From: Philippe Antoine
Date: Thu, 30 May 2024 12:47:31 +0000 (+0200)
Subject: bypass: adds a test with a UDP flow
X-Git-Tag: suricata-7.0.7~86
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f8c3e4c7075cdfd7a74364b2c28b7bfef8c694b;p=thirdparty%2Fsuricata-verify.git

bypass: adds a test with a UDP flow

Ticket: 7053
---
diff --git a/tests/detect-bypass-udp/README.md b/tests/detect-bypass-udp/README.md
new file mode 100644
index 000000000..82dae7c60
--- /dev/null
+++ b/tests/detect-bypass-udp/README.md
@@ -0,0 +1,5 @@
+Tests the bypass keyword with a UDP flow
+
+Pcap shared from creator of https://forum.suricata.io/t/bypass-does-this-only-work-with-tcp/4660/2
+
+https://redmine.openinfosecfoundation.org/issues/7053
diff --git a/tests/detect-bypass-udp/input.pcap b/tests/detect-bypass-udp/input.pcap
new file mode 100644
index 000000000..1959e627d
Binary files /dev/null and b/tests/detect-bypass-udp/input.pcap differ
diff --git a/tests/detect-bypass-udp/test.rules b/tests/detect-bypass-udp/test.rules
new file mode 100755
index 000000000..9d6abd8c1
--- /dev/null
+++ b/tests/detect-bypass-udp/test.rules
@@ -0,0 +1,2 @@
+#this looks for 0x2e, 20 bytes into the UDP payload
+pass udp 192.168.0.2 4500 -> any any (msg:"Bypass packet 3 and 4";content:"|00 00 00 00|"; offset:0; depth:4; content:"|2e|"; offset:20; depth:1; bypass; sid:1003068;)
diff --git a/tests/detect-bypass-udp/test.yaml b/tests/detect-bypass-udp/test.yaml
new file mode 100644
index 000000000..ffbe5c9dd
--- /dev/null
+++ b/tests/detect-bypass-udp/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.state: bypassed
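Review bot: test.rules is added with mode 100755 while every other new file in this commit is 100644; a rule file is never executed, so the execute bit looks accidental and can be dropped with `git update-index --chmod=-x tests/detect-bypass-udp/test.rules` before merging. The comment above the rule documents only the second content match, leaving the first match `content:"|00 00 00 00|"; offset:0; depth:4;` unexplained; the four zero bytes at the start of a UDP/4500 payload look like the non-ESP marker of UDP-encapsulated IKE, but that should be confirmed against the pcap before stating it. I would extend the comment to something like `# first 4 payload bytes must be zero (non-ESP marker on UDP/4500?), then 0x2e at offset 20; pass+bypass so the rest of the flow skips detection`.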
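Review bot: The single check only proves that some flow record reached `flow.state: bypassed`; it does not tie that flow to the 5-tuple the pass rule is written for, so a bypass triggered by anything else in the pcap would still turn the test green. Adding the rule's identifying fields to the same match block, e.g. `proto: UDP` and `src_port: 4500` (eve flow records carry the common src/dest/proto fields), pins the assertion to the intended flow. Separately, `min-version: 8` means the test is skipped on the 7.0.x line the X-Git-Tag places this commit in, which is presumably intended if the fix for ticket 7053 only landed on master, but a one-line note in README.md saying so would save the next reader from wondering.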