From: Victor Julien
Date: Wed, 24 Mar 2021 20:43:27 +0000 (+0100)
Subject: tests: add issue 3703 test
X-Git-Tag: suricata-6.0.4~64
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fd24adf3cbf100a55f421d91befd2f9061f4074;p=thirdparty%2Fsuricata-verify.git

tests: add issue 3703 test
---
diff --git a/tests/issue-3703/bug3703.rules b/tests/issue-3703/bug3703.rules
new file mode 100644
index 000000000..f123faf2b
--- /dev/null
+++ b/tests/issue-3703/bug3703.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "FILEMAGIC PDF document"; filemagic:"PDF document"; filestore:both,file; noalert; sid:1100008; rev:1;)
diff --git a/tests/issue-3703/input.pcap b/tests/issue-3703/input.pcap
new file mode 100644
index 000000000..36365a0fa
Binary files /dev/null and b/tests/issue-3703/input.pcap differ
diff --git a/tests/issue-3703/suricata.yaml b/tests/issue-3703/suricata.yaml
new file mode 100644
index 000000000..84ccc3664
--- /dev/null
+++ b/tests/issue-3703/suricata.yaml
@@ -0,0 +1,101 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - file-store:
+ version: 2
+ enabled: yes
+ #force-filestore: yes
+ stream-depth: 100000
+
+app-layer:
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 100kb
+ response-body-limit: 100kb
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 40kb
+ response-body-inspect-window: 16kb
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ # Decompress SWF files.
+ # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
+ # compress-depth:
+ # Specifies the maximum amount of data to decompress,
+ # set 0 for unlimited.
+ # decompress-depth:
+ # Specifies the maximum amount of decompressed data to obtain,
+ # set 0 for unlimited.
+ swf-decompression:
+ enabled: yes
+ type: both
+ compress-depth: 100kb
+ decompress-depth: 100kb
+
+ # Use a random value for inspection sizes around the specified value.
+ # This lowers the risk of some evasion techniques but could lead
+ # to detection change between runs. It is set to 'yes' by default.
+ #randomize-inspection-sizes: yes
+ # If "randomize-inspection-sizes" is active, the value of various
+ # inspection size will be chosen from the [1 - range%, 1 + range%]
+ # range
+ # Default value of "randomize-inspection-range" is 10.
+ #randomize-inspection-range: 10
+
+ # decoding
+ double-decode-path: no
+ double-decode-query: no
+
+ # Can enable LZMA decompression
+ #lzma-enabled: false
+ # Memory limit usage for LZMA decompression dictionary
+ # Data is decompressed until dictionary reaches this size
+ #lzma-memlimit: 1mb
+ # Maximum decompressed size with a compression ratio
+ # above 2048 (only LZMA can reach this ratio, deflate cannot)
+ #compression-bomb-limit: 1mb
+ # Maximum time spent decompressing a single transaction in usec
+ #decompression-time-limit: 100000
+
+ server-config:
+
+ #- apache:
+ # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+ # personality: Apache_2
+ # # Can be specified in kb, mb, gb. Just a number indicates
+ # # it's in bytes.
+ # request-body-limit: 4096
+ # response-body-limit: 4096
+ # double-decode-path: no
+ # double-decode-query: no
+
+ #- iis7:
+ # address:
+ # - 192.168.0.0/24
+ # - 192.168.10.0/24
+ # personality: IIS_7_0
+ # # Can be specified in kb, mb, gb. Just a number indicates
+ # # it's in bytes.
+ # request-body-limit: 4096
+ # response-body-limit: 4096
+ # double-decode-path: no
+ # double-decode-query: no
diff --git a/tests/issue-3703/test.yaml b/tests/issue-3703/test.yaml
new file mode 100644
index 000000000..f4b7731e3
--- /dev/null
+++ b/tests/issue-3703/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+ features:
+ - HAVE_NSS
+ - MAGIC
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.gaps: false
+ fileinfo.state: "CLOSED"
+ fileinfo.sha256: "02f43016d07812f881dc1ccee724f95682016ff00c7ee6b2c856d4d693ce3fa5"
+ fileinfo.stored: true
+ fileinfo.file_id: 1
+ fileinfo.size: 9952
+ fileinfo.tx_id: 0
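Review bot: The file-store `stream-depth: 100000` in the new suricata.yaml is a bare byte count while every other limit in the same file carries a unit (`request-body-limit: 100kb`, `response-body-limit: 100kb`), and 100000 bytes is 2400 bytes short of 100kb, so it is unclear whether the file-store depth is meant to match the HTTP body limits or sit just below them. If it should match, write `stream-depth: 100kb`; if the smaller value is deliberate for reproducing issue 3703, keep it and put `# bytes on purpose: file-store depth kept just below the 100kb http body limits` above it so the mismatch is not "corrected" later. The file asserted in test.yaml is 9952 bytes, well under either value, so nothing in the test itself pins which interpretation was intended.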
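Review bot: The `requires.features` list in test.yaml gates the whole test on `HAVE_NSS`, yet the checks only need the sha256 of the stored file, which recent file-store v2 builds appear to compute without NSS; on a build without NSS the test is skipped rather than failed, so a regression of issue 3703 would go unnoticed. Unless the build this test targets still needs NSS for file hashing (worth confirming), drop `- HAVE_NSS` and keep only `- MAGIC`, which the `filemagic` keyword in bug3703.rules does require. Separately, `min-version: 7` means the test never runs on the 6.0.x line this commit is tagged into (`suricata-6.0.4~64`); if the fix for 3703 is also carried there, lower the floor to match.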