From: Alice Akaki
Date: Thu, 13 Feb 2025 21:04:29 +0000 (-0400)
Subject: detect: transaction cleaned before detection when stream.midstream=true
X-Git-Tag: suricata-7.0.9~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be7d4ecb22556be6a11cbb6a063d5affcc76912d;p=thirdparty%2Fsuricata-verify.git

detect: transaction cleaned before detection when stream.midstream=true

Ticket: #7552
---
diff --git a/tests/bug-7552/bug-7552-01/README.md b/tests/bug-7552/bug-7552-01/README.md
new file mode 100644
index 000000000..5903ce2c5
--- /dev/null
+++ b/tests/bug-7552/bug-7552-01/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Created when a bug was found - Transaction gets cleaned by
+AppLayerParserTransactionsCleanup before detection is run in the to_client
+direction when stream.midstream=true and first packet is to client direction.
+
+https://redmine.openinfosecfoundation.org/issues/7552
+
+# PCAP
+
+PCAP created by selecting packets from ../http-gap-simple/input.pcap
\ No newline at end of file
diff --git a/tests/bug-7552/bug-7552-01/input.pcap b/tests/bug-7552/bug-7552-01/input.pcap
new file mode 100644
index 000000000..9d632dbe5
Binary files /dev/null and b/tests/bug-7552/bug-7552-01/input.pcap differ
diff --git a/tests/bug-7552/bug-7552-01/test.rules b/tests/bug-7552/bug-7552-01/test.rules
new file mode 100644
index 000000000..9e1ece74e
--- /dev/null
+++ b/tests/bug-7552/bug-7552-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP Stat Code Response"; http.stat_code; content:"200"; sid:1;)
\ No newline at end of file
diff --git a/tests/bug-7552/bug-7552-01/test.yaml b/tests/bug-7552/bug-7552-01/test.yaml
new file mode 100644
index 000000000..3ef7235b6
--- /dev/null
+++ b/tests/bug-7552/bug-7552-01/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
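Review bot: `min-version: 8` under `requires:` in bug-7552-01/test.yaml skips this test on every 7.0.x run, yet the commit sits below the suricata-7.0.9 tag; if the fix is backported to 7.0.9 (the tag suggests it, the diff does not state it) the guard hides the regression on the branch where it would matter. Both `http.stat_code` and `stream.midstream` exist in 7, so `min-version: 7` — or the exact backport version once known — would keep the test live there. Independently, the `match:` pins only `alert.signature_id: 1`; adding `http.status: 200` (assuming alert metadata is enabled in the verify config) would tie the alert to the to_client response transaction the bug is about rather than to any sid 1 hit.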
diff --git a/tests/bug-7552/bug-7552-02/README.md b/tests/bug-7552/bug-7552-02/README.md
new file mode 100644
index 000000000..e1f106382
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Created when a bug was found - Transaction gets cleaned by
+AppLayerParserTransactionsCleanup before detection is run in the to_client
+direction when stream.midstream=true and first packet is to client direction.
+
+https://redmine.openinfosecfoundation.org/issues/7552
+
+# PCAP
+
+PCAP from ../../ldap-unsolicited/ldap.pcap
\ No newline at end of file
diff --git a/tests/bug-7552/bug-7552-02/test.rules b/tests/bug-7552/bug-7552-02/test.rules
new file mode 100644
index 000000000..c257317c1
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/test.rules
@@ -0,0 +1,2 @@
+# we want alert tcp instead od alert ldap to test one more edge case
+alert tcp any any -> any any (msg:"Test LDAP response operation"; ldap.responses.operation:extended_response; sid:1;)
\ No newline at end of file
diff --git a/tests/bug-7552/bug-7552-02/test.yaml b/tests/bug-7552/bug-7552-02/test.yaml
new file mode 100644
index 000000000..d949d4967
--- /dev/null
+++ b/tests/bug-7552/bug-7552-02/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none --set stream.midstream=true
+
+pcap: ../../ldap-unsolicited/ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
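Review bot: The comment on the first line of bug-7552-02/test.rules has a typo, `instead od`; it should read `# we want alert tcp instead of alert ldap to test one more edge case`. That comment is the only record of why the rule is `alert tcp` rather than `alert ldap`, so it is worth also naming the edge case — presumably that the rule's app-layer protocol and direction then come solely from the `ldap.responses.operation` keyword rather than from the protocol field — so a later reader does not "fix" it back to `alert ldap` and silently drop the case this test was added for.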