alert http2 any any -> any any (http2.frametype:GOAWAY; sid:2; rev:1;)
alert http2 any any -> any any (http2.settings:SETTINGS_HEADER_TABLE_SIZE>1000; sid:3; rev:1;)
alert http2 any any -> any any (http2.window:34634; sid:4; rev:1;)
-
-alert http any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:10;)
-alert http1 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:11;)
-alert http2 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:12;)
-alert tcp any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:13;)
-alert ip any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:14;)
count: 0
match:
event_type: anomaly
- # HTTP generic keywords with HTTP2 traffic
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 10
- - filter:
- count: 0
- match:
- event_type: alert
- alert.signature_id: 11
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 12
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 13
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 14
--- /dev/null
+# Description
+
+Test http2 with HTTP keywords functionality
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/HTTP2
+It is the same as in http2-basic
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ types:
+ - alert
+ - http2
+ - files
+
+app-layer:
+ protocols:
+ http2:
+ enabled: true
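Review bot: The two suricata.yaml files added in this commit spell booleans differently: this one uses `enabled: true`, while the second one (the hunk starting at the next `--- /dev/null` with `%YAML 1.1`) uses `enabled: yes`, `tagged-packets: yes` and `extended: yes`. Both are valid under the declared `%YAML 1.1` and Suricata reads them the same way, but one spelling across both new test configs keeps them diffable against each other, and `true`/`false` is the form generic YAML tooling treats consistently. This config also omits `filetype`/`filename` for eve-log, which the sibling config sets to `regular`/`eve.json`; if the test harness supplies those defaults this is fine, otherwise the two should be aligned.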
--- /dev/null
+
+alert http any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:10;)
+alert http1 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:11;)
+alert http2 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:12;)
+alert tcp any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:13;)
+alert ip any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:14;)
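Review bot: The five new rules carry a `sid` but no `rev` and no `msg`, whereas the http2 rules shown in the context at the top of this diff use `sid:N; rev:1;`; adding `rev:1;` keeps the two rule files consistent, and a short `msg` makes the resulting eve.json alerts self-describing, e.g. `alert http1 any any -> any any (msg:"http.uri on http1 only"; http.uri; content:"/doc/manual/html/index.html"; sid:11; rev:1;)`. The file also begins with an empty line; dropping it avoids a blank first line in a rules file.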
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 13
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 14
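Review bot: The `checks:` list drops the explanatory comment these checks carried in the test they were moved from (`# HTTP generic keywords with HTTP2 traffic`, in the removed hunk at the top of this diff), so a reader now has to infer why sid 11 expects `count: 0` while sids 10, 12, 13 and 14 expect 1. A comment above the first filter would carry that intent, e.g. `# http.uri is a generic HTTP keyword: it must fire on HTTP/2 for the http, http2, tcp and ip rules (sids 10, 12, 13, 14) and must not fire for the http1-only rule (sid 11)`. The blank line between `checks:` and the first `- filter:` can also go.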
--- /dev/null
+# Description
+
+Test more HTTP2 traffic against HTTP keywords
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/HTTP2
+It is the same as in http2-upgrade
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: yes
+ - http:
+ extended: yes
+ - http2
+ - files
+
+app-layer:
+ protocols:
+ http2:
+ enabled: yes
--- /dev/null
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7.0.0
+
+# disables checksum verification
+args:
+ - -k none --set stream.midstream=true
+
+checks:
+
+# checks for http.uri keyword : 1 for HTTP1, 1 for mimicked HTTP2 response, so 2 for whole HTTP
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 20
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 21
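Review bot: The comment at the head of `checks:` says "1 for HTTP1, 1 for mimicked HTTP2 response, so 2 for whole HTTP" but does not say which sid is which; if this test's rules follow the sid assignment used by the other test.rules in this commit (10 = http, 11 = http1, 12 = http2), "2 for whole HTTP" would describe sid 10, yet the `count: 2` expectation is attached to sid 12. The rules file for this test is not in this chunk, so either its numbering differs or the comment and the check disagree; naming the sids in the comment, e.g. `# sid 10 (http): 2, sid 11 (http1): 1, sid 12 (http2): 1 -- adjust to the rules file`, would settle it. The `args` comment `# disables checksum verification` also covers only `-k none`, while the added `--set stream.midstream=true` goes unexplained; `# disables checksum verification and allows picking the session up mid-stream` would cover both.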
http.http_method: "GET"
http.url: "/humans.txt"
http.status: 404
-# checks for http.uti keyword : 1 for HTTP1, 1 for mimicked HTTP2 response, so 2 for whole HTTP
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 10
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 11
- - filter:
- count: 2
- match:
- event_type: alert
- alert.signature_id: 12
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 20
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 21