From: Victor Julien
Date: Mon, 18 Jan 2021 09:48:14 +0000 (+0100)
Subject: tests: add issue 3267 test
X-Git-Tag: suricata-6.0.4~179
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e12a025717f6c2ae33ab19849fabe8a19efd88f;p=thirdparty%2Fsuricata-verify.git

tests: add issue 3267 test
---

diff --git a/tests/issue-3267-tcphdr/tcphdr_http.pcap b/tests/issue-3267-tcphdr/tcphdr_http.pcap
new file mode 100644
index 000000000..0d7f70fbe
Binary files /dev/null and b/tests/issue-3267-tcphdr/tcphdr_http.pcap differ
diff --git a/tests/issue-3267-tcphdr/test.rules b/tests/issue-3267-tcphdr/test.rules
new file mode 100644
index 000000000..51bb0e4a3
--- /dev/null
+++ b/tests/issue-3267-tcphdr/test.rules
@@ -0,0 +1,4 @@
+alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test1 SYN pkt 1"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; tcp.hdr; content:"|80 c2 20 00|"; sid:1; rev:1;)
+alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test2 SYN pkt 2"; tcp.hdr; content:"|00 00 00 00|"; offset:8; depth:4; sid:2; rev:1;)
+alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test3 GET pkt 1"; content:"GET"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; tcp.hdr; content:"|50 18|"; distance:8; within:2; sid:3; rev:1;)
+alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test4 GET pkt 2"; content:"GET"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; sid:4; rev:1;)
diff --git a/tests/issue-3267-tcphdr/test.yaml b/tests/issue-3267-tcphdr/test.yaml
new file mode 100644
index 000000000..430c86e57
--- /dev/null
+++ b/tests/issue-3267-tcphdr/test.yaml
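Review bot: test.rules gives no hint beyond the msg strings of what each signature is meant to exercise, so a reader has to reverse-engineer the buffer transitions from the keyword order; a header comment such as `# issue 3267: tcp.hdr sticky buffer combined with payload content and offset/depth/distance/within` would tie the file to the issue it guards. Sid 1 and sid 3 re-declare `tcp.hdr` before their second content, which appears to be the point of the test (re-entering the sticky buffer after a previous match), and a one-line comment saying so would stop a later cleanup from dropping the seemingly redundant keyword. The hunk holds the whole file, so the comment belongs on its first line.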
@@ -0,0 +1,51 @@
+requires:
+ min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ dest_ip: 10.0.0.199
+ dest_port: 80
+ event_type: alert
+ pcap_cnt: 1
+ proto: TCP
+ src_ip: 10.0.0.111
+ src_port: 2904
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ dest_ip: 10.0.0.199
+ dest_port: 80
+ event_type: alert
+ pcap_cnt: 1
+ proto: TCP
+ src_ip: 10.0.0.111
+ src_port: 2904
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ dest_ip: 10.0.0.199
+ dest_port: 80
+ event_type: alert
+ pcap_cnt: 4
+ proto: TCP
+ src_ip: 10.0.0.111
+ src_port: 2904
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ dest_ip: 10.0.0.199
+ dest_port: 80
+ event_type: alert
+ pcap_cnt: 4
+ proto: TCP
+ src_ip: 10.0.0.111
+ src_port: 2904
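Review bot: Each of the four filters pins its sid to a single pcap_cnt with `count: 1`, but nothing bounds the total number of alerts, so a sid that also fires on another packet of the capture (it has at least four) would pass unnoticed because the filter is scoped to its own pcap_cnt. Adding one filter on `event_type: alert` alone with `count: 4` makes the test fail on extra alerts as well as missing ones, which is the kind of regression a buffer-handling issue like this is likely to produce. The fence below shows the extra check appended after the per-sid filters; the existing entries are unchanged.
```yaml
# … unchanged: requires, args and the four per-sid filters …
- filter:
    count: 4
    match:
      event_type: alert
```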