add test for bug 6617 1649/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Mon, 18 Dec 2023 08:16:03 +0000 (13:46 +0530)
committerVictor Julien <victor@inliniac.net>
Wed, 14 Feb 2024 20:20:50 +0000 (21:20 +0100)
tests/bug-6617/README.md [new file with mode: 0644]
tests/bug-6617/suricata.yaml [new file with mode: 0644]
tests/bug-6617/test.rules [new file with mode: 0644]
tests/bug-6617/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-6617/README.md b/tests/bug-6617/README.md
new file mode 100644 (file)
index 0000000..1a9631c
--- /dev/null
@@ -0,0 +1,13 @@
+# Test Description
+
+If the file transfer is happening in one direction, it should only
+be stored/logged in that direction when `filestore:flow, to_server`
+type of syntax defines the direction.
+
+## PCAP
+
+Comes from the test `filestore-v2.1-forced`.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6617
diff --git a/tests/bug-6617/suricata.yaml b/tests/bug-6617/suricata.yaml
new file mode 100644 (file)
index 0000000..d8c979c
--- /dev/null
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - alert
+        - http
+  - file-store:
+      version: 2
+      enabled: yes
+      stream-depth: 0
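Review bot: `stream-depth: 0` under `file-store` is left unexplained, so a reader cannot tell whether it is needed for the test or was copied from another fixture. If the intent is to track the file to its end so that the SHA-256 in test.yaml is computed over the complete PDF, say so with a comment such as `# 0 = unlimited: track the whole file so fileinfo.sha256 is stable`. It would also help to note that `force-filestore` is deliberately not set here, even though the pcap comes from the `filestore-v2.1-forced` test.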
diff --git a/tests/bug-6617/test.rules b/tests/bug-6617/test.rules
new file mode 100644 (file)
index 0000000..2a837c1
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"Filestore toserver"; filestore:to_server,flow; sid:1; rev:1;)
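Review bot: Nothing next to the rule records why it is expected to store nothing, and the README writes the option as `filestore:flow, to_server` while the rule uses `filestore:to_server,flow`. Since test.yaml expects `fileinfo.stored: false`, the PDF in the pcap presumably travels to_client. A comment above the rule such as `# file in the pcap is sent to_client; a to_server,flow filestore must not store it` would make that explicit. The README should quote the option in the same order as the rule so the two cannot be read as different syntaxes.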
diff --git a/tests/bug-6617/test.yaml b/tests/bug-6617/test.yaml
new file mode 100644 (file)
index 0000000..2aa9a47
--- /dev/null
@@ -0,0 +1,15 @@
+pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap
+
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+   count: 1
+   match:
+     event_type: fileinfo
+     fileinfo.sha256: 291389dc5926982448d90e551689ef857650c0ad4fa656841e687d984609ec02
+     fileinfo.stored: false
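Review bot: The single filter cannot tell "direction was honoured" from "the rule never took effect", because one fileinfo record with `fileinfo.stored: false` would presumably also be logged if test.rules failed to load or match. It also leaves room for an extra fileinfo record with `stored: true` for a file whose hash differs from the pinned one. Add a negative check that no fileinfo event reports a stored file, as below. Also add a filter on `event_type: alert` with `alert.signature_id: 1`, with the count taken from a known-good run, so the test proves that the filestore rule fired.

```yaml
# … unchanged: existing fileinfo filter (count: 1, stored: false) …
- filter:
   count: 0
   match:
     event_type: fileinfo
     fileinfo.stored: true
```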