--- /dev/null
+# HTTP dump headers
+
+This test verifies that the flag outputs.eve-log.types.http.dump-all-headers set
+to "both" will make suricata dump all headers per HTTP transaction, for both
+requests and response.
+
+To simplify the test, the check will verify the length of the headers in the json
+object and the header name and value of one request header and one response
+header.
+
+The pcap file is downloaded from
+
+```
+https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=http.cap
+```
--- /dev/null
+#! /bin/sh
+
+. ${TOPDIR}/util/functions.sh
+
+# 9 request headers (2 rows per header + start and end of list).
+n=$(jq '.http.request_headers | length' eve.json)
+assert_eq 9 "$n"
+
+# Simplified test: check 1 request header
+# Arbitrary decision to check "Host": "www.ethereal.com"
+n=$(jq ".http.request_headers[] | select(.name | contains(\"Host\")) | select(.value | contains(\"www.ethereal.com\"))" eve.json)
+test -n "$n"
+
+# 9 request headers (2 rows per header).
+n=$(jq '.http.response_headers | length ' eve.json)
+assert_eq 9 "$n"
+
+# Simplified test: check 1 response header
+# Arbitrary decision to check "Content-Length": "18070"
+n=$(jq ".http.response_headers[] | select(.name | contains(\"Content-Length\")) | select(.value | contains(\"18070\"))" eve.json)
+test -n "$n"
projects / thirdparty / suricata-verify.git / commitdiff
