git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
tests: showcase endswith, distance + within usage
author: Juliana Fajardini <jufajardini@gmail.com>
Tue, 24 Sep 2024 21:33:54 +0000 (18:33 -0300)
committer: Victor Julien <victor@inliniac.net>
Wed, 16 Oct 2024 09:22:58 +0000 (11:22 +0200)
Suricata docs state that `endswith` cannot be mixed with `offset`,
`within` or `distance` for the same pattern, but apparently, at least
from Suricata 7 on, this seems possible.

Tests created based on material and scenarios provided by Brandon
Murphy in the Redmine ticket.

Related to
Task #5030

tests/bug-docs-5030-01/35_bytes.pcap [new file with mode: 0644]
tests/bug-docs-5030-01/README.md [new file with mode: 0644]
tests/bug-docs-5030-01/test.rules [new file with mode: 0644]
tests/bug-docs-5030-01/test.yaml [new file with mode: 0644]
tests/bug-docs-5030-02/39_bytes.pcap [new file with mode: 0644]
tests/bug-docs-5030-02/README.md [new file with mode: 0644]
tests/bug-docs-5030-02/test.rules [new file with mode: 0644]
tests/bug-docs-5030-02/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-docs-5030-01/35_bytes.pcap b/tests/bug-docs-5030-01/35_bytes.pcap
new file mode 100644 (file)
index 0000000..da63604
Binary files /dev/null and b/tests/bug-docs-5030-01/35_bytes.pcap differ
diff --git a/tests/bug-docs-5030-01/README.md b/tests/bug-docs-5030-01/README.md
new file mode 100644 (file)
index 0000000..984bb58
--- /dev/null
@@ -0,0 +1,18 @@
+# Test
+
+Showcase the usage of `distance`, `within` and `endswith`, as proposed
+in https://redmine.openinfosecfoundation.org/issues/5030.
+
+## Behavior
+
+There should be an alert. "The distance and within effectively limit how much
+of a payload can be present while ensuring the packet still "endswith" the
+desired content." This happens for this pcap.
+
+## Pcap
+
+35_bytes.pcap Shared by Brandon Murphy in the aforementioned ticket.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5030
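Review bot: the Behavior section states that an alert is expected but never says why this pcap satisfies the rule, whereas the sibling README for bug-docs-5030-02 spells out the 38-byte (9+29) limit; add the same arithmetic here so the pair reads as one explanation, e.g. "The 35-byte payload fits within the 38-byte (9+29) window set by `distance` and `within`, so `endswith` can still match at the end of the packet." Two smaller points in the same hunk: the quoted sentence nests double quotes around "endswith" inside a double-quoted sentence (use single quotes or backticks for the inner term), and "35_bytes.pcap Shared by" should be lowercase "shared" to match the wording in the other README.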
diff --git a/tests/bug-docs-5030-01/test.rules b/tests/bug-docs-5030-01/test.rules
new file mode 100644 (file)
index 0000000..57e1b61
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"Test"; content:"yYYYYYYYYYYYYYYYY"; distance:9; within:29; endswith; sid:1;)
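Review bot: `distance:9` and `within:29` are attached to the rule's only `content`, so there is no previous match for them to be relative to; since the whole test hinges on where the 9+29 window is counted from (35 bytes alerts, 39 bytes does not), the README should state explicitly that in this rule the window is measured from the start of the payload. Note also that this file is byte-identical to tests/bug-docs-5030-02/test.rules (both index `57e1b61`), which is fine for a positive/negative pair but worth a sentence in the READMEs so a reader knows only the pcap differs.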
diff --git a/tests/bug-docs-5030-01/test.yaml b/tests/bug-docs-5030-01/test.yaml
new file mode 100644 (file)
index 0000000..b5452be
--- /dev/null
@@ -0,0 +1,9 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/bug-docs-5030-02/39_bytes.pcap b/tests/bug-docs-5030-02/39_bytes.pcap
new file mode 100644 (file)
index 0000000..7965327
Binary files /dev/null and b/tests/bug-docs-5030-02/39_bytes.pcap differ
diff --git a/tests/bug-docs-5030-02/README.md b/tests/bug-docs-5030-02/README.md
new file mode 100644 (file)
index 0000000..c63bed0
--- /dev/null
@@ -0,0 +1,19 @@
+# Test
+
+Showcase the usage of `distance`, `within` and `endswith`, as proposed
+in https://redmine.openinfosecfoundation.org/issues/5030.
+
+## Behavior
+
+There should be no alert. "The distance and within effectively limit how much
+of a payload can be present while ensuring the packet still "endswith" the
+desired content." As the content is greater than the 38 bytes limit (9+29) set
+by the rule, the signature isn't fired..
+
+## Pcap
+
+39_bytes.pcap shared by Brandon Murphy in the aforementioned ticket.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5030
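Review bot: "As the content is greater than the 38 bytes limit" compares the wrong thing: the `content` pattern is 17 bytes in both tests; what exceeds the 38-byte (9+29) window is the 39-byte payload named in the pcap, so `endswith` can no longer satisfy `within`. Suggest: "As the payload (39 bytes) is longer than the 38-byte limit (9+29) set by the rule, the signature doesn't fire." Also drop the doubled period at the end of that sentence and, as in the other README, avoid nesting double quotes around "endswith" inside a double-quoted sentence.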
diff --git a/tests/bug-docs-5030-02/test.rules b/tests/bug-docs-5030-02/test.rules
new file mode 100644 (file)
index 0000000..57e1b61
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"Test"; content:"yYYYYYYYYYYYYYYYY"; distance:9; within:29; endswith; sid:1;)
diff --git a/tests/bug-docs-5030-02/test.yaml b/tests/bug-docs-5030-02/test.yaml
new file mode 100644 (file)
index 0000000..7e74da8
--- /dev/null
@@ -0,0 +1,9 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+        event_type: alert
+        alert.signature_id: 1
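Review bot: a `count: 0` filter on `alert.signature_id: 1` passes trivially if the rule fails to load or the pcap is never processed, which would silently mask a regression in exactly the `endswith` + `distance` + `within` combination this test is documenting. Pair it with a positive check that proves the run happened (for example a `filter` with `count: 1` on an event type this pcap is known to produce), so that the absence of sid 1 is meaningful rather than a side effect of nothing running.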