tests: add bug 5578 traffic test

diff --git a/tests/bug-5578-http-dsize-drop/README.md b/tests/bug-5578-http-dsize-drop/README.md
new file mode 100644 (file)
index 0000000..fbd1e57
--- /dev/null
+++ b/tests/bug-5578-http-dsize-drop/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+This test shows that a rule with packet properties should not lead to a flow drop.
+
+## PCAP
+
+Comes from pre-existing test `bug-4663`.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5578

diff --git a/tests/bug-5578-http-dsize-drop/suricata.yaml b/tests/bug-5578-http-dsize-drop/suricata.yaml
new file mode 100644 (file)
index 0000000..c590ba5
--- /dev/null
+++ b/tests/bug-5578-http-dsize-drop/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - flow

diff --git a/tests/bug-5578-http-dsize-drop/test.rules b/tests/bug-5578-http-dsize-drop/test.rules
new file mode 100644 (file)
index 0000000..b5a9c0f
--- /dev/null
+++ b/tests/bug-5578-http-dsize-drop/test.rules
@@ -0,0 +1 @@
+drop http any any -> any any (dsize:0; sid:1;)

diff --git a/tests/bug-5578-http-dsize-drop/test.yaml b/tests/bug-5578-http-dsize-drop/test.yaml
new file mode 100644 (file)
index 0000000..55c3cda
--- /dev/null
+++ b/tests/bug-5578-http-dsize-drop/test.yaml
@@ -0,0 +1,33 @@
+requires:
+  min-version: 7
+
+pcap: ../bug-4663/input.pcap
+
+args:
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 421
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 421
+      match:
+        event_type: drop
+        drop.reason: rules
+  - filter:
+      count: 421
+      match:
+        event_type: drop
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        flow.action: drop
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.state: closed