The pcap file contains 2 HTTP transactions. The request is missing for the first one.
The second transaction is fully complete. So eve.json must contain one and only one anomaly event.
Also common flow details are verified.
It must be HTTP, to port 80, with the specified number of bytes_toclient and bytes_toserver.
--- /dev/null
+# Description
+
+Test verifies the behavior when direction of TCP flow is changed by the probing parser.
+Probing parser may change the direction of flow processing packet that contains payload.
+This payload must be added to the proper direction stream.
+
+Also common flow details are verified.
+It must be http, to port 80 with specified number of bytes_toclient and bytes_toserver
+
+# PCAP
+
+pcap file contains 2 http transactions. The request is missing for the first one.
+The second transaction is fully complete. So eve.json must contain one and only anomaly event.
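Review bot: the Description does not explain why `stream.midstream=true` is needed, even though the PCAP section says the first request is missing; add a sentence stating that the flow is picked up midstream on the response side, which is what lets the probing parser flip the direction once the later payload packet arrives. The sentence "Probing parser may change the direction of flow processing packet that contains payload." should read "The probing parser may change the direction of the flow while processing a packet that contains payload.", and "one and only anomaly event" should be "one and only one anomaly event".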
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+# disables checksum verification, and uses midstream
+args:
+- -k none --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST"
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: http
+ dest_port: 80
+ flow.bytes_toserver: 608
+ flow.bytes_toclient: 1037
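Review bot: the first check only counts anomaly events whose `anomaly.event` is `UNABLE_TO_MATCH_RESPONSE_TO_REQUEST`, so it does not enforce the README's claim that eve.json contains exactly one anomaly event; a second anomaly of a different kind would pass unnoticed. Add a filter with `count: 1` and `match: event_type: anomaly` alone so the total is pinned. The flow check could likewise include `proto: TCP` and `src_port`/`src_ip` from the pcap, since the test is specifically about direction handling and the byte counters alone do not prove the flow ended up oriented client-to-port-80.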