From: Philippe Antoine
Date: Fri, 18 Apr 2025 14:42:57 +0000 (+0200)
Subject: detect: adds transactional rules with filesize
X-Git-Tag: suricata-7.0.11~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2bb8f2c42ed6a82706c2459ceb63b5191a4bdd9d;p=thirdparty%2Fsuricata-verify.git

detect: adds transactional rules with filesize

Ticket: 7665
---
diff --git a/tests/detect-bidir/test.rules b/tests/detect-bidir/test.rules
index 995ad40d9..11fdb4c2a 100644
--- a/tests/detect-bidir/test.rules
+++ b/tests/detect-bidir/test.rules
@@ -8,3 +8,6 @@ alert http any any => any any (msg:"disambiguated toserver"; sid: 12; http.uri;
 alert http any any => any any (msg:"disambiguated toclient, without other toclient"; sid: 13; http.uri; content: "/download"; http.connection: to_client; content: "eep";)
 alert http any any => any any (msg:"disambiguated both sides"; sid: 14; http.connection: to_client; content: "eep"; http.connection: to_server; content: "eep";)
 alert http any any => any any (msg:"toclient, followed by http.uri implicitly toserver"; sid: 15; http.connection: to_client; content: "eep"; http.uri; content: "/download"; )
+
+alert http any any => any any (msg:"matching uri and status and file size"; sid: 16; http.uri; content: "/download"; http.stat_code; content: "200"; filesize: to_client, <100;)
+alert http any any => any any (msg:"matching uri and status and file size"; sid: 17; http.uri; content: "/download"; http.stat_code; content: "200"; filesize: to_client, >100;)
diff --git a/tests/detect-bidir/test.yaml b/tests/detect-bidir/test.yaml
index 5a56f45ec..6787859c5 100644
--- a/tests/detect-bidir/test.yaml
+++ b/tests/detect-bidir/test.yaml
@@ -54,3 +54,13 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 15
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 16
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 17
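Review bot: Rules sid 16 and sid 17 carry the identical msg "matching uri and status and file size", so their alerts can only be told apart by signature_id in the eve output, whereas sids 12 to 15 each name the case under test. I would put the bound in the msg, for example `msg:"uri, status and filesize to_client <100"` on sid 16 and `msg:"uri, status and filesize to_client >100"` on sid 17. Note also that a response body of exactly 100 bytes matches neither rule, which is harmless here but worth keeping in mind if the pcap is ever replaced.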
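Review bot: The expected counts for sid 16 (0) and sid 17 (1) depend on the size of the response body in the test pcap, and nothing in the checks records that size. A comment above the two new filters such as `# file returned for /download is larger than 100 bytes: sid 16 (<100) stays silent, sid 17 (>100) fires once` would make the intent clear; the size is inferred from the counts, so confirm it against the pcap. The top of test.yaml is outside the hunk: if it has a `requires` section whose min-version predates the directional `filesize` support, it should be raised so older builds skip the test instead of failing on rule load.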