bug-4877: add test for stream-tcp-reassembly issue
authorAngelo Mirabella <amirabella@lastline.com>
Thu, 20 Jan 2022 14:49:54 +0000 (14:49 +0000)
committerVictor Julien <victor@inliniac.net>
Thu, 27 Jan 2022 14:34:25 +0000 (15:34 +0100)
12 files changed:
tests/bug-4877/input.pcap [new file with mode: 0644]
tests/bug-4877/suricata.yaml [new file with mode: 0644]
tests/bug-4877/test.rules [new file with mode: 0644]
tests/bug-4877/test.yaml [new file with mode: 0644]
tests/decode-teredo-01/test.yaml
tests/dnp3-del-measure/test.yaml
tests/dnp3-en-spon/test.yaml
tests/dnp3-file-del/test.yaml
tests/dnp3-file-read/test.yaml
tests/dnp3-file-write/test.yaml
tests/dnp3-select-operate/test.yaml
tests/dnp3-write/test.yaml

diff --git a/tests/bug-4877/input.pcap b/tests/bug-4877/input.pcap
new file mode 100644 (file)
index 0000000..6e99038
Binary files /dev/null and b/tests/bug-4877/input.pcap differ
diff --git a/tests/bug-4877/suricata.yaml b/tests/bug-4877/suricata.yaml
new file mode 100644 (file)
index 0000000..f6812cd
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
+      stream-depth: 0
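Review bot: `force-filestore: yes` and `stream-depth: 0` are the two settings that make this config exercise the reassembly path under test, yet neither carries a comment, so a later cleanup could drop them as redundant with the `filestore` keyword in test.rules. A comment on each would pin the intent: `# store every file, so extraction does not depend on a rule match` above `force-filestore`, and `# 0 presumably lifts the file-store depth limit so the whole reassembled stream is extracted — confirm against stream.reassembly.depth` above `stream-depth`. The `yes` booleans match Suricata's own `%YAML 1.1` configs and need no change here.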
diff --git a/tests/bug-4877/test.rules b/tests/bug-4877/test.rules
new file mode 100644 (file)
index 0000000..c1c7b65
--- /dev/null
@@ -0,0 +1,2 @@
+alert ftp-data any any -> any any (msg:"FILE FTP signature: windows executable"; flow:established; content: "MZ"; within:2; filestore; noalert; sid:1; rev:1;)
+alert ftp-data any any -> any any (msg:"FILE FTP signature: pdf document"; flow:established; content: "%PDF-"; within:1024; filestore; noalert; sid:2; rev:1;)
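Review bot: `within:2` on line 1 and `within:1024` on line 2 modify the first and only `content` of each rule, so there is no preceding match for them to be relative to; if the intent is to anchor `MZ` at the start of the ftp-data payload and `%PDF-` within its first kilobyte, `depth:2` and `depth:1024` state that directly and do not depend on how the engine treats a relative keyword without an anchor. With `force-filestore: yes` in the accompanying suricata.yaml every file is stored regardless of these rules, so a one-line comment saying whether they are load-bearing for the test or only illustrative would help the next reader.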
diff --git a/tests/bug-4877/test.yaml b/tests/bug-4877/test.yaml
new file mode 100644 (file)
index 0000000..56f4c86
--- /dev/null
@@ -0,0 +1,76 @@
+requires:
+  features:
+    - HAVE_NSS
+
+args:
+- -k none --runmode=single
+
+checks:
+- filter:
+    count: 1
+    match:
+      app_proto: ftp-data
+      dest_ip: 192.168.100.16
+      dest_port: 42987
+      event_type: fileinfo
+      fileinfo.filename: test.pdf
+      fileinfo.gaps: false
+      fileinfo.sha256: 7d400735ff3054837da5d92a10ad2faa8b6825f100dc167a6b008e753015b382
+      fileinfo.size: 118196
+      fileinfo.state: CLOSED
+      fileinfo.stored: true
+      fileinfo.tx_id: 0
+      proto: TCP
+      src_ip: 192.168.100.230
+      src_port: 20
+- filter:
+    count: 1
+    match:
+      app_proto: ftp-data
+      dest_ip: 192.168.100.230
+      dest_port: 20
+      event_type: fileinfo
+      fileinfo.filename: test.pdf
+      fileinfo.gaps: false
+      fileinfo.sha256: 7d400735ff3054837da5d92a10ad2faa8b6825f100dc167a6b008e753015b382
+      fileinfo.size: 118196
+      fileinfo.state: CLOSED
+      fileinfo.stored: true
+      fileinfo.tx_id: 0
+      proto: TCP
+      src_ip: 192.168.100.16
+      src_port: 52407
+- filter:
+    count: 1
+    match:
+      app_proto: ftp-data
+      dest_ip: 192.168.100.230
+      dest_port: 20
+      event_type: fileinfo
+      fileinfo.filename: notepad.exe
+      fileinfo.gaps: false
+      fileinfo.sha256: fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093
+      fileinfo.size: 69120
+      fileinfo.state: CLOSED
+      fileinfo.stored: true
+      fileinfo.tx_id: 0
+      proto: TCP
+      src_ip: 192.168.100.16
+      src_port: 48902
+- filter:
+    count: 1
+    match:
+      app_proto: ftp-data
+      dest_ip: 192.168.100.16
+      dest_port: 57829
+      event_type: fileinfo
+      fileinfo.filename: notepad.exe
+      fileinfo.gaps: false
+      fileinfo.sha256: fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093
+      fileinfo.size: 69120
+      fileinfo.state: CLOSED
+      fileinfo.stored: true
+      fileinfo.tx_id: 0
+      proto: TCP
+      src_ip: 192.168.100.230
+      src_port: 20
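Review bot: Each of the four filters pins one fileinfo event with `count: 1`, but nothing bounds the total number of fileinfo events, so an additional partial record for the same file (say one with `fileinfo.gaps: true` or a smaller `fileinfo.size`) would not fail the test; a fifth filter counting all `event_type: fileinfo` records closes that gap. Sequence indentation is also mixed: the `features` list under `requires` is indented while the `args` and `checks` lists are flush with their keys, and yamllint's indent-sequences check wants one style per file. A header comment would also help, e.g. `# bug-4877: test.pdf and notepad.exe each cross ftp-data in both directions; every fileinfo must be complete (gaps false, state CLOSED, stored true)`.
```yaml
checks:
# … unchanged: the four per-file filters …
- filter:
    count: 4
    match:
      event_type: fileinfo
```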
index 1f506bcd6240c75d5a8d9c86aa11830237409c04..499114a995a8bbb1f17ef837c4e3045c07dfb120 100644 (file)
@@ -298,7 +298,7 @@ checks:
       http.protocol: HTTP/1.1
       http.status: 200
       http.url: /
-      pcap_cnt: 75
+      pcap_cnt: 74
       proto: TCP
       src_ip: 192.168.2.16
       src_port: 1580
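Review bot: Nothing in the commit records why `pcap_cnt` moves from 75 to 74 here, nor why it moves by two packets in the seven dnp3 tests (dnp3-del-measure, dnp3-en-spon, dnp3-file-del, dnp3-file-read, dnp3-file-write, dnp3-select-operate, dnp3-write); presumably the reassembly change hands data to the app layer on an earlier packet, but a reader of these expectations cannot tell whether the shift is intended or a regression the tests now lock in. A sentence in the commit description, or a comment above each changed line such as `# pcap_cnt shifted by the bug-4877 reassembly change (was 75)`, would make the new values verifiable. The enclosing checks list continues outside the hunk.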
index 6bf445787065e6a9910bd39c7a332e09fc071af8..d4b300f3275232d76ae869b4cea730b08a97a77a 100644 (file)
@@ -64,7 +64,7 @@ checks:
       dnp3.src: 2
       dnp3.type: response
       event_type: dnp3
-      pcap_cnt: 9
+      pcap_cnt: 7
       proto: TCP
       src_ip: 130.126.142.250
       src_port: 49413
index ba53565914c2df0ed87ce8e149d1702360a02bb3..3efc7dff93df1530f6811c9a28e577a18e8f0e8d 100644 (file)
@@ -77,7 +77,7 @@ checks:
       dnp3.src: 2
       dnp3.type: response
       event_type: dnp3
-      pcap_cnt: 9
+      pcap_cnt: 7
       proto: TCP
       src_ip: 130.126.142.250
       src_port: 50059
index 75715cbb33a9db7bd2761b18ed22e98caeb5fef0..2ff06d3b470bcae140577a73edb746faedbac60a 100644 (file)
@@ -92,7 +92,7 @@ checks:
       dnp3.src: 4
       dnp3.type: response
       event_type: dnp3
-      pcap_cnt: 9
+      pcap_cnt: 7
       proto: TCP
       src_ip: 130.126.142.250
       src_port: 50301
index 70d8a033a3275dcfe9dfd34c9c5214003e8c42c2..4ad7b9bcb63bb0abd285b521913d71023b306013 100644 (file)
@@ -337,7 +337,7 @@ checks:
       dnp3.src: 4
       dnp3.type: response
       event_type: dnp3
-      pcap_cnt: 29
+      pcap_cnt: 27
       proto: TCP
       src_ip: 130.126.142.250
       src_port: 50276
index 2ed631dffc898dd19b2e0ef35f79f6ebcf173b13..b1a28128b79ad2efc9cf8367a366d89a477a8bdb 100644 (file)
@@ -176,7 +176,7 @@ checks:
       dnp3.src: 4
       dnp3.type: response
       event_type: dnp3
-      pcap_cnt: 21
+      pcap_cnt: 19
       proto: TCP
       src_ip: 130.126.142.250
       src_port: 50300
index 200401454f4a8012c5e034e867fcae16b338aa3f..555087e10afeb44b3b7c725484d87a9aaf0fa849 100644 (file)
@@ -179,7 +179,7 @@ checks:
       dnp3.src: 2
       dnp3.type: response
       event_type: dnp3
-      pcap_cnt: 12
+      pcap_cnt: 10
       proto: TCP
       src_ip: 130.126.142.250
       src_port: 49404
index d6413fe33209bec2c9d3b0a28bd0171de4772852..2edb15a7f8e0d72eb8bfca0783ad2eb4be7c7069 100644 (file)
@@ -64,7 +64,7 @@ checks:
       dnp3.src: 2
       dnp3.type: response
       event_type: dnp3
-      pcap_cnt: 9
+      pcap_cnt: 7
       proto: TCP
       src_ip: 130.126.142.250
       src_port: 49411