git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
incomplete hex: test with strict content keyword
author Jason Ish <jason.ish@oisf.net>
Thu, 22 Sep 2022 18:07:34 +0000 (12:07 -0600)
committer Victor Julien <victor@inliniac.net>
Mon, 26 Sep 2022 15:44:30 +0000 (17:44 +0200)
With strict content parsing, -T should fail out for version 6 and 7.

tests/content-incomplete-hex-t-version-6-strict/README.md [new file with mode: 0644]
tests/content-incomplete-hex-t-version-6-strict/suricata.yaml [new file with mode: 0644]
tests/content-incomplete-hex-t-version-6-strict/test.rules [new file with mode: 0644]
tests/content-incomplete-hex-t-version-6-strict/test.yaml [new file with mode: 0644]

diff --git a/tests/content-incomplete-hex-t-version-6-strict/README.md b/tests/content-incomplete-hex-t-version-6-strict/README.md
new file mode 100644 (file)
index 0000000..ef27852
--- /dev/null
@@ -0,0 +1,6 @@
+Tests the behaviour of -T when a rule contains incomplete hex.
+
+For Suricata 6.0.x, -T should pass unless
+--strict-rule-keywords=content is provided.
+
+For Suricata 7.0+, -T should fail.
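Review bot: the README never states that this directory is the strict variant. It says 6.0.x passes "unless --strict-rule-keywords=content is provided", but it does not say that test.yaml here passes that flag and therefore expects -T to fail on 6.0.x as well as on 7.0+. A sentence such as "This test runs with --strict-rule-keywords=content, so -T is expected to fail on both 6.0.x and 7.0+" would make the expected result readable without opening test.yaml. The directory name also says version-6 while the text covers 7.0+, which is worth a short mention.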
diff --git a/tests/content-incomplete-hex-t-version-6-strict/suricata.yaml b/tests/content-incomplete-hex-t-version-6-strict/suricata.yaml
new file mode 100644 (file)
index 0000000..6917d85
--- /dev/null
@@ -0,0 +1,2 @@
+%YAML 1.1
+---
diff --git a/tests/content-incomplete-hex-t-version-6-strict/test.rules b/tests/content-incomplete-hex-t-version-6-strict/test.rules
new file mode 100644 (file)
index 0000000..397a5f1
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"incomplete hex test rule"; content:"|22 2 22|"; sid:12346; rev:1;)
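Review bot: nothing in the rule file says which part of content:"|22 2 22|" is the intentional defect. The middle token is a single hex digit (2) rather than a two-digit byte, and a reader skimming the rule can easily miss that. A # comment line above the rule naming the lone nibble as the incomplete hex under test would keep someone from "fixing" it later.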
diff --git a/tests/content-incomplete-hex-t-version-6-strict/test.yaml b/tests/content-incomplete-hex-t-version-6-strict/test.yaml
new file mode 100644 (file)
index 0000000..05de793
--- /dev/null
@@ -0,0 +1,6 @@
+args:
+  - -T --strict-rule-keywords=content
+
+pcap: false
+
+exit-code: 1
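Review bot: exit-code: 1 is the only assertion, so any failure that exits with 1 satisfies the test, including one unrelated to the incomplete hex in test.rules (for example a problem loading the two-line suricata.yaml, or the option itself being rejected). Consider adding a check that the error output refers to the content keyword or to sid 12346, so the test fails if -T stops for a different reason. There is also no requires block with a min-version, although the README and the commit message scope the expected failure to 6.0.x and 7.0+; without it the test would also be attempted on older builds, where the expected result is not stated.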