tests/tfo: add more tests
authorVictor Julien <victor@inliniac.net>
Thu, 19 Mar 2020 20:28:01 +0000 (21:28 +0100)
committerVictor Julien <victor@inliniac.net>
Sat, 11 Apr 2020 12:37:08 +0000 (14:37 +0200)
tests/tcp-fastopen-06/README.md [new file with mode: 0644]
tests/tcp-fastopen-06/local.rules [new file with mode: 0644]
tests/tcp-fastopen-06/test.yaml [new file with mode: 0644]
tests/tcp-fastopen-06/tfo-s1.pcap [new file with mode: 0644]
tests/tcp-fastopen-07/tcp_fastopen_segmentation.pcap [new file with mode: 0644]
tests/tcp-fastopen-07/test.rules [new file with mode: 0644]
tests/tcp-fastopen-07/test.yaml [new file with mode: 0644]
tests/tcp-fastopen-08/tcp_fastopen_segmentation-s1.pcap [new file with mode: 0644]
tests/tcp-fastopen-08/test.rules [new file with mode: 0644]
tests/tcp-fastopen-08/test.yaml [new file with mode: 0644]

diff --git a/tests/tcp-fastopen-06/README.md b/tests/tcp-fastopen-06/README.md
new file mode 100644 (file)
index 0000000..6f5f40b
--- /dev/null
@@ -0,0 +1 @@
+Pcap from https://redmine.openinfosecfoundation.org/issues/3522
diff --git a/tests/tcp-fastopen-06/local.rules b/tests/tcp-fastopen-06/local.rules
new file mode 100644 (file)
index 0000000..d613b7f
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"WEB-ATTACKS /etc/passwd command attempt"; content:"/etc/passwd"; classtype:web-application-attack; sid:1328; rev:6;)
diff --git a/tests/tcp-fastopen-06/test.yaml b/tests/tcp-fastopen-06/test.yaml
new file mode 100644 (file)
index 0000000..72e08c3
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1328
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.length: 1158
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        tcp.state: closed
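Review bot: This test is the only one of the three without `args: - -k none`, so it runs with checksum validation at Suricata's default while tcp-fastopen-07 and -08 disable it; if the pcap taken from the issue tracker carries offloaded or otherwise bad checksums, the SYN-with-data segment could be dropped before reassembly and the `tcp.state: closed` and `http.length: 1158` checks would fail for a reason unrelated to TFO. If the omission is deliberate (the capture has valid checksums), a one-line comment above `checks:` such as `# checksums in tfo-s1.pcap are valid; no -k none needed` would save the next reader from re-checking. The README only links the issue, so the comment is also the only place that states what the capture exercises.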
diff --git a/tests/tcp-fastopen-06/tfo-s1.pcap b/tests/tcp-fastopen-06/tfo-s1.pcap
new file mode 100644 (file)
index 0000000..ce1cee8
Binary files /dev/null and b/tests/tcp-fastopen-06/tfo-s1.pcap differ
diff --git a/tests/tcp-fastopen-07/tcp_fastopen_segmentation.pcap b/tests/tcp-fastopen-07/tcp_fastopen_segmentation.pcap
new file mode 100644 (file)
index 0000000..8e2a189
Binary files /dev/null and b/tests/tcp-fastopen-07/tcp_fastopen_segmentation.pcap differ
diff --git a/tests/tcp-fastopen-07/test.rules b/tests/tcp-fastopen-07/test.rules
new file mode 100644 (file)
index 0000000..0761378
--- /dev/null
@@ -0,0 +1,16 @@
+alert tcp any any -> any any (msg:"tfo test1"; content:"d2"; sid:1;)
+alert tcp any any -> any any (msg:"tfo test2"; content:"d3"; sid:2;)
+alert tcp-pkt any any -> any any (msg:"tfo test3"; content:"d2"; sid:3;)
+alert tcp-pkt any any -> any any (msg:"tfo test4"; content:"d3"; sid:4;)
+alert tcp-stream any any -> any any (msg:"tfo test5"; content:"d2"; sid:5;)
+alert tcp-stream any any -> any any (msg:"tfo test6"; content:"d3"; sid:6;)
+alert tcp-stream any any -> any any (msg:"tfo test7"; content:"d2d3"; sid:7;)
+alert tcp any any -> any any (msg:"tfo test8"; content:"d2d3"; sid:8;)
+alert tcp any any -> any any (msg:"tfo test9"; http.uri; content:"d2d3"; sid:9;)
+alert tcp any any -> any any (msg:"tfo test10";  content:"GET"; sid:10;)
+alert tcp any any -> any any (msg:"tfo test11"; flags:S; content:"GET"; sid:11;)
+alert tcp any any -> any any (msg:"tfo test12"; http.method; content:"GET"; sid:12;)
+alert http any any -> any any (msg:"tfo test13"; http.method; content:"GET"; sid:13;)
+alert tcp any any -> any any (msg:"tfo test14"; http.user_agent; content:"czx"; sid:14;)
+alert tcp any any -> any any (msg:"tfo test15"; http.connection; content:"Keep-Alive"; sid:15;)
+alert tcp any any -> any any (msg:"tfo test16"; http.host; content:"10.0.0.61"; sid:16;)
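Review bot: The sixteen rules are grouped by what they probe (sids 1–2 plain `tcp`, 3–4 `tcp-pkt`, 5–7 `tcp-stream`, 8–9 reassembled content split across segments, 10–13 `GET` via raw, SYN-only and `http.method` matching, 14–16 other HTTP buffers) but nothing in the file says so, and the distinction between a `tcp-pkt` and a `tcp-stream` hit is exactly what a TFO regression would change. A short header comment naming each group, e.g. `# sids 1-2: tcp (pkt+stream), 3-4: tcp-pkt only, 5-7: tcp-stream only, 8-9: content spanning segments`, `# sids 10-13: GET in raw payload / SYN payload (flags:S) / http.method, 14-16: other http buffers`, would make the expected counts in test.yaml readable on their own. The same file is added byte-identically for tcp-fastopen-08 (same blob 0761378), so the comment belongs in both copies. Sid 10 also has a stray double space after `msg:"tfo test10";`.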
diff --git a/tests/tcp-fastopen-07/test.yaml b/tests/tcp-fastopen-07/test.yaml
new file mode 100644 (file)
index 0000000..c60dacc
--- /dev/null
@@ -0,0 +1,114 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 10
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 11
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 12
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 13
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 14
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 15
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 16
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        proto: TCP
+        dest_port: 80
+        tx_id: 0
+        http.hostname: "10.0.0.61"
+        http.url: "//a1a2a3a4a5a6a7a8a9a0b1b2b3b4b5b6b7b8b9b0c1c2c3c4c5c6c7c8c9c0d1d2d3d4d5d6d7d8d9d0"
+        http.http_user_agent: "czxt2s"
+        http.http_content_type: "text/html"
+        http.http_method: "GET"
+        http.protocol: "HTTP/1.1"
+        http.status: 404
+        http.length: 153
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        tcp.state: closed
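Review bot: The expected counts for sids 10–13 are 2 while sids 1–9 and 14–16 expect 1 and only one `http` event is asserted, and the file gives no hint why; the `proto: TCP` flow filter expecting 2 suggests the pcap holds two TCP flows of which only one completes the HTTP transaction matched by the `http.url`/`http.status: 404` check, but that is an inference. A comment above `checks:` such as `# pcap holds two TCP flows; the GET rules (sids 10-13) fire once per flow, only one flow carries the full HTTP tx checked below — TODO confirm against the capture` would let a reader verify the counts against the pcap instead of guessing. The `flags:S` rule (sid 11) expecting 2 is the one most worth explaining, since it pins how many SYN segments carry payload.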
diff --git a/tests/tcp-fastopen-08/tcp_fastopen_segmentation-s1.pcap b/tests/tcp-fastopen-08/tcp_fastopen_segmentation-s1.pcap
new file mode 100644 (file)
index 0000000..138e9c2
Binary files /dev/null and b/tests/tcp-fastopen-08/tcp_fastopen_segmentation-s1.pcap differ
diff --git a/tests/tcp-fastopen-08/test.rules b/tests/tcp-fastopen-08/test.rules
new file mode 100644 (file)
index 0000000..0761378
--- /dev/null
@@ -0,0 +1,16 @@
+alert tcp any any -> any any (msg:"tfo test1"; content:"d2"; sid:1;)
+alert tcp any any -> any any (msg:"tfo test2"; content:"d3"; sid:2;)
+alert tcp-pkt any any -> any any (msg:"tfo test3"; content:"d2"; sid:3;)
+alert tcp-pkt any any -> any any (msg:"tfo test4"; content:"d3"; sid:4;)
+alert tcp-stream any any -> any any (msg:"tfo test5"; content:"d2"; sid:5;)
+alert tcp-stream any any -> any any (msg:"tfo test6"; content:"d3"; sid:6;)
+alert tcp-stream any any -> any any (msg:"tfo test7"; content:"d2d3"; sid:7;)
+alert tcp any any -> any any (msg:"tfo test8"; content:"d2d3"; sid:8;)
+alert tcp any any -> any any (msg:"tfo test9"; http.uri; content:"d2d3"; sid:9;)
+alert tcp any any -> any any (msg:"tfo test10";  content:"GET"; sid:10;)
+alert tcp any any -> any any (msg:"tfo test11"; flags:S; content:"GET"; sid:11;)
+alert tcp any any -> any any (msg:"tfo test12"; http.method; content:"GET"; sid:12;)
+alert http any any -> any any (msg:"tfo test13"; http.method; content:"GET"; sid:13;)
+alert tcp any any -> any any (msg:"tfo test14"; http.user_agent; content:"czx"; sid:14;)
+alert tcp any any -> any any (msg:"tfo test15"; http.connection; content:"Keep-Alive"; sid:15;)
+alert tcp any any -> any any (msg:"tfo test16"; http.host; content:"10.0.0.61"; sid:16;)
diff --git a/tests/tcp-fastopen-08/test.yaml b/tests/tcp-fastopen-08/test.yaml
new file mode 100644 (file)
index 0000000..a4e2594
--- /dev/null
@@ -0,0 +1,114 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 11
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 12
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 13
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 14
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 15
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 16
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        proto: TCP
+        dest_port: 80
+        tx_id: 0
+        http.hostname: "10.0.0.61"
+        http.url: "//a1a2a3a4a5a6a7a8a9a0b1b2b3b4b5b6b7b8b9b0c1c2c3c4c5c6c7c8c9c0d1d2d3d4d5d6d7d8d9d0"
+        http.http_user_agent: "czxt2s"
+        http.http_content_type: "text/html"
+        http.http_method: "GET"
+        http.protocol: "HTTP/1.1"
+        http.status: 404
+        http.length: 153
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        tcp.state: closed
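Review bot: Nothing in this file or the commit states how tcp-fastopen-08 differs from tcp-fastopen-07; the rules are identical and the only visible differences are the `-s1` suffix on the pcap name and the counts dropping from 2 to 1 for sids 10–13 and the flow checks, which suggests a single-flow variant of the same capture but does not say what was changed or why a separate test is needed. A one-line comment at the top of the file, e.g. `# single-flow variant of tcp-fastopen-07 (see that test's pcap); exercises the same rules with one TFO connection — TODO state how the -s1 capture was derived`, or a README as tcp-fastopen-06 has, would document the intent. Without it, a future count change in either test cannot be judged against the other.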