add test for base64_data w fast_pattern 1767/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Wed, 3 Apr 2024 07:13:40 +0000 (12:43 +0530)
committerVictor Julien <victor@inliniac.net>
Mon, 15 Apr 2024 08:08:40 +0000 (10:08 +0200)
Bug 6859

tests/bug-6859/README.md [new file with mode: 0644]
tests/bug-6859/test.rules [new file with mode: 0644]
tests/bug-6859/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-6859/README.md b/tests/bug-6859/README.md
new file mode 100644 (file)
index 0000000..0ac9274
--- /dev/null
@@ -0,0 +1,9 @@
+# Test Description
+This test demonstrates that fast_pattern along with base64_data
+should lead to an Info message about it being an ineffective operation.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/6859
diff --git a/tests/bug-6859/test.rules b/tests/bug-6859/test.rules
new file mode 100644 (file)
index 0000000..4b72db7
--- /dev/null
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
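Review bot: The single rule added here has no comment or `msg` saying that `fast_pattern` is deliberately attached to the content after `base64_data`, so a later maintainer could "fix" the rule and silently disable the regression test. I would put a comment line above it such as `# fast_pattern is intentionally set on the base64_data content to trigger the Info message (Bug 6859)`. Adding `msg:"fast_pattern on base64_data content";` before `classtype` would also make any log line that names this signature easier to attribute than a bare `sid:123`.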
diff --git a/tests/bug-6859/test.yaml b/tests/bug-6859/test.yaml
new file mode 100644 (file)
index 0000000..a6e3fb6
--- /dev/null
@@ -0,0 +1,11 @@
+requires:
+  pcap: false
+  version: 7
+
+args:
+  - --engine-analysis
+
+checks:
+    - shell:
+        args: grep "fast_pattern is ineffective with base64_data" suricata.log | grep "Info" | wc -l
+        expect: 1
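Review bot: The `version: 7` line under `requires` appears to pin the test to the 7.x series rather than set a floor, so later major versions would skip it and could lose the warning unnoticed. If the Info message is meant to persist, `min-version: 7` would keep the regression covered. That matters for detection coverage, because a rule author who never sees the message may ship a signature whose prefilter pattern cannot match. The shell check also passes on the log text alone, so it may be worth asserting that the rule still loads, assuming the engine keeps it. The pipeline could be shortened to `grep "fast_pattern is ineffective with base64_data" suricata.log | grep -c "Info"`.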