From: Shivani Bhardwaj Date: Tue, 29 Mar 2022 06:34:45 +0000 (+0530) Subject: datasets: add test for bug 5109 X-Git-Tag: suricata-5.0.10~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf49de8dc95b3a481760f0aee993e06c9697882c;p=thirdparty%2Fsuricata-verify.git datasets: add test for bug 5109 --- diff --git a/tests/datasets-bug-5109/README.md b/tests/datasets-bug-5109/README.md new file mode 100644 index 000000000..8045e407d --- /dev/null +++ b/tests/datasets-bug-5109/README.md @@ -0,0 +1,12 @@ +Description +=========== +A space condition with dataset parsing was not handled which caused rules like +``` +alert http any any -> any any (http.user_agent; dataset:set ,ua-seen,type string,save datasets.csv; sid:1;) +``` +Note the spaces after `dataset:set`. +Corresponding redmine ticket: https://redmine.openinfosecfoundation.org/issues/5019 + +PCAP +==== +PCAP is irrelevant to the test but comes from the test [datasets-01](https://github.com/OISF/suricata-verify/blob/master/tests/datasets-01/input.pcap) diff --git a/tests/datasets-bug-5109/input.pcap b/tests/datasets-bug-5109/input.pcap new file mode 100644 index 000000000..8fb6832de Binary files /dev/null and b/tests/datasets-bug-5109/input.pcap differ diff --git a/tests/datasets-bug-5109/test.rules b/tests/datasets-bug-5109/test.rules new file mode 100644 index 000000000..e79dcaae1 --- /dev/null +++ b/tests/datasets-bug-5109/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (http.user_agent; dataset:set ,ua-seen,type string,save datasets.csv; sid:1;) diff --git a/tests/datasets-bug-5109/test.yaml b/tests/datasets-bug-5109/test.yaml new file mode 100644 index 000000000..dc49ca5b1 --- /dev/null +++ b/tests/datasets-bug-5109/test.yaml 
@@ -0,0 +1,12 @@ +exit-code: 0 + +command: | + ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config" \ + --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR} \ + --set threshold-file="${TEST_DIR}/threshold.config" \ + -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules + +checks: + - shell: + args: grep "dataset action \"\" is not supported" suricata.log | wc -l | xargs + expect: 0
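Review bot: in tests/datasets-bug-5109/README.md the ticket link points to `issues/5019`, while the test directory and the commit subject both say bug 5109. One of the two looks transposed, so please confirm the number and make the link and the test name agree. The description sentence also stops at "which caused rules like" without saying what happened to such rules; naming the failure (test.yaml greps for `dataset action "" is not supported`) would make the README self-contained.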
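Review bot: in tests/datasets-bug-5109/test.yaml the only check is that the string `dataset action "" is not supported` is absent from suricata.log, so the test still passes if the rule is rejected with a different message or the log wording changes later. Consider adding a positive check that the rule in test.rules was actually accepted, for example that sid 1 produced output or that the dataset was saved. The command also passes `--set threshold-file="${TEST_DIR}/threshold.config"`, but this patch adds no threshold.config under tests/datasets-bug-5109/; either add the file or drop the option.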