From: Philippe Antoine
Date: Tue, 15 Oct 2019 14:33:59 +0000 (+0200)
Subject: Adds test for http async parsing
X-Git-Tag: suricata-6.0.4~333
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=499527c82868bbc172d6fec988124ab71a960488;p=thirdparty%2Fsuricata-verify.git
Adds test for http async parsing
---
diff --git a/tests/http-async-cli/README.md b/tests/http-async-cli/README.md
new file mode 100644
index 000000000..695786997
--- /dev/null
+++ b/tests/http-async-cli/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test http async parsing
+
+This test case contains direction client to server
+
+# PCAP
+
+The pcap comes from test http-async with filter `tcp.dstport == 8080`
diff --git a/tests/http-async-cli/input.pcap b/tests/http-async-cli/input.pcap
new file mode 100644
index 000000000..bbc365cc5
Binary files /dev/null and b/tests/http-async-cli/input.pcap differ
diff --git a/tests/http-async-cli/test.yaml b/tests/http-async-cli/test.yaml
new file mode 100644
index 000000000..0090c6b35
--- /dev/null
+++ b/tests/http-async-cli/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+# disables checksum verification
+args:
+ - -k none
+ - --set stream.async-oneside=true
+
+checks:
+
+ # Check that there is one file event with content range.
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/1"
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/2"
diff --git a/tests/http-async-srv/README.md b/tests/http-async-srv/README.md
new file mode 100644
index 000000000..e06b28c0d
--- /dev/null
+++ b/tests/http-async-srv/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test http async parsing
+
+This test case contains direction server to client
+
+# PCAP
+
+The pcap comes from test http-async with filter `tcp.srcport == 8080`
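Review bot: The comment `# Check that there is one file event with content range.` above the first filter in tests/http-async-cli/test.yaml does not describe the checks under it, which match `event_type: http` records by `http.url`. It reads as carried over from another test, and the same line appears in tests/http-async-srv/test.yaml and tests/http-async/test.yaml. Something like `# Both requests must be logged although only the client side of the flow is captured.` would state what is asserted here. The `# disables checksum verification` comment sits above `args:` but only covers `-k none`; `--set stream.async-oneside=true` is the option this test depends on and deserves its own line, e.g. `# one-sided flow: the pcap holds only client-to-server packets`.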
diff --git a/tests/http-async-srv/input.pcap b/tests/http-async-srv/input.pcap
new file mode 100644
index 000000000..cf105f4aa
Binary files /dev/null and b/tests/http-async-srv/input.pcap differ
diff --git a/tests/http-async-srv/test.rules b/tests/http-async-srv/test.rules
new file mode 100644
index 000000000..604a118a4
--- /dev/null
+++ b/tests/http-async-srv/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"World"; file_data; content:"World"; sid:1;)
+alert http any any -> any any (msg:"People"; file_data; content:"People"; sid:2;)
diff --git a/tests/http-async-srv/test.yaml b/tests/http-async-srv/test.yaml
new file mode 100644
index 000000000..cd135ff6c
--- /dev/null
+++ b/tests/http-async-srv/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+# disables checksum verification
+args:
+ - -k none
+ - --set stream.async-oneside=true
+
+checks:
+
+ # Check that there is one file event with content range.
+ - filter:
+ count: 2
+ match:
+ event_type: http
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/http-async/README.md b/tests/http-async/README.md
new file mode 100644
index 000000000..9c06878a2
--- /dev/null
+++ b/tests/http-async/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test http async parsing
+
+This test case contains both directions
+
+# PCAP
+
+The pcap comes from running
+`python test/htptopcap.py async.txt`
+With the attached async.txt
diff --git a/tests/http-async/async.txt b/tests/http-async/async.txt
new file mode 100644
index 000000000..007beea9d
--- /dev/null
+++ b/tests/http-async/async.txt
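Review bot: The alert filters in tests/http-async-srv/test.yaml only count one alert per `alert.signature_id`, so the test would still pass if both `file_data` matches were attributed to the same response. With only the server side of the flow present, that kind of mis-association is plausibly what a regression would look like. Pinning each alert to its transaction would close the gap, for example `tx_id: 0` under the sid 1 match and `tx_id: 1` under the sid 2 match. This assumes the eve alert record carries `tx_id` at the minimum version required here and that numbering starts at 0, both of which should be confirmed against real output. The alert filters in tests/http-async/test.yaml have the same gap.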
@@ -0,0 +1,28 @@
+>>>
+GET /1 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Date: Mon, 31 Aug 2009 20:25:50 GMT
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+Hello World!
+
+>>>
+GET /2 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+Hello People
\ No newline at end of file
diff --git a/tests/http-async/input.pcap b/tests/http-async/input.pcap
new file mode 100644
index 000000000..ecc6da087
Binary files /dev/null and b/tests/http-async/input.pcap differ
diff --git a/tests/http-async/test.rules b/tests/http-async/test.rules
new file mode 100644
index 000000000..604a118a4
--- /dev/null
+++ b/tests/http-async/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"World"; file_data; content:"World"; sid:1;)
+alert http any any -> any any (msg:"People"; file_data; content:"People"; sid:2;)
diff --git a/tests/http-async/test.yaml b/tests/http-async/test.yaml
new file mode 100644
index 000000000..00b660239
--- /dev/null
+++ b/tests/http-async/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+
+ # Check that there is one file event with content range.
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/1"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/2"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2