--- /dev/null
+alert http any any -> any any (http.user_agent; pcre:"/^(?P<alert_ua>[a-zA-Z]+)/"; priority:1; sid:1;)
+alert http any any -> any any (http.user_agent; pcre:"/^([a-zA-Z]+).*Ubuntu\/(\d+\.\d).*Firefox\/(.*)/ ,alert:user_agent, flow:ubuntu, pkt:firefox"; sid:2;)
+# Shouldn't match
+alert http any any -> any any (msg:"pcre flowvar http header, user-agent, no match"; content:"User-Agent: "; http_header; pcre:"/(?P<alert_ua>.*)\r\n/HR"; content:"xyz"; http_header; priority:1; sid:3;)
+alert http any any -> any any (msg:"pcre flowvar http header, server, no match"; content:"Server: "; http_header; pcre:"/(?P<alert_ua>.*)\r\n/HR"; content:"xyz"; http_header; priority:3; sid:4;)
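Review bot: sid:1 and sid:2 carry no `msg:` while sid:3 and sid:4 do, so the EVE records the test asserts on (alert.signature_id 1 and 2) will have an empty `alert.signature`, which makes the alerts hard to tell apart when reading the output; suggest `msg:"pcre named capture, user-agent to alert";` on sid:1 and `msg:"pcre positional capture, user-agent/ubuntu/firefox";` on sid:2. The rules file would also benefit from a one-line comment above sid:2 saying that the ` ,alert:user_agent, flow:ubuntu, pkt:firefox` suffix is the positional-capture form, since that form is presumably why the test sets `min-version: 8`. In sid:2, `(\d+\.\d)` captures only one digit after the dot, so a `Ubuntu/8.10` string would yield `8.1`; if that truncation is deliberate (the test expects `"8.1"`), a short comment stating so would stop a future maintainer "fixing" it to `\d+\.\d+` and breaking the expectation.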
--- /dev/null
+pcap: ../detect-pcre-05/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.ua: Mozilla
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.extra.user_agent: Mozilla
+ metadata.flowvars[0].ubuntu: "8.1"
+ metadata.pktvars[0].firefox: "3.0.13"
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
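Review bot: As shown here, `count:` and `match:` sit one space under each `- filter:` and `event_type:` one space under `match:`, which YAML would not parse as nested children of `filter` and `match`; if the committed file uses the usual deeper nesting this is only a rendering artifact of the diff, otherwise the checks need re-indenting before they will be evaluated. The expectations `metadata.flowvars[0].ubuntu` and `metadata.pktvars[0].firefox` rely on a fixed index 0, which holds while sid:2 is the only rule setting vars; a comment noting that assumption would help anyone adding rules to this test. A brief comment on why `--set stream.midstream=true` is needed for this pcap (inferred from the args block, not stated) would also make the test self-explanatory.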