applayer: add tests for ticket 7044
authorShivani Bhardwaj <shivanib134@gmail.com>
Sat, 22 Jun 2024 07:21:02 +0000 (12:51 +0530)
committerVictor Julien <victor@inliniac.net>
Fri, 12 Jul 2024 08:47:46 +0000 (10:47 +0200)
tests/truncate-applayer-test-01/README.md [new file with mode: 0644]
tests/truncate-applayer-test-01/input.pcap [new file with mode: 0644]
tests/truncate-applayer-test-01/test.rules [new file with mode: 0644]
tests/truncate-applayer-test-01/test.yaml [new file with mode: 0644]
tests/truncate-applayer-test-02/README.md [new file with mode: 0644]
tests/truncate-applayer-test-02/test.rules [new file with mode: 0644]
tests/truncate-applayer-test-02/test.yaml [new file with mode: 0644]

diff --git a/tests/truncate-applayer-test-01/README.md b/tests/truncate-applayer-test-01/README.md
new file mode 100644 (file)
index 0000000..9c66a9d
--- /dev/null
@@ -0,0 +1,18 @@
+# Test Description
+
+This test demonstrates that if the stream reassembly depth is reached on one direction,
+it does not block the other side.
+For the given PCAP, to server direction reaches the depth and stops processing leading
+to no alert having been logged for a valid to server request in the stream which would
+be processed in case there was no depth (sid: 2).
+However, this does not stall the packets in other direction from being the processed,
+the response to the same request is still processed and a corresponding alert is logged
+(sid: 1).
+
+## PCAP
+
+tshark.dev
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7044
diff --git a/tests/truncate-applayer-test-01/input.pcap b/tests/truncate-applayer-test-01/input.pcap
new file mode 100644 (file)
index 0000000..2f7f928
Binary files /dev/null and b/tests/truncate-applayer-test-01/input.pcap differ
diff --git a/tests/truncate-applayer-test-01/test.rules b/tests/truncate-applayer-test-01/test.rules
new file mode 100644 (file)
index 0000000..384b434
--- /dev/null
@@ -0,0 +1,3 @@
+alert dcerpc any any -> any any (msg:"Test Alert 1"; sid:1; flow:established,to_client; dcerpc.stub_data; bsize:2124;)
+alert dcerpc any any -> any any (msg:"Test Alert 2"; sid:2; flow:established,to_server; dcerpc.stub_data; bsize:2148; dcerpc.opnum: 9;)
+
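Review bot: Keyword spacing is inconsistent inside the second rule: `dcerpc.opnum: 9` carries a space after the colon while `bsize:2148` and `sid:2` on the same line do not, and the hunk ends with an empty rule line. Suricata accepts both spellings, so this is style only; `dcerpc.opnum:9;` and dropping the trailing blank line would match the rest of the file. The identical file (same blob 384b434) is added again as tests/truncate-applayer-test-02/test.rules, even though test-02's test.yaml already reuses test-01's pcap by relative path rather than copying it; if the harness permits a rule path in `args` (for example `-S ../truncate-applayer-test-01/test.rules`), sharing the rules the same way would keep the two tests from drifting apart, and if it does not, a line in test-02's README noting that the rules must stay in sync with test-01 would help.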
diff --git a/tests/truncate-applayer-test-01/test.yaml b/tests/truncate-applayer-test-01/test.yaml
new file mode 100644 (file)
index 0000000..eaf82ee
--- /dev/null
@@ -0,0 +1,26 @@
+args:
+  - -k none --set stream.reassembly.depth=8kb
+
+requires:
+  min-version: 7
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      pcap_cnt: 46
+- filter:
+    count: 0    # because of the depth constraints
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+     count: 1
+     match:
+       event_type: dcerpc
+       pcap_cnt: 40
+       dcerpc.request: "REQUEST_LOST"
+       dcerpc.response: "RESPONSE"
+       dcerpc.call_id: 5360
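Review bot: The third filter (the `event_type: dcerpc` check) indents `count`, `match` and the match keys with five spaces under `- filter:` while the two alert filters above use four; YAML accepts the mix, but it reads like a paste artefact, and the same shape recurs in tests/truncate-applayer-test-02/test.yaml. Reindenting that block to four spaces keeps the three checks uniform. The `count: 0` check for sid 2 is a negative assertion that would also pass if the rules never loaded; it is presumably trusted because sid 1 from the same rules file is asserted at `pcap_cnt: 46` and the `REQUEST_LOST` event at `pcap_cnt: 40`, so extending the existing comment to `# because of the depth constraints; sid 1 above proves the rules loaded, REQUEST_LOST below that the depth was hit` would record that reasoning next to the check.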
diff --git a/tests/truncate-applayer-test-02/README.md b/tests/truncate-applayer-test-02/README.md
new file mode 100644 (file)
index 0000000..fb5f2c3
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+This test demonstrates that the pcap is properly parsed and assessed in case
+there was ample stream reassembly depth (default in this case).
+
+## PCAP
+
+tshark.dev
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7044
diff --git a/tests/truncate-applayer-test-02/test.rules b/tests/truncate-applayer-test-02/test.rules
new file mode 100644 (file)
index 0000000..384b434
--- /dev/null
@@ -0,0 +1,3 @@
+alert dcerpc any any -> any any (msg:"Test Alert 1"; sid:1; flow:established,to_client; dcerpc.stub_data; bsize:2124;)
+alert dcerpc any any -> any any (msg:"Test Alert 2"; sid:2; flow:established,to_server; dcerpc.stub_data; bsize:2148; dcerpc.opnum: 9;)
+
diff --git a/tests/truncate-applayer-test-02/test.yaml b/tests/truncate-applayer-test-02/test.yaml
new file mode 100644 (file)
index 0000000..bec464e
--- /dev/null
@@ -0,0 +1,24 @@
+pcap: ../truncate-applayer-test-01/input.pcap
+
+args:
+  - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+     count: 1
+     match:
+       event_type: dcerpc
+       pcap_cnt: 40
+       dcerpc.request: "REQUEST"
+       dcerpc.response: "RESPONSE"
+       dcerpc.call_id: 5360
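Review bot: This test has no `requires:` block, whereas tests/truncate-applayer-test-01/test.yaml pins `min-version: 7` while running the same pcap and the same rules (`dcerpc.stub_data`, `dcerpc.opnum`, the `dcerpc` event fields). If that minimum reflects the rule keywords or the logged fields rather than the 8kb depth setting, the same `requires:` block is needed here too; if it is deliberately absent so older releases are also exercised, a one-line comment saying so would stop the next reader from adding it. It may also be worth asserting `pcap_cnt: 46` on the sid 1 alert as test-01 does, so both tests pin the alert to the same packet rather than only counting it.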