From: Philippe Antoine
Date: Fri, 12 Apr 2024 10:56:17 +0000 (+0200)
Subject: http: test FP for http.response_body
X-Git-Tag: suricata-6.0.19~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bd88a394c20c40ecc8bff967753aeaa1176e644;p=thirdparty%2Fsuricata-verify.git
http: test FP for http.response_body Ticket: 6948 We should not match on request body
---
diff --git a/tests/http-post-data-decompression/test.rules b/tests/http-post-data-decompression/test.rules
index 6ca8c9f7e..cd676a807 100644
--- a/tests/http-post-data-decompression/test.rules
+++ b/tests/http-post-data-decompression/test.rules
@@ -1 +1,2 @@
 alert http any any -> any any (msg: "GZIPPED REQUEST"; flow: established, to_server; content: "name"; http_client_body; nocase; sid: 1; rev: 1; )
+alert http any any -> any any (msg: "not in response"; http.response_body; content: "name"; nocase; sid: 2; rev: 1; )
diff --git a/tests/http-post-data-decompression/test.yaml b/tests/http-post-data-decompression/test.yaml
index 823312db7..e1810bbec 100644
--- a/tests/http-post-data-decompression/test.yaml
+++ b/tests/http-post-data-decompression/test.yaml
@@ -9,3 +9,9 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
+ - filter:
+ min-version: 8
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
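Review bot: The added sid 2 rule in test.rules has no comment marking it as a negative control, and unlike sid 1 it carries no `flow` keyword, so a later reader may take the omission for an oversight and add one. Going by the commit message, the rule is meant to stay silent because the content sits only in the request body, and leaving the direction open looks deliberate. I would say so above the rule: `# Ticket 6948: negative control - http.response_body must not match request-body data; sid 2 is expected never to alert`. The msg text "not in response" would also read better in the alert log if it named the assertion, for example `msg: "http.response_body must not match request body";`.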
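Review bot: The new `count: 0` check for sid 2 in test.yaml passes equally well when the rule is rejected at load time or never evaluated, so on its own it cannot tell "did not match" from "was not loaded". If the capture contains any response body, a companion rule on the same buffer that is expected to fire would make this a real negative control; otherwise the test should at least confirm that the rule file loaded without errors. The check is also gated by `min-version: 8`, so older branches load the rule but assert nothing about it; if the fix for ticket 6948 is backported, the gate should be lowered with it. A one-line comment on the check would help: `# Ticket 6948: http.response_body must not alert on request body data`.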