tests/http2: add 6.0.x version of http2-files 1316/head suricata-7.0.0
authorVictor Julien <victor@inliniac.net>
Sat, 15 Jul 2023 13:27:59 +0000 (15:27 +0200)
committerVictor Julien <victor@inliniac.net>
Sat, 15 Jul 2023 13:29:39 +0000 (15:29 +0200)
tests/http2-files-6/README.md [new file with mode: 0644]
tests/http2-files-6/expected/fast.log [new file with mode: 0644]
tests/http2-files-6/input.pcap [new file with mode: 0644]
tests/http2-files-6/suricata.yaml [new file with mode: 0644]
tests/http2-files-6/test.md5 [new file with mode: 0644]
tests/http2-files-6/test.rules [new file with mode: 0644]
tests/http2-files-6/test.yaml [new file with mode: 0644]

diff --git a/tests/http2-files-6/README.md b/tests/http2-files-6/README.md
new file mode 100644 (file)
index 0000000..e48b36b
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Test http2 files functionality
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/HTTP2
diff --git a/tests/http2-files-6/expected/fast.log b/tests/http2-files-6/expected/fast.log
new file mode 100644 (file)
index 0000000..6152138
--- /dev/null
@@ -0,0 +1,13 @@
+08/02/2014-10:50:25.823699  [**] [1:6:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.823699  [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.823699  [**] [1:8:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.828791  [**] [1:3:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
+08/02/2014-10:50:25.828986  [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.830473  [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.830473  [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.830719  [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.830719  [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.832311  [**] [1:4:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
+08/02/2014-10:50:25.833220  [**] [1:4:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
+08/02/2014-10:50:25.833365  [**] [1:5:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
+08/02/2014-10:50:25.840964  [**] [1:2:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
diff --git a/tests/http2-files-6/input.pcap b/tests/http2-files-6/input.pcap
new file mode 100644 (file)
index 0000000..0e1ada8
Binary files /dev/null and b/tests/http2-files-6/input.pcap differ
diff --git a/tests/http2-files-6/suricata.yaml b/tests/http2-files-6/suricata.yaml
new file mode 100644 (file)
index 0000000..b4d53ad
--- /dev/null
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: true
+      types:
+        - alert
+        - http2
+        - files:
+          force-magic: true
+          force-hash: [md5, sha1, sha256]
+  - fast:
+      enabled: yes
+
+app-layer:
+  protocols:
+    http2:
+      enabled: true
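Review bot: In the `- files:` list item, `force-magic` and `force-hash` sit at the same column as `files`, so under standard YAML they are siblings of `files` (which is then empty) rather than its options. If Suricata's loader follows that nesting, the forced magic and sha1/sha256 settings may never reach the files logger. Indent both keys two more spaces so they sit beneath `files:`, as in `force-hash: [md5, sha1, sha256]` one level deeper. None of the checks in this commit's test.yaml assert a hash or magic field on the fileinfo events, so a mis-nesting here would pass unnoticed. Separately, `enabled: yes` under `fast` mixes boolean spellings with the `enabled: true` used elsewhere in the file; prefer `enabled: true`.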
diff --git a/tests/http2-files-6/test.md5 b/tests/http2-files-6/test.md5
new file mode 100644 (file)
index 0000000..c7d859d
--- /dev/null
@@ -0,0 +1 @@
+15560fc6a1e4845498d8d952691afb11
diff --git a/tests/http2-files-6/test.rules b/tests/http2-files-6/test.rules
new file mode 100644 (file)
index 0000000..d1126b8
--- /dev/null
@@ -0,0 +1,7 @@
+alert http2 any any -> any any (http2.frametype:GOAWAY; sid:2; rev:1;)
+alert http2 any any -> any any (http2.settings:SETTINGS_HEADER_TABLE_SIZE>1000; sid:3; rev:1;)
+alert http2 any any -> any any (http2.window:34634; sid:4; rev:1;)
+alert http2 any any -> any any (flow:established,to_client; filemd5:test.md5; sid:5; rev:1;)
+alert http2 any any -> any any (file.data; content:"nghttp2 - HTTP/2 C Library"; sid:6; rev:1;)
+alert http2 any any -> any any (file.data; content:!"html"; startswith; sid:7; rev:1;)
+alert http2 any any -> any any (file.data; content:"|0a 0a|<!DOCTYPE"; startswith; sid:8; rev:1;)
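Review bot: None of the seven rules carries a `msg` option, which is why every line of expected/fast.log reads `(null)` and alerts can only be told apart by sid. The file-compare check exists to catch ordering changes, so a short message per rule would make a failing diff much easier to read, e.g. `msg:"http2 GOAWAY frame";` on sid 2 and `msg:"file.data does not start with html";` on sid 7. expected/fast.log would need regenerating to match.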
diff --git a/tests/http2-files-6/test.yaml b/tests/http2-files-6/test.yaml
new file mode 100644 (file)
index 0000000..f61522b
--- /dev/null
@@ -0,0 +1,98 @@
+requires:
+  features:
+    - HAVE_NSS
+    - HAVE_LIBJANSSON
+  min-version: 6.0.0
+
+# disables checksum verification
+args:
+  - -k none
+
+checks:
+
+  # Check that the output order is always the same (we want to ensure that
+  # alerts are stored in the same order, and this check should cover that)
+  - file-compare:
+      filename: fast.log
+      expected: expected/fast.log
+
+  # Check that there is one file event with content range.
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.http2.stream_id: 0
+        http.http2.response.settings[0].settings_id: "SETTINGSMAXCONCURRENTSTREAMS"
+        http.http2.response.settings[0].settings_value: 100
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.http2.stream_id: 0
+        http.http2.request.settings[1].settings_id: "SETTINGSINITIALWINDOWSIZE"
+        http.http2.request.settings[1].settings_value: 65535
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.http2.stream_id: 0
+        http.http2.request.error_code: "NOERROR"
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.length: 22617
+        http.status: 200
+        http.http_method: "GET"
+        http.url: "/doc/manual/html/index.html"
+        http.http_user_agent: "nghttp2/0.5.2-DEV"
+        http.version: "2"
+        http.http2.stream_id: 1
+        http.request_headers[0].name: ":authority"
+        http.request_headers[0].value: "localhost:3000"
+        http.request_headers[1].name: ":method"
+        http.request_headers[1].value: "GET"
+        http.request_headers[2].name: ":path"
+        http.request_headers[2].value: "/doc/manual/html/index.html"
+        http.response_headers[0].name: ":status"
+        http.response_headers[0].value: "200"
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 6
+      match:
+        event_type: fileinfo
+        fileinfo.state: CLOSED
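Review bot: The `requires` block sets only `min-version: 6.0.0`, so nothing stops this test from also running on 7.x, although the directory name and commit title mark it as the 6.0.x variant. Adding `lt-version: 7` next to `min-version` would pin it to the intended branch. The comment `# Check that there is one file event with content range.` sits above a filter that matches HTTP/2 settings on stream 0, not a file event; something like `# Check the HTTP/2 SETTINGS values logged on stream 0.` would describe it. It is also worth confirming that 6.0.x emits these records as `event_type: http`, because the suricata.yaml in this commit enables the `http2` eve type.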