From: Maurizio Abba
Date: Fri, 15 Feb 2019 20:19:20 +0000 (+0000)
Subject: eve/http: add request/response headers test
X-Git-Tag: suricata-6.0.4~336
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=60c0edb086177f6ae74225e5b3a08cd2ddff789c;p=thirdparty%2Fsuricata-verify.git
eve/http: add request/response headers test
---
diff --git a/tests/http-all-headers/README.md b/tests/http-all-headers/README.md
new file mode 100644
index 000000000..fc88fc338
--- /dev/null
+++ b/tests/http-all-headers/README.md
@@ -0,0 +1,15 @@
+# HTTP dump headers
+
+This test verifies that the flag outputs.eve-log.types.http.dump-all-headers set
+to "both" will make suricata dump all headers per HTTP transaction, for both
+requests and response.
+
+To simplify the test, the check will verify the length of the headers in the json
+object and the header name and value of one request header and one response
+header.
+
+The pcap file is downloaded from
+
+```
+https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=http.cap
+```
diff --git a/tests/http-all-headers/check.sh b/tests/http-all-headers/check.sh
new file mode 100755
index 000000000..2d7b37bb3
--- /dev/null
+++ b/tests/http-all-headers/check.sh
@@ -0,0 +1,21 @@
+#! /bin/sh
+
+. ${TOPDIR}/util/functions.sh
+
+# 9 request headers (2 rows per header + start and end of list).
+n=$(jq '.http.request_headers | length' eve.json)
+assert_eq 9 "$n"
+
+# Simplified test: check 1 request header
+# Arbitrary decision to check "Host": "www.ethereal.com"
+n=$(jq ".http.request_headers[] | select(.name | contains(\"Host\")) | select(.value | contains(\"www.ethereal.com\"))" eve.json)
+test -n "$n"
+
+# 9 request headers (2 rows per header).
+n=$(jq '.http.response_headers | length ' eve.json)
+assert_eq 9 "$n"
+
+# Simplified test: check 1 response header
+# Arbitrary decision to check "Content-Length": "18070"
+n=$(jq ".http.response_headers[] | select(.name | contains(\"Content-Length\")) | select(.value | contains(\"18070\"))" eve.json)
+test -n "$n"
diff --git a/tests/http-all-headers/input.pcap b/tests/http-all-headers/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/http-all-headers/input.pcap differ
diff --git a/tests/http-all-headers/suricata.yaml b/tests/http-all-headers/suricata.yaml
new file mode 100644
index 000000000..1987f0434
--- /dev/null
+++ b/tests/http-all-headers/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - http:
+ dump-all-headers: both
diff --git a/tests/http-all-headers/test.yaml b/tests/http-all-headers/test.yaml
new file mode 100644
index 000000000..10c069eb3
--- /dev/null
+++ b/tests/http-all-headers/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ min-version: 5.0.0
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: http
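Review bot: The `test -n "$n"` for the Host header (line 12 of check.sh) cannot fail the test on its own: the script runs under plain `#! /bin/sh` with no `set -e`, so a non-zero status from that line is discarded and only the final `test -n "$n"` on line 21 decides the exit code (whether `assert_eq` from util/functions.sh exits on mismatch is not visible here, so lines 7 and 16 may have the same weakness). Either add `set -e` directly after the shebang or write each check as `test -n "$n" || exit 1`, and quote the sourced path as `. "${TOPDIR}/util/functions.sh"` so a TOPDIR containing whitespace is not word-split. The comment on line 14 is a copy of line 5 and should read `# 9 response headers.`; the "(2 rows per header + start and end of list)" remark on line 5 does not describe what `jq ... | length` returns (the number of header objects in the array) and is best dropped. Note also that `contains("Host")` is a substring match, so `select(.name == "Host")` would pin the intended header exactly.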