--- /dev/null
+# Given a HTTP GET pcap with single sided traffic, missing the first syn, syn/ack, and suricata 4.0.4 from PPA
+
+# This rule fires all the time
+alert http any any -> any any (msg: "ALERT http to_server"; flow:to_server; content: "GET /i/94/"; sid:1; rev:1;)
+
+# This one only fires with async-oneside set to *false*
+alert http any any -> any any (msg: "ALERT http established and to_server"; flow:to_server,established; content: "GET /i/94/"; sid: 2; rev:1;)
\ No newline at end of file
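Review bot: The comment on line 7 ("only fires with async-oneside set to *false*") contradicts the accompanying test, which runs with `--set stream.async-oneside=true` and expects sid 2 to alert exactly once; if the test expectation is the intended behavior, the comment describes the old (pre-fix) behavior and will mislead anyone reading the rules file. I would reword it to state the expectation the test actually enforces, e.g. `# Regression check: with async-oneside=true this must still fire once on the one-sided flow (flow:established)`, keeping the 4.0.4 reference as the version where the problem was observed rather than as the current expectation. The first comment's claim that sid 1 "fires all the time" is consistent with the test (count 1 for sid 1), so that line can stay. Both rules share the same content match, so any difference in alert counts isolates the `established` keyword, which is the point worth spelling out.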
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+args:
+- --set stream.async-oneside=true
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+
+
--- /dev/null
+# Given a HTTP GET pcap with single sided traffic, missing the first syn, syn/ack, and suricata 4.0.4 from PPA
+
+# This rule fires all the time
+alert http any any -> any any (msg: "ALERT http to_server"; flow:to_server; content: "GET /i/94/"; sid:1; rev:1;)
+
+# This one only fires with async-oneside set to *false*
+alert http any any -> any any (msg: "ALERT http established and to_server"; flow:to_server,established; content: "GET /i/94/"; sid: 2; rev:1;)
\ No newline at end of file
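Review bot: This rules file is byte-identical to the sibling test's, including the comment that sid 2 "only fires with async-oneside set to *false*", while this test runs with both `stream.async-oneside=true` and `stream.midstream=true` and expects sid 2 once; the comment should state what this variant actually checks, e.g. `# Variant: async-oneside plus midstream enabled; sid 2 (flow:established) is still expected once`. As a minor style point, `sid: 2` on line 41 uses a space after the colon while line 38 uses `sid:1`; I would write both the same way to keep the two rules visually parallel. The reference to "suricata 4.0.4 from PPA" in the header is the environment where the behavior was observed and is not enforced anywhere in the test, so it reads better as a historical note than as a requirement.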
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+args:
+- --set stream.async-oneside=true
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+
+
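Review bot: Nothing in this test file explains why `stream.midstream=true` is added on top of `stream.async-oneside=true`, and the rules file it pairs with only mentions async-oneside, so a reader has to diff against the sibling test to see that midstream is the only variable. A one-line YAML comment above the args would make that explicit, e.g. `# Same one-sided pcap and rules as the async-oneside test; midstream is additionally enabled and sid 2 (flow:established) must still alert once.` The three checks are otherwise consistent with each other (total of 2 alerts, one per sid), so the expectations themselves look fine.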