tests: add frame ips test 1094/head
authorVictor Julien <victor@inliniac.net>
Fri, 27 Jan 2023 15:55:00 +0000 (16:55 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 27 Jan 2023 17:15:07 +0000 (18:15 +0100)
tests/http-gap-simple-frames-ips/README.md [new file with mode: 0644]
tests/http-gap-simple-frames-ips/input.pcap [new file with mode: 0644]
tests/http-gap-simple-frames-ips/suricata.yaml [new file with mode: 0644]
tests/http-gap-simple-frames-ips/test.rules [new file with mode: 0644]
tests/http-gap-simple-frames-ips/test.yaml [new file with mode: 0644]
tests/http-gap-simple-frames-ips/toaddgap.txt [new file with mode: 0644]

diff --git a/tests/http-gap-simple-frames-ips/README.md b/tests/http-gap-simple-frames-ips/README.md
new file mode 100644 (file)
index 0000000..73de7ef
--- /dev/null
@@ -0,0 +1,13 @@
+# Description
+
+Test http gap handling
+
+This test case contains a single simple gap in response body with defined content-length
+
+# PCAP
+
+The pcap comes from running
+`python test/htptopcap.py toaddgap.txt`
+With the attached toaddgap.txt
+
+Then removing packet 17
diff --git a/tests/http-gap-simple-frames-ips/input.pcap b/tests/http-gap-simple-frames-ips/input.pcap
new file mode 100644 (file)
index 0000000..5edd0f1
Binary files /dev/null and b/tests/http-gap-simple-frames-ips/input.pcap differ
diff --git a/tests/http-gap-simple-frames-ips/suricata.yaml b/tests/http-gap-simple-frames-ips/suricata.yaml
new file mode 100644 (file)
index 0000000..3bcb3d6
--- /dev/null
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        # app layer frames
+        - frame:
+            enabled: yes
+        - anomaly:
+            enabled: yes
+            types:
+              # decode: no
+              # stream: no
+              # applayer: yes
+            #packethdr: no
+        - http:
+            extended: yes
+        - files
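Review bot: `types:` under the `anomaly` output has only commented-out children, so it parses as a null value rather than a mapping, and which anomaly types get logged is left to however Suricata treats an absent setting. Since none of the checks in test.yaml reference anomaly events this is harmless, but the placeholder block carried over from the default config adds nothing to a test-specific configuration. I'd either drop `types:` together with its three commented lines, or replace them with a single comment stating the intent, `# anomaly types left at Suricata defaults; not asserted by this test`.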
diff --git a/tests/http-gap-simple-frames-ips/test.rules b/tests/http-gap-simple-frames-ips/test.rules
new file mode 100644 (file)
index 0000000..7199fa8
--- /dev/null
@@ -0,0 +1,3 @@
+drop http any any -> any any (frame:http1.response; content:"|0d 0a|AAA"; sid:1;)
+# shouldn't match
+drop http any any -> any any (frame:http1.response; content:"|0d 0a|AAA"; endswith; sid:4;)
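Review bot: sid 1 carries no comment describing its intent, while sid 4 is annotated with `# shouldn't match`; a line above sid 1 such as `# expected to match the response frame and drop (action "blocked" is asserted in test.yaml)` would make the pair self-explanatory. The jump from sid 1 to sid 4 also suggests rules were removed before committing; renumbering to 1 and 2, or a short comment on why the ids are sparse, would save the next reader from looking for the missing ones.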
diff --git a/tests/http-gap-simple-frames-ips/test.yaml b/tests/http-gap-simple-frames-ips/test.yaml
new file mode 100644 (file)
index 0000000..8f41b1a
--- /dev/null
@@ -0,0 +1,69 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 7.0.0
+
+# disables checksum verification
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+
+  # Check that there is one file event with content range.
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/1"
+        http.status: 200
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/2"
+        http.status: 200
+  - filter:
+      count: 0
+      match:
+        event_type: http
+        http.url: "/3"
+        http.status: 200
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.size: 14
+        fileinfo.state: "CLOSED"
+        fileinfo.gaps: false
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.size: 14
+        fileinfo.filename: "/2"
+        fileinfo.state: "TRUNCATED"
+        fileinfo.gaps: false
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pcap_cnt: 15
+        alert.action: "blocked"
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: frame
+        app_proto: http
+        frame.id: 2
+        frame.stream_offset: 0
+        frame.type: request
+        frame.length: 40
+        frame.direction: toserver
+        frame.tx_id: 0
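Review bot: The comment `# Check that there is one file event with content range.` sits above an `event_type: http` check for `/1`, so it describes a different check than the one it precedes; the fileinfo checks it seems to refer to start several entries later and have no comment of their own. I'd reword it to match what follows, e.g. `# One http event each for /1 and /2; /3 is expected to produce none.`, and move the fileinfo wording down to the first fileinfo filter. Separately, the `fileinfo.state: "CLOSED"` check pins size and state but not `fileinfo.filename`, unlike the `TRUNCATED` check which pins `"/2"`; if that entry is meant to be the `/1` transfer, adding `fileinfo.filename: "/1"` would stop it being satisfied by any other 14-byte closed file.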
diff --git a/tests/http-gap-simple-frames-ips/toaddgap.txt b/tests/http-gap-simple-frames-ips/toaddgap.txt
new file mode 100644 (file)
index 0000000..c6859ed
--- /dev/null
@@ -0,0 +1,53 @@
+>>>
+GET /1 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Date: Mon, 31 Aug 2009 20:25:50 GMT
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+
+<<<
+Hello World!
+
+>>>
+GET /2 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 70
+
+
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+>>>
+GET /3 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+Hello People