From: Juliana Fajardini
Date: Fri, 27 Sep 2024 20:55:50 +0000 (-0300)
Subject: tests: add test for bug-7199
X-Git-Tag: suricata-7.0.8~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b812987c483e05970bada85689d7188ec995717;p=thirdparty%2Fsuricata-verify.git

tests: add test for bug-7199

More of a change in behavior than a bug, but important to be documented

Related to Bug https://redmine.openinfosecfoundation.org/issues/7199
---
diff --git a/tests/bug-7199/README.md b/tests/bug-7199/README.md
new file mode 100644
index 000000000..b8ac42937
--- /dev/null
+++ b/tests/bug-7199/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Showcase change of behavior from Suricata-7.0.5 to Suricata-7.0.6.
+Before, a non-stream rule that matched traffic associated with an app-layer
+transaction would result in app-layer metadata being logged with the alert, if
+metadata was enabled. Starting with 7.0.6, this will only be achieved if the
+rule is an app-layer/stream one.
+
+### Pcap
+
+Packet capture resulting of a curl to suricata.io.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7199
diff --git a/tests/bug-7199/TLPW-curl-http-suricata.pcap b/tests/bug-7199/TLPW-curl-http-suricata.pcap
new file mode 100644
index 000000000..144e4fcaa
Binary files /dev/null and b/tests/bug-7199/TLPW-curl-http-suricata.pcap differ
diff --git a/tests/bug-7199/suricata.yaml b/tests/bug-7199/suricata.yaml
new file mode 100644
index 000000000..0e4699ae2
--- /dev/null
+++ b/tests/bug-7199/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert:
+            enabled: true
+            tagged-packets: true
+            metadata: true
+            http-body: true
+        - http:
+            extended: true
+            tagged-packets: true
+        - tls:
+            extended: true
+
+detect:
+  guess-applayer-tx: yes
\ No newline at end of file
diff --git a/tests/bug-7199/test.rules b/tests/bug-7199/test.rules
new file mode 100644
index 000000000..3df3608a6
--- /dev/null
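Review bot: The `guess-applayer-tx: yes` setting under `detect:` at the end of the hunk is what makes the `min-version: 8` expectation in test.yaml hold (one sid 1 alert carrying an `http` key), but nothing in the config records that dependency, and the key is presumably ignored by the 7.x branch the README is about. A comment above `detect:` such as `# 8.x only: lets the non-app-layer rule (sid 1) be tied to a guessed HTTP tx; see the min-version: 8 check in test.yaml` would keep the two files in step. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while here.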
+++ b/tests/bug-7199/test.rules
@@ -0,0 +1,3 @@
+reject ip any any -> any any (msg: "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; flow: to_server, established; sid: 1;)
+pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:"/api/v2/"; startswith; http.method; content:"GET"; http.host; content:"foo.bar.com"; startswith; endswith; sid: 2;)
+alert http any any -> any any (msg: "Alert by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:!"/api/v2/"; sid: 3;)
diff --git a/tests/bug-7199/test.yaml b/tests/bug-7199/test.yaml
new file mode 100644
index 000000000..510fe6017
--- /dev/null
+++ b/tests/bug-7199/test.yaml
@@ -0,0 +1,33 @@
+requires:
+  features:
+    - LIBNET1.1
+
+args:
+- -k none
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+      has-key: http
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+      has-key: http
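Review bot: The three rules carry no comments tying them to the behavior the README describes, so a reader of test.rules alone cannot tell that sid 1 is the non-app-layer rule whose alerts should stop carrying HTTP metadata from 7.0.6 on, while sid 3 is the app-layer control that keeps it. A `#` comment above each rule, e.g. `# sid 1: ip rule with flow keywords only - its alerts must not carry http metadata on 7.0.6+ (see test.yaml)`, would make the intent self-contained. The long `AntreaNetworkPolicy:...` msg strings look carried over from the reporter's ruleset; keeping them is fine, but a one-line comment noting that origin would explain the otherwise unrelated naming.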
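Review bot: The checks never assert the 7.0.6+ behavior the README is about: there is no filter requiring `count: 0` for sid 1 alerts with `has-key: http` on the 7.x branch, so a regression that brings HTTP metadata back to the ip-rule alerts would pass unnoticed. The `min-version: 8` filter covers only the 8.x side (one guessed tx, driven by `guess-applayer-tx` in suricata.yaml) and needs a version-gated counterpart for older versions; the gating key is left as a placeholder below because I am not certain which upper-bound key the harness accepts alongside `min-version`. The sid 2 `count: 0` check adds little signal as written, since a pass rule does not produce alert events whether or not it matches, and the README's pcap (a curl to suricata.io) is unlikely to match `foo.bar.com` in any case; a comment stating what that filter is meant to guard would help.
```yaml
  # … unchanged: sid 1 count filter and the min-version: 8 filter …
  - filter:
      # VERSION-GATE-PLACEHOLDER: restrict to Suricata < 8 (counterpart of min-version above)
      count: 0
      match:
        event_type: alert
        alert.signature_id: 1
      has-key: http
  # … unchanged: sid 2 and sid 3 filters …
```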