--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; bsize:<70; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:2;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; sid:3;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:4;)
+# urilen followed by "raw" content, make sure the urilen doesn't act as http.uri sticky buffer
+alert http1 any any -> any any (urilen:44; content:"abc"; sid:5;)
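Review bot: Nothing in the rules file says what sid:1 to sid:4 are meant to exercise, so a reader has to diff them by eye to see that sid:1 and sid:3 differ only in the presence of fast_pattern, sid:2 swaps urilen for bsize placed after the http.uri sticky buffer, and sid:4 drops the length check altogether. A short header comment before sid:1 in the style of the one above sid:5 would make the intent reviewable, e.g. `# sid 1-4: urilen vs bsize, with and without fast_pattern; sid 3 has no fast_pattern so mpm selection is left to the engine` and `# sid 5 uses http1 on purpose, so only the http engine (not http2) is expected`. The second point matters because test.yaml expects an http2 engine for ids 1-4 but not for id 5, and that difference is only explained by the protocol keyword.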
--- /dev/null
+requires:
+ min-version: 7.0.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ mpm.buffer: "http_uri"
+ mpm.pattern: "=01&"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "urilen"
+ engines[0].matches[1].name: "content"
+ engines[0].matches[2].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "urilen"
+ engines[1].matches[1].name: "content"
+ engines[1].matches[2].name: "content"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ mpm.buffer: "http_uri"
+ mpm.pattern: "=01&"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "bsize"
+ engines[0].matches[1].name: "content"
+ engines[0].matches[2].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "bsize"
+ engines[1].matches[1].name: "content"
+ engines[1].matches[2].name: "content"
+- filter:
+ filename: rules.json
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "http_uri"
+ mpm.pattern: ".php?"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "urilen"
+ engines[0].matches[1].name: "content"
+ engines[0].matches[2].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "urilen"
+ engines[1].matches[1].name: "content"
+ engines[1].matches[2].name: "content"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ mpm.buffer: "http_uri"
+ mpm.pattern: "=01&"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[1].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines[1].matches[1].name: "content"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ mpm.buffer: "payload"
+ mpm.pattern: "abc"
+ engines[0].name: "stream"
+ engines[0].matches[0].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "urilen"
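Review bot: The third filter (id: 3) repeats `filename: rules.json` on two consecutive lines, which is a duplicate mapping key; strict YAML loaders reject it and lenient ones silently keep one copy, and it is plainly a copy-paste slip since every other filter has the key once. Drop the second `filename: rules.json` line so the filter has the same shape as the others. The expectations themselves look consistent with the rules: id 3 is the only one without fast_pattern and the only one expecting `mpm.pattern: ".php?"`, and id 5 expects no http2 engine, matching its `http1` protocol. The YAML file may continue past this hunk's last line.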