tests: Add test for transform/content interaction

This commit adds a test case for issue 3661.

diff --git a/tests/detect-content-strip-whitespace-01/test.rules b/tests/detect-content-strip-whitespace-01/test.rules
new file mode 100644 (file)
index 0000000..c41dd06
--- /dev/null
+++ b/tests/detect-content-strip-whitespace-01/test.rules
@@ -0,0 +1,6 @@
+alert tcp any any -> any any (file.data; strip_whitespace; content:"has extra white   space"; sid:1;)
+alert tcp any any -> any any (file.data; strip_whitespace; content:"no-extra-whitespace"; sid:2;)
+alert tcp any any -> any any (file.data; strip_whitespace; content:"has-extra-whitespace-at-end "; sid:3;)
+alert tcp any any -> any any (file.data; strip_whitespace; content:" extra-whitespace-at-beginning"; sid:4;)
+alert tcp any any -> any any (file.data; strip_whitespace; content:"|53 75 72 69 63 61 74 61 0d|"; sid:5;)
+alert tcp any any -> any any (file.data; strip_whitespace; content:"|00 53 75 72 69 63 61 74 61|"; sid:6;)

diff --git a/tests/detect-content-strip-whitespace-01/test.yaml b/tests/detect-content-strip-whitespace-01/test.yaml
new file mode 100644 (file)
index 0000000..acd4e34
--- /dev/null
+++ b/tests/detect-content-strip-whitespace-01/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  min-version: 6
+
+  # No pcap required.
+  pcap: false
+
+exit-code: 1
+
+args:
+  - --engine-analysis
+
+checks:
+    - shell:
+        args: grep "incompatible with strip_whitespace" suricata.log | wc -l | xargs
+        expect: 4