From: Philippe Antoine Date: Wed, 24 Jan 2024 12:07:11 +0000 (+0100) Subject: http: adds test with HTTP not being 0.9 X-Git-Tag: suricata-6.0.17~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d461a9757c17c24fc9bf361e47eec4ceea60bfc9;p=thirdparty%2Fsuricata-verify.git http: adds test with HTTP not being 0.9 Ticket: 6643 If the request is junk, and the response is valid HTTP/1.1, we should handle the response as HTTP/1.1, not HTTP 0.9 --- diff --git a/tests/http-not09-file/README.md b/tests/http-not09-file/README.md new file mode 100644 index 000000000..6e9151de3 --- /dev/null +++ b/tests/http-not09-file/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test that we parse junk request and HTTP response not as HTTP/0.9 + +## PCAP + +TLPW1 163.44.181.249_80-10.6.29.102_49190-11ff4.pcap + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/6643 diff --git a/tests/http-not09-file/input.pcap b/tests/http-not09-file/input.pcap new file mode 100644 index 000000000..c1e593449 Binary files /dev/null and b/tests/http-not09-file/input.pcap differ diff --git a/tests/http-not09-file/test.rules b/tests/http-not09-file/test.rules new file mode 100644 index 000000000..9311e862c --- /dev/null +++ b/tests/http-not09-file/test.rules @@ -0,0 +1,4 @@ +# should match +alert http any any -> any any (http.response_line; content:"HTTP/1.1 400"; sid:1;) +# should not match as it is the response line, not yet the response body +alert http any any -> any any (file.data; content:"HTTP/1.1 400"; sid:2;) diff --git a/tests/http-not09-file/test.yaml b/tests/http-not09-file/test.yaml new file mode 100644 index 000000000..cea043ec3 --- /dev/null +++ b/tests/http-not09-file/test.yaml @@ -0,0 +1,19 @@ +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.size: 166 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2
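Review bot: the README description in tests/http-not09-file/README.md is hard to read as written ("Test that we parse junk request and HTTP response not as HTTP/0.9"); rephrase it to state the scenario the ticket describes, e.g. "Test that a junk request followed by a valid HTTP/1.1 response is parsed as HTTP/1.1, not as HTTP/0.9". The PCAP section also lists "TLPW1 163.44.181.249_80-10.6.29.102_49190-11ff4.pcap" while the file added by the commit is input.pcap; say explicitly that this is the original capture name the test pcap was taken from, otherwise a reader looks for a file that does not exist in the test directory.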
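Review bot: the comment on sid:2 in test.rules ("should not match as it is the response line, not yet the response body") states what is expected but not why the rule is a useful regression check; add that under HTTP/0.9 handling there is no status line, so the whole response would be treated as body and "HTTP/1.1 400" would land in file.data, which is exactly the misparse the ticket is about. One more line of comment makes the negative check self-explanatory for whoever revisits this test.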
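Review bot: the checks in test.yaml verify the symptom (one fileinfo event of size 166, sid:1 fires, sid:2 does not) but never assert the property the commit message names, namely that the response is handled as HTTP/1.1. Consider adding a filter on the http event that pins the negotiated protocol, e.g. `event_type: http` with `http.protocol: HTTP/1.1` and `count: 1`, so that a future regression back to HTTP/0.9 handling fails on the version itself rather than only indirectly through the file size and alert counts.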