detect: transaction cleaned before detection when stream.midstream=true

Ticket: #7552

diff --git a/tests/bug-7552/bug-7552-01/README.md b/tests/bug-7552/bug-7552-01/README.md
new file mode 100644 (file)
index 0000000..5903ce2
--- /dev/null
+++ b/tests/bug-7552/bug-7552-01/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Created when a bug was found - Transaction gets cleaned by
+AppLayerParserTransactionsCleanup before detection is run in the to_client
+direction when stream.midstream=true and first packet is to client direction.
+
+https://redmine.openinfosecfoundation.org/issues/7552
+
+# PCAP
+
+PCAP created by selecting packets from ../http-gap-simple/input.pcap
\ No newline at end of file

diff --git a/tests/bug-7552/bug-7552-01/input.pcap b/tests/bug-7552/bug-7552-01/input.pcap
new file mode 100644 (file)
index 0000000..9d632db
Binary files /dev/null and b/tests/bug-7552/bug-7552-01/input.pcap differ

diff --git a/tests/bug-7552/bug-7552-01/test.rules b/tests/bug-7552/bug-7552-01/test.rules
new file mode 100644 (file)
index 0000000..9e1ece7
--- /dev/null
+++ b/tests/bug-7552/bug-7552-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP Stat Code Response"; http.stat_code; content:"200"; sid:1;)
\ No newline at end of file

diff --git a/tests/bug-7552/bug-7552-01/test.yaml b/tests/bug-7552/bug-7552-01/test.yaml
new file mode 100644 (file)
index 0000000..3ef7235
--- /dev/null
+++ b/tests/bug-7552/bug-7552-01/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1

diff --git a/tests/bug-7552/bug-7552-02/README.md b/tests/bug-7552/bug-7552-02/README.md
new file mode 100644 (file)
index 0000000..e1f1063
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Created when a bug was found - Transaction gets cleaned by
+AppLayerParserTransactionsCleanup before detection is run in the to_client
+direction when stream.midstream=true and first packet is to client direction.
+
+https://redmine.openinfosecfoundation.org/issues/7552
+
+# PCAP
+
+PCAP from ../../ldap-unsolicited/ldap.pcap
\ No newline at end of file

diff --git a/tests/bug-7552/bug-7552-02/test.rules b/tests/bug-7552/bug-7552-02/test.rules
new file mode 100644 (file)
index 0000000..c257317
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/test.rules
@@ -0,0 +1,2 @@
+# we want alert tcp instead od alert ldap to test one more edge case
+alert tcp any any -> any any (msg:"Test LDAP response operation"; ldap.responses.operation:extended_response; sid:1;)
\ No newline at end of file

diff --git a/tests/bug-7552/bug-7552-02/test.yaml b/tests/bug-7552/bug-7552-02/test.yaml
new file mode 100644 (file)
index 0000000..d949d49
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none --set stream.midstream=true
+
+pcap: ../../ldap-unsolicited/ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1