detect/bytejump: Handle post_offset changes 1403/head
authorJeff Lucovsky <jlucovsky@oisf.net>
Fri, 8 Sep 2023 14:25:15 +0000 (10:25 -0400)
committerVictor Julien <victor@inliniac.net>
Fri, 29 Sep 2023 14:26:00 +0000 (16:26 +0200)
Issue: 4624

Update test case and add one to reflect post_offset handling
differences. post_offset values that move before the buffer are treated
as though they move to the buffer start.

tests/detect-bytejump-05/README.md [new file with mode: 0644]
tests/detect-bytejump-05/input.pcap [new file with mode: 0644]
tests/detect-bytejump-05/test.rules [new file with mode: 0644]
tests/detect-bytejump-05/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-bytejump-05/README.md b/tests/detect-bytejump-05/README.md
new file mode 100644 (file)
index 0000000..76f3c80
--- /dev/null
@@ -0,0 +1 @@
+Tests using rules and pcap file from https://redmine.openinfosecfoundation.org/issues/4624
diff --git a/tests/detect-bytejump-05/input.pcap b/tests/detect-bytejump-05/input.pcap
new file mode 100644 (file)
index 0000000..c4b2577
Binary files /dev/null and b/tests/detect-bytejump-05/input.pcap differ
diff --git a/tests/detect-bytejump-05/test.rules b/tests/detect-bytejump-05/test.rules
new file mode 100644 (file)
index 0000000..e84a0de
--- /dev/null
@@ -0,0 +1,3 @@
+drop tcp any any -> any any ( msg:"neg post_offset: buffer start"; rev:1; content:"|0A 95 00 20|"; byte_jump:0,0,relative,post_offset -8; pcre:"/\x4e\x53\x4c\x4f/R"; sid:1; )
+drop tcp any any -> any any ( msg:"neg post_offset: before buffer start #1"; rev:1; content:"|0A 95 00 20|"; byte_jump:0,0,relative,post_offset -10; pcre:"/\x4e\x53\x4c\x4f/R"; sid:2; )
+drop tcp any any -> any any ( msg:"neg post_offset: before buffer start #2"; rev:1; content:"|0A 95 00 20|"; byte_jump:0,0,relative,post_offset -10; sid:3; )
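Review bot: The three rules document their intent only through `msg`, and the "#1"/"#2" suffixes on sid 2 and sid 3 do not say what differs between them, which from the lines themselves is that sid 3 drops the trailing relative `pcre`. A reader of test.rules cannot tell without the pcap what the rule is asserting, so a `#` header comment per rule would help, e.g. `# sid 1: post_offset -8 lands exactly on the buffer start; relative pcre must match from there` and `# sid 2/3: post_offset -10 lands before the buffer start and is clamped to offset 0; sid 3 checks that the clamped jump alone does not fail the rule`. The exact landing offsets depend on where the content match sits in the payload, which the pcap in this commit is binary and cannot be read here, so the numbers in the comment should be confirmed against the packet before landing them.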
diff --git a/tests/detect-bytejump-05/test.yaml b/tests/detect-bytejump-05/test.yaml
new file mode 100644 (file)
index 0000000..4678506
--- /dev/null
@@ -0,0 +1,23 @@
+requires:
+    gt-version: 7.0.0
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
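Review bot: The `checks` list is formatted inconsistently: a blank line separates the sid 1 and sid 2 filters but none separates sid 2 from sid 3, and the `args` list item is indented one space while `checks` items use two. Both parse as the same YAML, but aligning them (blank line before each `- filter:`, two-space indent under `args:`) keeps the file readable next to the other tests in the tree. Separately, `gt-version: 7.0.0` reads as strictly greater than 7.0.0, which excludes 7.0.0 itself; if the intent is to run on 7.0.0 and later, `min-version: 7.0.0` would express that, and it is worth confirming in run.py which of the two keys the runner actually honours so the requirement is not silently ignored.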