From: Ilya Bakhtin Date: Sat, 1 Aug 2020 17:26:41 +0000 (+0200) Subject: stream/tcp: Test verifies the behavior when direction of TCP flow is changed by the... X-Git-Tag: suricata-6.0.4~121 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24e49fa5c9c10fb5bed3f921c5766e68a4a83bbf;p=thirdparty%2Fsuricata-verify.git stream/tcp: Test verifies the behavior when direction of TCP flow is changed by the probing parser pcap file contains 2 http transactions. The request is missing for the first one. The second transaction is fully complete. So eve.json must contain one and only anomaly event. Also common flow details are verified. It must be http, to port 80 with specified number of bytes_toclient and bytes_toserver --- diff --git a/tests/tcp-stream-after-swap/README.md b/tests/tcp-stream-after-swap/README.md new file mode 100644 index 000000000..40f0e6120 --- /dev/null +++ b/tests/tcp-stream-after-swap/README.md @@ -0,0 +1,13 @@ +# Description + +Test verifies the behavior when direction of TCP flow is changed by the probing parser. +Probing parser may change the direction of flow processing packet that contains payload. +This payload must be added to the proper direction stream. + +Also common flow details are verified. +It must be http, to port 80 with specified number of bytes_toclient and bytes_toserver + +# PCAP + +pcap file contains 2 http transactions. The request is missing for the first one. +The second transaction is fully complete. So eve.json must contain one and only anomaly event. diff --git a/tests/tcp-stream-after-swap/http-start-from-response.pcap b/tests/tcp-stream-after-swap/http-start-from-response.pcap new file mode 100644 index 000000000..21ecfe715 Binary files /dev/null and b/tests/tcp-stream-after-swap/http-start-from-response.pcap differ diff --git a/tests/tcp-stream-after-swap/test.yaml b/tests/tcp-stream-after-swap/test.yaml new file mode 100644 index 000000000..ae2ec36ba --- /dev/null 
+++ b/tests/tcp-stream-after-swap/test.yaml @@ -0,0 +1,24 @@ +requires: + features: + - HAVE_LIBJANSSON + min-version: 5.0.0 + +# disables checksum verification, and uses midstream +args: +- -k none --set stream.midstream=true + +checks: + - filter: + count: 1 + match: + event_type: anomaly + anomaly.event: "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST" + + - filter: + count: 1 + match: + event_type: flow + app_proto: http + dest_port: 80 + flow.bytes_toserver: 608 + flow.bytes_toclient: 1037
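Review bot: In the README.md hunk, the description never names the pcap file or the anomaly type the test asserts, so a reader has to open test.yaml to learn what "one and only anomaly event" means; state both in the PCAP section, e.g. "http-start-from-response.pcap contains 2 HTTP transactions ... eve.json must contain exactly one anomaly event, of type UNABLE_TO_MATCH_RESPONSE_TO_REQUEST". The prose also needs a grammar pass: "Test verifies the behavior when direction of TCP flow is changed" reads better as "This test verifies the behaviour when the direction of a TCP flow is changed", "Probing parser may change the direction of flow processing packet that contains payload" should say which packet is meant ("while processing a packet that carries payload"), "one and only anomaly event" should be "one and only one anomaly event", and the bytes_toclient/bytes_toserver sentence is missing its full stop.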
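Review bot: In the test.yaml hunk, the first check does not enforce what the README promises ("eve.json must contain one and only anomaly event"): the filter `match: event_type: anomaly` together with `anomaly.event: "UNABLE_TO_MATCH_RESPONSE_TO_REQUEST"` counts only anomalies of that one type, so a regression that emits an additional anomaly of a different type (for example a stream or applayer anomaly from the swapped direction) would still pass. Add a second filter with `match: event_type: anomaly` alone and `count: 1`, keeping the existing typed check so that the specific event is still required. The flow check is sound for this single-flow pcap, but since the intent is to pin the byte counters after the direction swap, consider also matching `proto: TCP` so the count is not satisfied by an unrelated flow record if the pcap is ever extended.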