Especially for testing with pcre.
Ticket: #7573.
--- /dev/null
+alert http any any -> any any (http.request_body; content:"one"; sid:1;)
+alert http any any -> any any (http.request_body; pcre:"/one/R"; sid:2;)
+alert http any any -> any any (http.request_body; content:"one"; pcre:"/one/R"; sid:3;)
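Review bot: The `R` (relative) modifier on the pcre in sid:2 has no earlier match in `http.request_body` to be relative to, so the file does not show whether the flag is part of what the test exercises or just carried over from sid:3. If it is deliberate, a `#` comment above the rules would make that clear, for example `# sid 1: content only, sid 2: pcre only, sid 3: content + pcre on the same buffer`. The `http.response_body` rules further down the page use the same form for sid:2.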
--- /dev/null
+requires:
+ min-version: 7
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ mpm.buffer: "http_client_body"
+ mpm.pattern: "one"
+ # checks that all engines are toclient
+ engines[0].name: "http_client_body"
+ engines[0].direction: "toserver"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
+ engines[1].name: "http_client_body"
+ engines[1].direction: "toserver"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines.__len: 2
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ # checks that all engines are toserver
+ engines[0].name: "http_client_body"
+ engines[0].direction: "toserver"
+ engines[0].app_proto: "http"
+ engines[0].matches[0].name: "pcre"
+ engines[1].name: "http_client_body"
+ engines[1].direction: "toserver"
+ engines[1].app_proto: "http2"
+ engines[1].matches[0].name: "pcre"
+ engines.__len: 2
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "http_client_body"
+ mpm.pattern: "one"
+ # checks that all engines are toserver
+ engines[0].name: "http_client_body"
+ engines[0].direction: "toserver"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[1].name: "pcre"
+ engines[1].name: "http_client_body"
+ engines[1].direction: "toserver"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines[1].matches[1].name: "pcre"
+ engines.__len: 2
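Review bot: The comment above the id 1 assertions reads `# checks that all engines are toclient`, but every `direction` asserted in this file is `"toserver"`; it should read `# checks that all engines are toserver`, as the id 2 and id 3 blocks already do. Separately, id 2 expects `http` at `engines[0]` and `http2` at `engines[1]`, while ids 1 and 3 expect the reverse, so the checks pin the order of the engine list, which presumably mirrors the current `--engine-analysis` output. A one-line comment such as `# engine order as emitted in rules.json; pcre-only rules list http before http2` would help whoever has to update the test if that order changes. The response-body test later on the page follows the same pattern.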
alert http any any -> any any (http.response_body; content:"one"; sid:1;)
+alert http any any -> any any (http.response_body; pcre:"/one/R"; sid:2;)
+alert http any any -> any any (http.response_body; content:"one"; pcre:"/one/R"; sid:3;)
engines[0].name: "file_data"
engines[0].direction: "toclient"
engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
engines[1].name: "file_data"
engines[1].direction: "toclient"
engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines.__len: 2
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ # checks that all engines are toclient
+ engines[0].name: "file_data"
+ engines[0].direction: "toclient"
+ engines[0].app_proto: "http"
+ engines[0].matches[0].name: "pcre"
+ engines[1].name: "file_data"
+ engines[1].direction: "toclient"
+ engines[1].app_proto: "http2"
+ engines[1].matches[0].name: "pcre"
+ engines.__len: 2
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "file_data"
+ mpm.pattern: "one"
+ # checks that all engines are toclient
+ engines[0].name: "file_data"
+ engines[0].direction: "toclient"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[1].name: "pcre"
+ engines[1].name: "file_data"
+ engines[1].direction: "toclient"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines[1].matches[1].name: "pcre"
engines.__len: 2