From: Modupe Falodun
Date: Thu, 27 Jan 2022 09:49:34 +0000 (+0100)
Subject: http-response-line: add unittests
X-Git-Tag: suricata-6.0.5~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5bc918baa2994fcb4da4425caff9259e0eb32d7e;p=thirdparty%2Fsuricata-verify.git
http-response-line: add unittests
Task: 4911
---
diff --git a/tests/http-response-line/README.md b/tests/http-response-line/README.md
new file mode 100644
index 000000000..918617484
--- /dev/null
+++ b/tests/http-response-line/README.md
@@ -0,0 +1 @@
+Test that the http_response_line content matches against a http request which holds the content.
diff --git a/tests/http-response-line/input.pcap b/tests/http-response-line/input.pcap
new file mode 100644
index 000000000..0d2536f90
Binary files /dev/null and b/tests/http-response-line/input.pcap differ
diff --git a/tests/http-response-line/test.rules b/tests/http-response-line/test.rules
new file mode 100644
index 000000000..6091704f1
--- /dev/null
+++ b/tests/http-response-line/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (http_response_line; content:"HTTP/1.0 200 OK"; sid:1;)
+alert tcp any any -> any any (http_response_line; content:"200 OK"; sid:2;)
diff --git a/tests/http-response-line/test.yaml b/tests/http-response-line/test.yaml
new file mode 100644
index 000000000..031ff010a
--- /dev/null
+++ b/tests/http-response-line/test.yaml
@@ -0,0 +1,22 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/http-response-line/writepcap.py b/tests/http-response-line/writepcap.py
new file mode 100644
index 000000000..a2beec899
--- /dev/null
+++ b/tests/http-response-line/writepcap.py
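Review bot: sid 2 uses `alert tcp` with the `http_response_line` sticky buffer while sid 1 uses `alert http`, and nothing in the file says why the two forms differ; it reads like an inconsistency rather than the deliberate pairing it presumably is (a tcp rule carrying HTTP keywords relying on Suricata's implicit promotion to the http app-layer). A leading comment such as `# sid 1: http rule; sid 2: same buffer from a tcp rule, relies on implicit alproto http` would make the intent explicit. Neither rule carries a `msg:`, which makes the eve output harder to read when one of the checks fails.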
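Review bot: The `--set stream.midstream=true` argument has no comment explaining why it is required; the generator added in this commit (writepcap.py) emits only two PSH/ACK packets with no handshake, so without midstream the stream would presumably not be tracked and neither alert would fire. A comment line above it, `# pcap has no TCP handshake (PSH/ACK data only); midstream is needed to inspect it`, would keep the next maintainer from dropping the flag as unnecessary.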
@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path='/index.html', Http_Version='HTTP/1.0', User_Agent='This is dummy message body', Host='www.openinfosecfoundation.org', Content_Type='text/html')
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='5.6.7.8', src='1.2.3.4')/TCP(sport=63, dport=6666, flags='P''A')/HTTP()/HTTPResponse(Http_Version='HTTP/1.0', Status_Code='200', Reason_Phrase='OK', Content_Type='text/html', Content_Length=7)
+
+wrpcap('input.pcap', pkts)
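Review bot: Both packets stack an `IPv6(...)` layer on IPv4 dotted-quad literals (`IPv6(dst='1.2.3.4', src='5.6.7.8')` and the mirrored line in the response), so the generator does not describe a consistent packet and may not reproduce the committed input.pcap; if the capture is IPv4 those two lines should read `IP(dst='1.2.3.4', src='5.6.7.8')` and `IP(dst='5.6.7.8', src='1.2.3.4')`, otherwise they need real IPv6 literals. The `flags='P''A'` adjacent-literal concatenation is just `flags='PA'`. The response advertises `Content_Length=7` but no body is appended, so the HTTP transaction presumably never completes; either drop the header or add a comment stating that only the response line is exercised. A one-line module comment, `# Generates input.pcap: one request and one response, PSH/ACK only, no handshake (test.yaml enables stream.midstream)`, would document the intent of the script.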