From: Lukas Sismis
Date: Tue, 6 Feb 2024 10:54:03 +0000 (+0100)
Subject: tcp: add a SYN packet test to verify correct flow output
X-Git-Tag: suricata-6.0.17~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0f84a0c454d38258f363f62f0f02b3e2c60c47c;p=thirdparty%2Fsuricata-verify.git
tcp: add a SYN packet test to verify correct flow output
Ticket: #6733
---
diff --git a/tests/bug-6733-syn-packet-flow-output/README.md b/tests/bug-6733-syn-packet-flow-output/README.md
new file mode 100644
index 000000000..3fe763442
--- /dev/null
+++ b/tests/bug-6733-syn-packet-flow-output/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Created when a bug was found - pseudopackets were assigned with ACK flag
+and that falsely turned SYN flows to SYN/ACK flows.
+This only happened when content-matching rules were in the ruleset.
+
+https://redmine.openinfosecfoundation.org/issues/6733
+
+# PCAP
+
+The PCAP files comes from a private capture, free to share.
diff --git a/tests/bug-6733-syn-packet-flow-output/input.pcap b/tests/bug-6733-syn-packet-flow-output/input.pcap
new file mode 100644
index 000000000..544fb7dbc
Binary files /dev/null and b/tests/bug-6733-syn-packet-flow-output/input.pcap differ
diff --git a/tests/bug-6733-syn-packet-flow-output/test.rules b/tests/bug-6733-syn-packet-flow-output/test.rules
new file mode 100644
index 000000000..80eeb3611
--- /dev/null
+++ b/tests/bug-6733-syn-packet-flow-output/test.rules
@@ -0,0 +1 @@
+alert tcp $HOME_NET any -> any any (msg: "example"; flow:established,to_server; content:"GET|20|"; sid:11111; rev:1;)
diff --git a/tests/bug-6733-syn-packet-flow-output/test.yaml b/tests/bug-6733-syn-packet-flow-output/test.yaml
new file mode 100644
index 000000000..bdf46c759
--- /dev/null
+++ b/tests/bug-6733-syn-packet-flow-output/test.yaml
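Review bot: The rule in test.rules carries no comment saying that it is not expected to fire, even though test.yaml asserts `flow.alerted: false` and the README says the bug only surfaced when a content-matching rule was loaded; a reader may otherwise assume the `GET|20|` match is meant to be exercised by the capture. A leading line such as `# Not expected to alert: present only so that a content-matching rule is loaded (see README, ticket #6733)` would make the intent explicit. The `msg: "example"` form with a space after the colon is accepted but unconventional, and the placeholder text says nothing about the test; `msg:"bug-6733 content rule";` would read better, though this is cosmetic.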
@@ -0,0 +1,23 @@
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ dest_ip: "155.166.235.43"
+ dest_port: 25
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 66
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: new
+ proto: TCP
+ src_ip: "147.183.77.73"
+ src_port: 38212
+ tcp.state: syn_sent
+ tcp.syn: true
+ tcp.tcp_flags: "02"
+ tcp.tcp_flags_tc: '00'
+ tcp.tcp_flags_ts: '02'
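Review bot: The single check pins every field of the flow event (`flow.age`, `flow.reason`, the byte and packet counters, both ports) although the regression described in the README is the SYN flow being reported as SYN/ACK, which `tcp.tcp_flags: "02"`, `tcp.state: syn_sent` and `tcp.syn: true` already capture; any unrelated change to flow logging will fail this test and obscure what it guards. Consider trimming the match to those TCP keys plus `event_type`, `flow.alerted: false` and the 5-tuple, or adding a comment above `checks:` naming which keys are the actual regression guard. The quoting is also mixed, `tcp.tcp_flags: "02"` next to `tcp.tcp_flags_tc: '00'` and `tcp.tcp_flags_ts: '02'`; using one style makes it visible that the three hex strings are the same kind of value.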