detect/bytejump: Test from issue 4623 1445/head
authorJeff Lucovsky <jlucovsky@oisf.net>
Fri, 27 Oct 2023 13:00:57 +0000 (09:00 -0400)
committerJeff Lucovsky <jlucovsky@oisf.net>
Fri, 27 Oct 2023 13:00:57 +0000 (09:00 -0400)
Issue: 4623

This commit uses the pcap and rules from issue 4623 to validate the
fixes.

tests/bug-4623/input.pcap [new file with mode: 0644]
tests/bug-4623/test.rules [new file with mode: 0644]
tests/bug-4623/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-4623/input.pcap b/tests/bug-4623/input.pcap
new file mode 100644 (file)
index 0000000..c4b2577
Binary files /dev/null and b/tests/bug-4623/input.pcap differ
diff --git a/tests/bug-4623/test.rules b/tests/bug-4623/test.rules
new file mode 100644 (file)
index 0000000..f77b248
--- /dev/null
@@ -0,0 +1,8 @@
+#1. (success) the following signature matches up to the second last byte in the buffer in [random_tcp.pcap]. A negative post_offset is used and the following pcre matches up to the end of the buffer.
+drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|3a 01 e8 ed 0f|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\x7c\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1; )
+
+#2. (success) we write a signature to match and move the pointer to the last byte, and we see that content does successfully match the last byte.
+drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; sid:2; )
+
+#3 (success) the following signature matches up to the last byte in the buffer as in 2. The same negative post_offset is used and we try to match values immediately after where the pointer should be. This signature does not match.
+drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:3; )
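Review bot: The comment above the sid:3 rule ends with "This signature does not match", yet test.yaml in this same commit requires exactly one alert with alert.signature_id 3, so one of the two describes the pre-fix behaviour reported in the issue; if the fix is what makes sid 3 fire, the comment should state the expected post-fix outcome rather than the old one. The comments also reference `[random_tcp.pcap]` while the pcap added here is `tests/bug-4623/input.pcap`, and the sid:2 comment speaks of moving the pointer to the last byte although that rule carries no byte_jump, which presumably is a leftover from the original report. Suggest rewording the sid:3 comment along the lines of `#3. (success) same content as 2 with the same negative post_offset; the pcre anchored at the resulting position is expected to match (issue 4623).` and replacing `[random_tcp.pcap]` with `input.pcap`.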
diff --git a/tests/bug-4623/test.yaml b/tests/bug-4623/test.yaml
new file mode 100644 (file)
index 0000000..070b6e8
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7.0.3
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+
+
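Review bot: The three filters assert that each sid produces exactly one alert, but nothing bounds the total number of alerts, so a regression that fires an unexpected extra alert on one of the other signatures (or a duplicate from another flow direction) would still pass. A fourth check `- filter:` / `count: 3` / `match: event_type: alert` would pin the whole alert set with no additional fixtures. The two trailing blank lines at the end of the file can also be dropped.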