Issue: 7390
Ensure that both rules trigger alerts; the rules are equivalent with one
using a distance variable and the other a hard-coded value.
--- /dev/null
+# Test Description
+This test demonstrates that that both rules trigger. Without the fix for 7390, the rule a
+variable for distance would not trigger.
+
+## PCAP
+Using pcap from the redmine issue
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/7390
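Review bot: The first sentence of the Test Description has a doubled word ("that that both rules") and a missing word ("the rule a variable for distance"), which makes the expected pre-fix behaviour hard to read. Suggest "This test demonstrates that both rules trigger. Without the fix for 7390, the rule using a variable for distance would not trigger." The PCAP section could also name the capture file, so the test remains understandable without opening the Redmine issue.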
--- /dev/null
+# This test uses a variable for distance
+alert tcp any any -> any 8080 (msg:"TEST #1: distance using variable"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;)
+# This test uses a variable for distance
+alert tcp any any -> any 8080 (msg:"TEST #2: distance using scalar value"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;)
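Review bot: The comment above sid:2 is a copy of the one above sid:1 ("This test uses a variable for distance"), but the msg and the negated content in sid:2 use the scalar distance:7. Suggest changing it to something like "# This test uses a scalar value for distance". Note also that sid:2 still uses distance:option_len on the final content:"|49|" match, so only the negated match differs between the two rules. If that is intentional, the comment should say so, and it would help to state that distance:7 is the value byte_extract yields for this pcap, since the equivalence of the two rules depends on it.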
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
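Review bot: The requires block pins min-version: 8 with no comment explaining why, while the README only says the fix for 7390 is needed. If the fix is backported to an earlier branch, this test will be skipped there and the regression will go unchecked. Suggest a short comment tying the version to the fix, and lowering it if a backport lands. A one-line comment on "-k none" (checksum validation disabled for this pcap) would also help the next reader.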