From: Philippe Antoine <pantoine@oisf.net>
Date: Wed, 14 Aug 2024 14:25:17 +0000 (+0200)
Subject: http2: add test for frames
X-Git-Tag: suricata-7.0.7~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=267fc562481abf11f04df5bd4fcb47bed8b921df;p=thirdparty%2Fsuricata-verify.git

http2: add test for frames

Ticket: 5743
---

diff --git a/tests/http2-frames/README.md b/tests/http2-frames/README.md
new file mode 100644
index 000000000..2e9836c32
--- /dev/null
+++ b/tests/http2-frames/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test HTTP2 frames
+
+https://redmine.openinfosecfoundation.org/issues/5743
+
+# PCAP
+
+The pcap is reused from another test
diff --git a/tests/http2-frames/test.rules b/tests/http2-frames/test.rules
new file mode 100644
index 000000000..47b1f4154
--- /dev/null
+++ b/tests/http2-frames/test.rules
@@ -0,0 +1 @@
+alert http2 any any -> any any (frame:http2.hdr; content:"|00 00 04 08 00|"; flow:to_server; sid:1;)
diff --git a/tests/http2-frames/test.yaml b/tests/http2-frames/test.yaml
new file mode 100644
index 000000000..4e835921c
--- /dev/null
+++ b/tests/http2-frames/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  min-version: 8
+
+# disables checksum verification
+args:
+  - -k none --set stream.midstream=true
+
+pcap:  ../http2-keywords2/input.pcap
+
+checks:
+# checks for http.uri keyword : 1 for HTTP1, 1 for mimicked HTTP2 response, so 2 for whole HTTP
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1