http: adds test with HTTP not being 0.9
authorPhilippe Antoine <pantoine@oisf.net>
Wed, 24 Jan 2024 12:07:11 +0000 (13:07 +0100)
committerVictor Julien <victor@inliniac.net>
Sat, 10 Feb 2024 20:10:34 +0000 (21:10 +0100)
Ticket: 6643

If the request is junk, and the response is valid HTTP/1.1,
we should handle the response as HTTP/1.1, not HTTP 0.9

tests/http-not09-file/README.md [new file with mode: 0644]
tests/http-not09-file/input.pcap [new file with mode: 0644]
tests/http-not09-file/test.rules [new file with mode: 0644]
tests/http-not09-file/test.yaml [new file with mode: 0644]

diff --git a/tests/http-not09-file/README.md b/tests/http-not09-file/README.md
new file mode 100644 (file)
index 0000000..6e9151d
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test that we parse junk request and HTTP response not as HTTP/0.9
+
+## PCAP
+
+TLPW1 163.44.181.249_80-10.6.29.102_49190-11ff4.pcap
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6643
diff --git a/tests/http-not09-file/input.pcap b/tests/http-not09-file/input.pcap
new file mode 100644 (file)
index 0000000..c1e5934
Binary files /dev/null and b/tests/http-not09-file/input.pcap differ
diff --git a/tests/http-not09-file/test.rules b/tests/http-not09-file/test.rules
new file mode 100644 (file)
index 0000000..9311e86
--- /dev/null
@@ -0,0 +1,4 @@
+# should match
+alert http any any -> any any (http.response_line; content:"HTTP/1.1 400"; sid:1;)
+# should not match as it is the response line, not yet the response body
+alert http any any -> any any (file.data; content:"HTTP/1.1 400"; sid:2;)
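Review bot: The comment above sid:2 says the rule should not match but not which regression it guards against, so it is hard to tell what a match would mean. Going by the commit description, a response mis-handled as HTTP/0.9 would presumably have its status line treated as body data, and `file.data` would then contain `HTTP/1.1 400`. I would spell that out, e.g. `# must not match: if the response were handled as HTTP/0.9 the status line would be treated as body and appear in file.data`. A short `msg` on both rules would also make a failing run easier to read in the eve output.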
diff --git a/tests/http-not09-file/test.yaml b/tests/http-not09-file/test.yaml
new file mode 100644 (file)
index 0000000..cea043e
--- /dev/null
@@ -0,0 +1,19 @@
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.size: 166
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
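Review bot: The checks confirm the HTTP/1.1 handling only indirectly, through the alert counts and the magic `fileinfo.size: 166`; nothing asserts on the http event itself. A filter on the parsed response status would pin the behaviour the ticket describes, assuming the status is logged for this flow and the pcap yields a single http event (adjust `count` otherwise). A comment saying that 166 is the response body length, without status line and headers, would explain that value. The file also has no `requires` block, so the test presumably runs against Suricata versions that predate the fix; consider adding `min-version: <FIXED_VERSION>` if it fails there.
```yaml
# … unchanged: args and the fileinfo / alert filters …
  - filter:
      count: 1
      match:
        event_type: http
        http.status: 400
```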