From: Philippe Antoine Date: Tue, 7 May 2019 14:22:42 +0000 (+0200) Subject: Adds test case for http_header while closing X-Git-Tag: suricata-6.0.4~406 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c5840fedee0b37f48826058a97a11f65b2741be;p=thirdparty%2Fsuricata-verify.git Adds test case for http_header while closing --- diff --git a/tests/http-close-headers/README.md b/tests/http-close-headers/README.md new file mode 100644 index 000000000..b99379a61 --- /dev/null +++ b/tests/http-close-headers/README.md @@ -0,0 +1,7 @@ +# Description + +Test http_header keywors for signature support when connection closes during the headers transmission. + +# PCAP + +The pcap comes from https://redmine.openinfosecfoundation.org/issues/2969 diff --git a/tests/http-close-headers/input.pcap b/tests/http-close-headers/input.pcap new file mode 100644 index 000000000..dabf45b5a Binary files /dev/null and b/tests/http-close-headers/input.pcap differ diff --git a/tests/http-close-headers/test.rules b/tests/http-close-headers/test.rules new file mode 100644 index 000000000..99e2eba4b --- /dev/null +++ b/tests/http-close-headers/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg: "'ng1nx' Server header found"; flow: established, from_server; content: "ng1nx"; nocase; http_header; classtype: attempted-admin; sid: 1; rev: 1; ) diff --git a/tests/http-close-headers/test.yaml b/tests/http-close-headers/test.yaml new file mode 100644 index 000000000..c4f81fbd3 --- /dev/null +++ b/tests/http-close-headers/test.yaml @@ -0,0 +1,14 @@ +requires: + features: + - HAVE_LIBJANSSON + +# disables checksum verification +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1
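Review bot: in tests/http-close-headers/README.md the description line has a typo ("keywors" should be "keyword") and does not say what outcome the test expects. Suggest wording along the lines of "Test that the http_header keyword still matches when the connection closes during the transmission of the headers", so a reader can tell what a pass means without opening the linked Redmine issue 2969.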
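Review bot: in tests/http-close-headers/test.rules the msg claims a "Server header" was found, but `content: "ng1nx"; nocase; http_header;` matches that string anywhere in the header buffer, so the rule would fire on any other response header carrying the same value. Either reword the msg to say the string was seen in the response headers, or constrain the match to the Server header line. Two smaller points: the classtype is not needed for what the test checks and could be dropped, and the trailing `rev: 1; )` has a stray space before the closing parenthesis.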
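Review bot: in tests/http-close-headers/test.yaml the only check counts alert events with `alert.signature_id: 1`, so it passes no matter which transaction or packet produced the alert. Since the case under test is a connection that closes during the headers, consider a second check (for example on the http event of the same flow, or on a further field of the alert) so the test pins the close-time behaviour and not just the existence of one alert. If the expected result depends on a fix that is only present from a given Suricata version on, a min-version entry under `requires` would keep the test from failing on older builds. The comment "# disables checksum verification" would also help more if it said why this pcap needs `-k none`.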