tests: add test for bug 2917
authorShivani Bhardwaj <shivanib134@gmail.com>
Thu, 9 Feb 2023 17:15:09 +0000 (22:45 +0530)
committerJason Ish <jason.ish@oisf.net>
Fri, 12 May 2023 18:42:02 +0000 (12:42 -0600)
tests/bug-2917/README.md [new file with mode: 0644]
tests/bug-2917/test.rules [new file with mode: 0644]
tests/bug-2917/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-2917/README.md b/tests/bug-2917/README.md
new file mode 100644 (file)
index 0000000..c87cc3f
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Engine analysis on the rules that cause the bug 2917
+
+## PCAP
+
+None
diff --git a/tests/bug-2917/test.rules b/tests/bug-2917/test.rules
new file mode 100644 (file)
index 0000000..87463a1
--- /dev/null
@@ -0,0 +1,17 @@
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST 1"; flow:to_server,established; content:"GET"; http_method; flowbits:set,test; sid:1;)
+
+# does not work - based on the original rules
+# Before commit https://github.com/oISF/suricata/commit/227d1d967a5902 which suppresses the error message
+# This rule is where one would see the error "Unable to find the sm in any of the sm lists"
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST 2"; flowbits:isset,test; pcre:"/\s200\s/"; sid:2;)
+
+# works - removing the flowbit
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST 3"; pcre:"/\s200\s/"; sid:3;)
+
+# works - sub pcre with content - this validates it something with the flowbit relationship?
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST 4"; flowbits:isset,test; content:"|20|200|20|"; sid:4;)
+
+# works - add a buffer to the pcre
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST 5"; flowbits:isset,test; pcre:"/200/S"; sid:5;)
+
+alert dns any any -> any any (msg:"DNS TEST"; isdataat:129 ; app-layer-event:dns.malformed_data; sid:1371257161; rev:1;)
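Review bot: The DNS rule on the last line of the hunk (sid 1371257161) is the only rule without a comment tying it to bug 2917, and it is not mentioned in the README, so a reader cannot tell whether it is part of the reproducer or a separate engine-analysis sample; a one-line comment such as `# presumably unrelated to the flowbit/pcre case: engine-analysis sample for a non-HTTP (dns) rule - confirm` above it would make the intent explicit. The same line has a stray space in `isdataat:129 ;` which parses but reads as a typo and is worth tightening to `isdataat:129;`. The comment on the TEST 4 rule, `# works - sub pcre with content - this validates it something with the flowbit relationship?`, is hard to parse and would read better as `# works - substituting content for pcre; suggests the issue is in the flowbit/pcre relationship`.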
diff --git a/tests/bug-2917/test.yaml b/tests/bug-2917/test.yaml
new file mode 100644 (file)
index 0000000..e1c0fd7
--- /dev/null
@@ -0,0 +1,215 @@
+requires:
+  min-version: 7
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1
+        gid: 1
+        rev: 0
+        msg: TEST 1
+        app_proto: http
+        requirements[0]: flow
+        flags[0]: sp_any
+        flags[1]: applayer
+        flags[2]: toserver
+        flags[3]: prefilter
+        pkt_engines[0].name: packet
+        pkt_engines[0].is_mpm: false
+        engines[0].name: http_method
+        engines[0].direction: toserver
+        engines[0].is_mpm: true
+        engines[0].app_proto: http
+        engines[0].progress: 1
+        engines[0].matches[0].name: content
+        engines[0].matches[0].content.pattern: GET
+        engines[0].matches[0].content.length: 3
+        engines[0].matches[0].content.nocase: false
+        engines[0].matches[0].content.negated: false
+        engines[0].matches[0].content.starts_with: false
+        engines[0].matches[0].content.ends_with: false
+        engines[0].matches[0].content.is_mpm: true
+        engines[0].matches[0].content.no_double_inspect: true
+        engines[0].matches[0].content.fast_pattern: false
+        engines[0].matches[0].content.relative_next: false
+        lists.packet.matches[0].name: flow
+        lists.postmatch.matches[0].name: flowbits
+        mpm.buffer: http_method
+        mpm.pattern: GET
+        mpm.length: 3
+        mpm.nocase: false
+        mpm.negated: false
+        mpm.starts_with: false
+        mpm.ends_with: false
+        mpm.is_mpm: true
+        mpm.no_double_inspect: true
+        mpm.fast_pattern: false
+        mpm.relative_next: false
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 2
+        gid: 1
+        rev: 0
+        msg: TEST 2
+        app_proto: http_any
+        requirements[0]: payload
+        requirements[1]: flow
+        flags[0]: dp_any
+        flags[1]: applayer
+        flags[2]: need_stream
+        flags[3]: need_flowvar
+        flags[4]: toserver
+        flags[5]: toclient
+        pkt_engines[0].name: payload
+        pkt_engines[0].is_mpm: false
+        pkt_engines[1].name: packet
+        pkt_engines[1].is_mpm: false
+        lists.packet.matches[0].name: flowbits
+        lists.payload.matches[0].name: pcre
+        lists.payload.matches[0].pcre.relative: false
+        lists.payload.matches[0].pcre.relative_next: false
+        lists.payload.matches[0].pcre.nocase: false
+        lists.payload.matches[0].pcre.negated: false
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 4
+        gid: 1
+        rev: 0
+        msg: TEST 4
+        app_proto: http_any
+        requirements[0]: payload
+        requirements[1]: flow
+        flags[0]: dp_any
+        flags[1]: applayer
+        flags[2]: need_stream
+        flags[3]: need_flowvar
+        flags[4]: toserver
+        flags[5]: toclient
+        flags[6]: prefilter
+        pkt_engines[0].name: payload
+        pkt_engines[0].is_mpm: true
+        pkt_engines[1].name: packet
+        pkt_engines[1].is_mpm: false
+        lists.packet.matches[0].name: flowbits
+        lists.payload.matches[0].name: content
+        lists.payload.matches[0].content.pattern: '|20|200|20|'
+        lists.payload.matches[0].content.length: 5
+        lists.payload.matches[0].content.nocase: false
+        lists.payload.matches[0].content.negated: false
+        lists.payload.matches[0].content.starts_with: false
+        lists.payload.matches[0].content.ends_with: false
+        lists.payload.matches[0].content.is_mpm: true
+        lists.payload.matches[0].content.no_double_inspect: true
+        lists.payload.matches[0].content.fast_pattern: false
+        lists.payload.matches[0].content.relative_next: false
+        mpm.buffer: payload
+        mpm.pattern: '|20|200|20|'
+        mpm.length: 5
+        mpm.nocase: false
+        mpm.negated: false
+        mpm.starts_with: false
+        mpm.ends_with: false
+        mpm.is_mpm: true
+        mpm.no_double_inspect: true
+        mpm.fast_pattern: false
+        mpm.relative_next: false
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 5
+        gid: 1
+        rev: 0
+        msg: TEST 5
+        app_proto: http
+        requirements[0]: flow
+        flags[0]: dp_any
+        flags[1]: applayer
+        flags[2]: need_flowvar
+        flags[3]: toclient
+        pkt_engines[0].name: packet
+        pkt_engines[0].is_mpm: false
+        engines[0].name: http_stat_code
+        engines[0].direction: toclient
+        engines[0].is_mpm: false
+        engines[0].app_proto: http
+        engines[0].progress: 1
+        engines[0].matches[0].name: pcre
+        engines[0].matches[0].pcre.relative: false
+        engines[0].matches[0].pcre.relative_next: false
+        engines[0].matches[0].pcre.nocase: false
+        engines[0].matches[0].pcre.negated: false
+        lists.packet.matches[0].name: flowbits
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 3
+        gid: 1
+        rev: 0
+        msg: TEST 3
+        app_proto: http_any
+        requirements[0]: payload
+        requirements[1]: flow
+        flags[0]: dp_any
+        flags[1]: applayer
+        flags[2]: need_stream
+        flags[3]: toserver
+        flags[4]: toclient
+        pkt_engines[0].name: payload
+        pkt_engines[0].is_mpm: false
+        lists.payload.matches[0].name: pcre
+        lists.payload.matches[0].pcre.relative: false
+        lists.payload.matches[0].pcre.relative_next: false
+        lists.payload.matches[0].pcre.nocase: false
+        lists.payload.matches[0].pcre.negated: false
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1371257161
+        gid: 1
+        rev: 1
+        msg: DNS TEST
+        app_proto: dns
+        requirements[0]: payload
+        requirements[1]: flow
+        flags[0]: src_any
+        flags[1]: dst_any
+        flags[2]: sp_any
+        flags[3]: dp_any
+        flags[4]: applayer
+        flags[5]: need_stream
+        flags[6]: toserver
+        flags[7]: toclient
+        engines[0].name: app-layer-events
+        engines[0].direction: toserver
+        engines[0].is_mpm: false
+        engines[0].progress: 0
+        engines[0].matches[0].name: app-layer-event
+        engines[1].name: app-layer-events
+        engines[1].direction: toclient
+        engines[1].is_mpm: false
+        engines[1].progress: 0
+        engines[1].matches[0].name: app-layer-event
+        engines[2].name: stream
+        engines[2].direction: toserver
+        engines[2].is_mpm: false
+        engines[2].progress: 0
+        engines[2].matches[0].name: isdataat
+        engines[3].name: stream
+        engines[3].direction: toclient
+        engines[3].is_mpm: false
+        engines[3].progress: 0
+        engines[3].matches[0].name: isdataat
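Review bot: The checks are ordered sid 1, 2, 4, 5, 3, DNS, while test.rules lists them 1 through 5 then DNS, so the `id: 3` check (the control rule with the flowbit removed) is easiest to miss when comparing expected output against the rule file; moving that filter block up to sit after the `id: 2` check would keep the two files aligned. Each check pins `count: 1` per sid but nothing asserts that all six rules loaded, so a rule that fails to parse in a future engine version would only surface indirectly through its missing filter; if the harness supports it, a check on the total record count in rules.json would make that failure explicit, though I am not certain a match-less filter is accepted here. The hunk covers the whole new file, so no enclosing block is cut.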