From: Philippe Antoine
Date: Mon, 22 Aug 2022 15:46:20 +0000 (+0200)
Subject: Adds test about event for failed protocol change
X-Git-Tag: suricata-6.0.8~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a68e8684c7a36ca9460f791409bf493ffdf468ee;p=thirdparty%2Fsuricata-verify.git
Adds test about event for failed protocol change
---
diff --git a/tests/protocol-change-failed-event/README.md b/tests/protocol-change-failed-event/README.md
new file mode 100644
index 000000000..14d04f94a
--- /dev/null
+++ b/tests/protocol-change-failed-event/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test app-layer-event:http.failed_protocol_change
+
+# PCAP
+
+The pcap comes from oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45941
+And use of fuzzpcap to get to a real pcap file
diff --git a/tests/protocol-change-failed-event/input.pcap b/tests/protocol-change-failed-event/input.pcap
new file mode 100644
index 000000000..d77187a0a
Binary files /dev/null and b/tests/protocol-change-failed-event/input.pcap differ
diff --git a/tests/protocol-change-failed-event/test.rules b/tests/protocol-change-failed-event/test.rules
new file mode 100644
index 000000000..f0d295b84
--- /dev/null
+++ b/tests/protocol-change-failed-event/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"SURICATA HTTP failed protocol change"; flow:established; app-layer-event:http.failed_protocol_change; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221053; rev:1;)
diff --git a/tests/protocol-change-failed-event/test.yaml b/tests/protocol-change-failed-event/test.yaml
new file mode 100644
index 000000000..c7c33fd22
--- /dev/null
+++ b/tests/protocol-change-failed-event/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2221053
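Review bot: test.rules carries no comment saying where its single rule comes from. Its `msg`, `classtype` and `sid:2221053` look like a copy of a shipped event rule rather than a test-local one, though the patch does not say so. If that is the case, a leading line such as `# copied from the shipped HTTP event rules; keep in sync` would tell maintainers to update both together. `flowint:http.anomaly.count,+,1` is never examined by test.yaml, so it could be dropped from the test copy if exact parity with the shipped rule is not the aim.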
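Review bot: `count: 2` in the `checks` filter of test.yaml is unexplained, and the filter matches only on `event_type` and `alert.signature_id`, so any two alerts from this sid pass regardless of which packets raised them. A comment above it such as `# two alerts expected: one per failed protocol change in input.pcap (confirm)` would record why two is correct; that reason is not visible in the patch, so the wording needs checking against the pcap. Splitting the check into two filters that each also match `pcap_cnt: <packet number>` would catch a regression where the event is raised on a different packet of this fuzzer-derived capture.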