From: Philippe Antoine
Date: Fri, 17 May 2019 11:56:06 +0000 (+0200)
Subject: Adds test case four uri double encoding
X-Git-Tag: suricata-6.0.4~432
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b8e07508002c48a3f466da470acda39ce9ba5a6;p=thirdparty%2Fsuricata-verify.git

Adds test case four uri double encoding
---
diff --git a/tests/http-double-encoded-uri/README.md b/tests/http-double-encoded-uri/README.md
new file mode 100644
index 000000000..da3aedb8b
--- /dev/null
+++ b/tests/http-double-encoded-uri/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test http double encoded uri alert
+
+# PCAP
+
+The pcap comes from running
+`curl http://oisf.net/evil%2527sqli`
diff --git a/tests/http-double-encoded-uri/input.pcap b/tests/http-double-encoded-uri/input.pcap
new file mode 100644
index 000000000..171cfc524
Binary files /dev/null and b/tests/http-double-encoded-uri/input.pcap differ
diff --git a/tests/http-double-encoded-uri/suricata.yaml b/tests/http-double-encoded-uri/suricata.yaml
new file mode 100644
index 000000000..506074005
--- /dev/null
+++ b/tests/http-double-encoded-uri/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+app-layer:
+ protocols:
+ http:
+ libhtp:
+ default-config:
+ double-decode-path: yes
+ double-decode-query: yes
diff --git a/tests/http-double-encoded-uri/test.rules b/tests/http-double-encoded-uri/test.rules
new file mode 100644
index 000000000..4effef85b
--- /dev/null
+++ b/tests/http-double-encoded-uri/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"SURICATA HTTP Request double encoded URI"; flow:established,to_server; app-layer-event:http.double_encoded_uri; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:1; rev:1;)
diff --git a/tests/http-double-encoded-uri/test.yaml b/tests/http-double-encoded-uri/test.yaml
new file mode 100644
index 000000000..2fadf930d
--- /dev/null
+++ b/tests/http-double-encoded-uri/test.yaml
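Review bot: The suricata.yaml hunk bases the test on `include: ../../etc/suricata-4.0.3.yaml` while the test.yaml hunk declares `min-version: 5.0.0`; if that template carries 4.0.3-specific settings the two should agree, and otherwise a one-line comment on the include saying the 4.0.3 template is the intended base for 5.x runs would spare the next reader the question. The two `double-decode-path: yes` / `double-decode-query: yes` lines are presumably what lets libhtp raise `http.double_encoded_uri` for the `%2527` request in the pcap, and a default config presumably leaves them off, so they deserve a comment such as `# both double-decode options must be on for http.double_encoded_uri to fire on this pcap`. The nesting indentation of these keys is not visible in this rendering, so it is not checked here.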
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
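Review bot: The single check only asserts that one alert with `alert.signature_id: 1` was logged; it does not tie that alert to the double-encoded request, so sid 1 firing on any other transaction in the pcap would pass the same way. Adding the request fields to the same match, e.g. `http.hostname: oisf.net` and `http.url: /evil%2527sqli` (confirm the exact url form against the eve output, since it is presumably logged from the raw request line), would pin the alert to the curl request described in the README. The `# disables checksum verification` comment on the args block is useful; a similar one-liner on `HAVE_LIBJANSSON` noting it is presumably required for the eve-json output the checks read would help too.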