From: Philippe Antoine
Date: Tue, 15 Oct 2024 12:41:16 +0000 (+0200)
Subject: prefilter/multibuf: test with multiple packets
X-Git-Tag: suricata-7.0.8~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3beefd391d769b6a45eae11f0d2d42ca04a55ffb;p=thirdparty%2Fsuricata-verify.git

prefilter/multibuf: test with multiple packets

Ticket: 7326
---

diff --git a/tests/prefilter-multibuf-multipkts/README.md b/tests/prefilter-multibuf-multipkts/README.md
new file mode 100644
index 000000000..bfc4b75fe
--- /dev/null
+++ b/tests/prefilter-multibuf-multipkts/README.md
@@ -0,0 +1,12 @@
+Test
+====
+
+Test that multibuffer is prefiltered the right way, even if occurences of buffers
+are spanned over multiple packets, and the first try does not match.
+
+https://redmine.openinfosecfoundation.org/issues/7326
+
+PCAP
+====
+
+Pcap crafted with some http server and some python client that delays or not the writing of the headers
diff --git a/tests/prefilter-multibuf-multipkts/input.pcap b/tests/prefilter-multibuf-multipkts/input.pcap
new file mode 100644
index 000000000..e8a2a0779
Binary files /dev/null and b/tests/prefilter-multibuf-multipkts/input.pcap differ
diff --git a/tests/prefilter-multibuf-multipkts/test.rules b/tests/prefilter-multibuf-multipkts/test.rules
new file mode 100644
index 000000000..b90332301
--- /dev/null
+++ b/tests/prefilter-multibuf-multipkts/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any ( sid: 2; http.stat_code; content: "200"; fast_pattern; http.response_header; content: "first";)
+alert http any any -> any any ( sid: 3; http.stat_code; content: "200"; http.response_header; content: "first"; fast_pattern;)
diff --git a/tests/prefilter-multibuf-multipkts/test.yaml b/tests/prefilter-multibuf-multipkts/test.yaml
new file mode 100644
index 000000000..78bc76ffa
--- /dev/null
+++ b/tests/prefilter-multibuf-multipkts/test.yaml
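Review bot: Neither rule in test.rules carries a `msg`, so the only thing that tells sid 2 and sid 3 apart in the alert output is the signature_id, even though the two rules are identical except for which content carries `fast_pattern`. A message naming that choice makes the intent of the test readable from eve.json alone, e.g. `msg:"fast_pattern on http.stat_code";` for sid 2 and `msg:"fast_pattern on http.response_header";` for sid 3. A leading comment line `# https://redmine.openinfosecfoundation.org/issues/7326` would also tie the rule file to the ticket the README cites, for readers who open the rules first.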
@@ -0,0 +1,17 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
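Review bot: `min-version: 8` in the `requires` block gates this test to Suricata 8, while the X-Git-Tag header places the commit on the line that became suricata-7.0.8; if the ticket 7326 fix is also carried on 7.0.x, the test is skipped there and that backport goes unverified, so either the requirement should be lowered to the first 7.0.x release carrying the fix or the README should state that the test is 8-only. The two checks assert only `count: 1` per sid, and the README says the client delays the headers or not; if the pcap holds both a delayed and a non-delayed response, adding a field that pins the alert to the delayed transaction (for example `tx_id` or `pcap_cnt` inside each `match`) would make the check prove the multi-packet case rather than be satisfied by a match on the easy response. The indentation of the YAML lines appears flattened in this rendering, so the nesting under `filter:` should be verified in the actual file.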