From: Shivani Bhardwaj
Date: Sat, 22 Jun 2019 09:07:44 +0000 (+0530)
Subject: Add test for http_uri matching regression
X-Git-Tag: suricata-6.0.4~128
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=126a5b78b2f6ab0c675eccb64601dbe7eb63da57;p=thirdparty%2Fsuricata-verify.git
Add test for http_uri matching regression Related to redmine ticket #78. This test has been added since uricontent has been deprecated by http_uri.
---
diff --git a/tests/bug-78-http-uri/README b/tests/bug-78-http-uri/README
new file mode 100644
index 000000000..4532e3361
--- /dev/null
+++ b/tests/bug-78-http-uri/README
@@ -0,0 +1,4 @@
+This test is for regression matching with http_uri. In order to make suricata-verify more robust,
+it is good to add tests for issues that existed before suricata-verify did.
+There was a bug introduced in the early stages https://redmine.openinfosecfoundation.org/issues/78,
+the pcap and signature mentioned in the bug report has been used to create this test.
diff --git a/tests/bug-78-http-uri/input.pcap b/tests/bug-78-http-uri/input.pcap
new file mode 100644
index 000000000..6af7504c7
Binary files /dev/null and b/tests/bug-78-http-uri/input.pcap differ
diff --git a/tests/bug-78-http-uri/test.rules b/tests/bug-78-http-uri/test.rules
new file mode 100644
index 000000000..6de69fca0
--- /dev/null
+++ b/tests/bug-78-http-uri/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"msg escape tests"; content:"blah"; http_uri; sid: 100;)
diff --git a/tests/bug-78-http-uri/test.yaml b/tests/bug-78-http-uri/test.yaml
new file mode 100644
index 000000000..765abc885
--- /dev/null
+++ b/tests/bug-78-http-uri/test.yaml
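Review bot: The single signature in test.rules carries no hint of why it is written the way it is; the msg `msg escape tests` says nothing about http_uri matching and `alert tcp` with a bare `http_uri` is not the form a reader expects for an HTTP-layer regression test, so a later maintainer is likely to "tidy" it and silently change what the test reproduces. Because test.yaml pins both `alert.signature: msg escape tests` and `alert.signature_id: 100`, any such edit breaks the test in two files at once. The README says the signature was taken from the bug report, so I'd record that next to the rule itself with a comment line above it: `# Signature taken from https://redmine.openinfosecfoundation.org/issues/78 (see README); test.yaml matches on its msg and sid, keep both unchanged.`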
@@ -0,0 +1,68 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature: msg escape tests
+ alert.signature_id: 100
+ app_proto: http
+ dest_ip: 208.69.36.231
+ dest_port: 80
+ event_type: alert
+ flow:
+ bytes_toclient: 1588
+ bytes_toserver: 379
+ pkts_toclient: 2
+ pkts_toserver: 4
+ start: 2009-10-16T16:44:16.083524+0000
+ http:
+ hostname: www.google.com
+ http_content_type: text/html
+ http_method: GET
+ http_user_agent: Wget/1.11.4
+ length: 1194
+ protocol: HTTP/1.0
+ status: 404
+ url: /blah/
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 37010
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: 208.69.36.231
+ dest_port: 80
+ event_type: flow
+ flow:
+ age: 0
+ alerted: true
+ bytes_toclient: 5453
+ bytes_toserver: 607
+ end: 2009-10-16T16:44:16.185868+0000
+ pkts_toclient: 5
+ pkts_toserver: 8
+ reason: shutdown
+ start: 2009-10-16T16:44:16.083524+0000
+ state: closed
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 37010
+ tcp:
+ ack: true
+ psh: true
+ rst: true
+ state: closed
+ syn: true
+ tcp_flags: 1e
+ tcp_flags_tc: 1a
+ tcp_flags_ts: 1e
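Review bot: The alert check asserts one event matching a very specific record (`pcap_cnt: 6`, `tx_id: 0`, the flow byte and packet counters at alert time), but nothing in the file asserts that sid 100 fires only once; as I read suricata-verify's filter semantics, a second alert on any other packet of the flow would still leave this filter's count at 1 and the test would pass. A regression test for http_uri matching should catch a regression in either direction, a missed match or a spurious one, so I'd add a broad filter keyed only on the event type and the sid with `count: 1`. The generator-supplied fields in the existing match (`flow.start`, `flow.bytes_toclient`) can stay; they only make that check stricter, and the new filter stands on its own.
```yaml
checks:
# … unchanged: existing alert and flow filters …
- filter:
    count: 1
    match:
      event_type: alert
      alert.signature_id: 100
```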