From: Shivani Bhardwaj Date: Fri, 20 Jan 2023 07:48:43 +0000 (+0530) Subject: tcp: add test for bug 5379 X-Git-Tag: suricata-6.0.10~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f980473fa0cfcca7d4f49d0257e2bbcbe9d9030;p=thirdparty%2Fsuricata-verify.git tcp: add test for bug 5379 --- diff --git a/tests/tcp-5379/README.md b/tests/tcp-5379/README.md new file mode 100644 index 000000000..c51e3f471 --- /dev/null +++ b/tests/tcp-5379/README.md @@ -0,0 +1,8 @@ +Description +=========== +Illustration that if there are trailing bytes in a TCP packet, unlike UDP, TCP parses the +correct data and alerts on it too. + +PCAP +==== +Created with Scapy. diff --git a/tests/tcp-5379/input.pcap b/tests/tcp-5379/input.pcap new file mode 100644 index 000000000..5508813ff Binary files /dev/null and b/tests/tcp-5379/input.pcap differ diff --git a/tests/tcp-5379/test.rules b/tests/tcp-5379/test.rules new file mode 100644 index 000000000..2d487261f --- /dev/null +++ b/tests/tcp-5379/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (msg:"Ends with AAA"; content:"AAA"; endswith; sid:1; rev:1;) +alert tcp any any -> any any (msg:"Ends with DDD"; content:"DDD"; endswith; sid:2; rev:1;) diff --git a/tests/tcp-5379/test.yaml b/tests/tcp-5379/test.yaml new file mode 100644 index 000000000..7c3296df4 --- /dev/null +++ b/tests/tcp-5379/test.yaml @@ -0,0 +1,13 @@ +args: +- -k none + +checks: +- filter: + count: 1 + match: + alert.signature_id: 1 + +- filter: + count: 0 + match: + alert.signature_id: 2
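Review bot: The README hunk (tests/tcp-5379/README.md) should describe what the crafted packet actually contains, since the expected results in test.yaml depend on it: state which bytes form the real TCP segment payload and which are the trailing bytes beyond it, so a reader can see why "Ends with AAA" (sid 1) is expected to match once and "Ends with DDD" (sid 2) not at all. The sentence "unlike UDP, TCP parses the correct data and alerts on it too" is also ambiguous about what UDP does in the same situation; either point to the UDP counterpart test or drop the comparison. Since the pcap is a binary file built with Scapy, including the Scapy snippet in the README (or a link to bug 5379) would make the input reproducible if the test ever needs regenerating.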
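Review bot: In the test.yaml hunk, the `-k none` argument disables checksum verification, but nothing explains why this pcap needs it; a short note (here or in the README) on whether the crafted packet carries an invalid checksum would help, because otherwise the test can silently pass or fail for checksum reasons rather than for the trailing-bytes behaviour it is meant to cover. The second check only asserts that sid 2 never fires; adding a third filter that counts total alert events, e.g. `- filter:` / `count: 1` / `match: event_type: alert`, would also catch any unexpected extra alert from sid 1 on the trailing bytes. If the expected behaviour depends on the fix for bug 5379, a `requires:` block with the minimum Suricata version would keep the test from failing on builds that predate it.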