tests: add TCP async matching test

diff --git a/tests/tcp-async-01/README.md b/tests/tcp-async-01/README.md
new file mode 100644 (file)
index 0000000..dabca86
--- /dev/null
+++ b/tests/tcp-async-01/README.md
@@ -0,0 +1,7 @@
+# Description
+
+TCP async traffic with only the server to client side of a IMAP session
+
+# Pcap
+
+Pcap from https://github.com/mtimebombm/suricata/blob/master/imap-server.pcap

diff --git a/tests/tcp-async-01/input.pcap b/tests/tcp-async-01/input.pcap
new file mode 100644 (file)
index 0000000..154af08
Binary files /dev/null and b/tests/tcp-async-01/input.pcap differ

diff --git a/tests/tcp-async-01/test.rules b/tests/tcp-async-01/test.rules
new file mode 100644 (file)
index 0000000..6c37036
--- /dev/null
+++ b/tests/tcp-async-01/test.rules
@@ -0,0 +1,2 @@
+# look for a content match crossing packet payload boundaries
+alert tcp any 143 -> any any (content:"C6 OK ID completed|0d 0a|* 21 EXISTS|0d 0a|* 6 RECENT"; flow:to_client; sid:1;)

diff --git a/tests/tcp-async-01/test.yaml b/tests/tcp-async-01/test.yaml
new file mode 100644 (file)
index 0000000..4da0b84
--- /dev/null
+++ b/tests/tcp-async-01/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+args:
+- --set stream.midstream=true
+- --set stream.async-oneside=true
+
+checks:
+
+  # Check that we only have one alert event type in eve.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        src_port: 143
+
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        dest_port: 143