From: Philippe Antoine
Date: Tue, 2 Apr 2019 09:13:36 +0000 (+0200)
Subject: Adds test case for http with missing protocol
X-Git-Tag: suricata-6.0.4~394
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99c6b47a547a84eb0c86f29478a67c43e165d93b;p=thirdparty%2Fsuricata-verify.git

Adds test case for http with missing protocol
And header_names keyword in rules
---
diff --git a/tests/http-missing-protocol/README.md b/tests/http-missing-protocol/README.md
new file mode 100644
index 000000000..d5ba3cd6a
--- /dev/null
+++ b/tests/http-missing-protocol/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test http detection with header_names when protocol field is missing in request
+
+# PCAP
+
+The pcap comes from
+https://redmine.openinfosecfoundation.org/issues/2619
+You can reproduce a similar behavior with running the http server and client with the python scripts client.py and server.py
diff --git a/tests/http-missing-protocol/client.py b/tests/http-missing-protocol/client.py
new file mode 100644
index 000000000..9af058933
--- /dev/null
+++ b/tests/http-missing-protocol/client.py
@@ -0,0 +1,10 @@
+import socket
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect(("127.0.0.1", 8000))
+
+a = sock.send("GET /\r\nHeader1 : Value1\r\nUser-Agent : test\r\n\r\n")
+data = sock.recv(2000)
+print "returned", data
+
+sock.close()
diff --git a/tests/http-missing-protocol/input.pcap b/tests/http-missing-protocol/input.pcap
new file mode 100644
index 000000000..27b7a78f0
Binary files /dev/null and b/tests/http-missing-protocol/input.pcap differ
diff --git a/tests/http-missing-protocol/server.py b/tests/http-missing-protocol/server.py
new file mode 100644
index 000000000..c95738549
--- /dev/null
+++ b/tests/http-missing-protocol/server.py
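Review bot: client.py is Python 2 code — a bare `str` passed to `sock.send` and the statement form `print "returned", data` — while server.py in this same commit imports `http.server`, which only exists on Python 3, so the two scripts the README tells the reader to run together cannot run under one interpreter. Rewriting the client for Python 3 as `sock.sendall(b"GET /\r\nHeader1 : Value1\r\nUser-Agent : test\r\n\r\n")` and `print("returned", data)` fixes that and also replaces `send`, which may transmit only part of the buffer, with `sendall`, so the malformed request line the test depends on is guaranteed to reach the server whole. The `a =` assignment is then unused and can be dropped. The same Python 2/3 mismatch applies to the `#!/usr/bin/env python` shebang of the server.py hunk below.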
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+
+import http.server
+import socketserver
+import logging
+
+PORT = 8000
+
+class GetHandler(http.server.SimpleHTTPRequestHandler):
+
+    def do_GET(self):
+        logging.error(self.headers)
+        self.send_response(200, 'OK')
+        self.send_header('Content-type', 'txt')
+        self.end_headers()
+        self.wfile.write(bytes(self.headers))
+
+
+Handler = GetHandler
+httpd = socketserver.TCPServer(("", PORT), Handler)
+
+httpd.serve_forever()
diff --git a/tests/http-missing-protocol/test.rules b/tests/http-missing-protocol/test.rules
new file mode 100644
index 000000000..710fd82fb
--- /dev/null
+++ b/tests/http-missing-protocol/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"http_header_names testcase 2"; flow:established,to_server; content:"GET"; http_method; http_header_names; content:"User-Agent"; classtype:trojan-activity; sid:10003658; rev:2;)
diff --git a/tests/http-missing-protocol/test.yaml b/tests/http-missing-protocol/test.yaml
new file mode 100644
index 000000000..3e3c92186
--- /dev/null
+++ b/tests/http-missing-protocol/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10003658
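Review bot: The reproduction server binds to every interface with `socketserver.TCPServer(("", PORT), Handler)`, although the companion client only ever connects to 127.0.0.1, and because `GetHandler` subclasses `SimpleHTTPRequestHandler` and overrides only `do_GET`, the inherited `do_HEAD` still resolves request paths against the current working directory; binding with `("127.0.0.1", PORT)` keeps the helper local to the machine running the test without changing what the pcap exercises. `send_header('Content-type', 'txt')` is not a valid media type for the header dump the handler writes back; `'text/plain'` is. `logging.error(self.headers)` uses the error level for routine request logging, so `logging.info` plus a short module docstring stating that received headers are echoed to the log and the response body for inspection would read better. The `Handler = GetHandler` alias adds nothing and the class can be passed directly.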