1,2 @@
+alert http any any -> any any (content:"/etc/passwd"; http_uri; sid:1;)
+alert http any any -> any any (content:"/etc/passwd"; http_raw_uri; sid:2;)
diff --git a/tests/tcp-fastopen-02/test.yaml b/tests/tcp-fastopen-02/test.yaml
new file mode 100644 (file)
index 0000000..e8aa728
--- /dev/null
@@ -0,0 +1,46 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 2
+      match:
+        event_type: http
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/index.php"
+        http.http_user_agent: "Mozilla/5.0"
+        http.http_content_type: text/html
+        http.http_method: "GET"
+        http.protocol: "HTTP/1.0"
+        http.status: 302
+        http.redirect: "/index.php?page=main.php"
+        http.length: 0
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "//index.php?page=../../../etc/passwd"
+        http.status: 200
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
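Review bot: The checks are identical to those in tcp-fastopen-01, so nothing in this file shows that the run used `--simulate-ips`. The test would pass unchanged if the flag were ignored. Assuming the alert record carries its action in the targeted version, adding `alert.action: allowed` to the two alert filters would tie the expectation to the inline path for these `alert` rules. The same applies to tests/tcp-fastopen-05/test.yaml, which adds `--simulate-ips` to the arguments of -04 but keeps the same checks.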
diff --git a/tests/tcp-fastopen-02/tfo.pcap b/tests/tcp-fastopen-02/tfo.pcap
new file mode 100644 (file)
index 0000000..2893440
Binary files /dev/null and b/tests/tcp-fastopen-02/tfo.pcap differ
diff --git a/tests/tcp-fastopen-03/README.md b/tests/tcp-fastopen-03/README.md
new file mode 100644 (file)
index 0000000..2eaffa7
--- /dev/null
@@ -0,0 +1,3 @@
+# PCAP
+
+https://redmine.openinfosecfoundation.org/issues/1203
diff --git a/tests/tcp-fastopen-03/test.rules b/tests/tcp-fastopen-03/test.rules
new file mode 100644 (file)
index 0000000..80f7223
--- /dev/null
@@ -0,0 +1,2 @@
+alert http any any -> any any (content:"/etc/passwd"; http_uri; sid:1;)
+alert http any any -> any any (content:"/etc/passwd"; http_raw_uri; sid:2;)
diff --git a/tests/tcp-fastopen-03/test.yaml b/tests/tcp-fastopen-03/test.yaml
new file mode 100644 (file)
index 0000000..5762952
--- /dev/null
@@ -0,0 +1,46 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 2
+      match:
+        event_type: http
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/index.php"
+        http.http_user_agent: "Mozilla/5.0"
+        http.http_content_type: text/html
+        http.http_method: "GET"
+        http.protocol: "HTTP/1.0"
+        http.status: 302
+        http.redirect: "/index.php?page=main.php"
+        http.length: 0
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "//index.php?page=../../../etc/passwd"
+        http.status: 200
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
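Review bot: This test enables `stream.midstream` and ships a different capture from -01 and -02 (blob 006783f against 2893440), but neither this file nor the README, which is the same three lines as in -01, says how the capture differs. A header comment would let a maintainer regenerate or audit the pcap, for example `# tfo.pcap: tcp-fastopen-01 capture with <describe what was removed> so the session is picked up midstream`. It would also help to state in a comment that midstream pickup is expected to produce the same two alerts and two http records as the full handshake, since the checks assert that.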
diff --git a/tests/tcp-fastopen-03/tfo.pcap b/tests/tcp-fastopen-03/tfo.pcap
new file mode 100644 (file)
index 0000000..006783f
Binary files /dev/null and b/tests/tcp-fastopen-03/tfo.pcap differ
diff --git a/tests/tcp-fastopen-04/test.rules b/tests/tcp-fastopen-04/test.rules
new file mode 100644 (file)
index 0000000..28347d0
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (content:"Hello!"; sid:1;)
diff --git a/tests/tcp-fastopen-04/test.yaml b/tests/tcp-fastopen-04/test.yaml
new file mode 100644 (file)
index 0000000..eccfc0c
--- /dev/null
@@ -0,0 +1,19 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+    - -k none
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
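Review bot: The `args:` entry is indented four spaces here, while every other list in these test files, including `args:` in tcp-fastopen-05, uses two. It parses, but it should be `  - -k none` for consistency. The file also gives no reason for disabling checksum validation or for expecting two alerts on sid 1. A comment such as `# -k none: capture has invalid checksums (confirm)` and one on the `count: 2` filter naming the two packets or flows that carry "Hello!" would make a future failure diagnosable. Unlike -01 to -03, this directory and -05 have no README pointing to the origin of the capture.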
diff --git a/tests/tcp-fastopen-04/tfo.pcap b/tests/tcp-fastopen-04/tfo.pcap
new file mode 100644 (file)
index 0000000..7d9c9b4
Binary files /dev/null and b/tests/tcp-fastopen-04/tfo.pcap differ
diff --git a/tests/tcp-fastopen-05/test.rules b/tests/tcp-fastopen-05/test.rules
new file mode 100644 (file)
index 0000000..28347d0
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (content:"Hello!"; sid:1;)
diff --git a/tests/tcp-fastopen-05/test.yaml b/tests/tcp-fastopen-05/test.yaml
new file mode 100644 (file)
index 0000000..a892614
--- /dev/null
@@ -0,0 +1,19 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none --simulate-ips
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
diff --git a/tests/tcp-fastopen-05/tfo.pcap b/tests/tcp-fastopen-05/tfo.pcap
new file mode 100644 (file)
index 0000000..7d9c9b4
Binary files /dev/null and b/tests/tcp-fastopen-05/tfo.pcap differ