From: Victor Julien
Date: Wed, 21 Sep 2022 07:39:36 +0000 (+0200)
Subject: tests: add http file with gap test
X-Git-Tag: suricata-6.0.8~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d82549ebe093cb78f29e752df91b1f6a6b677f44;p=thirdparty%2Fsuricata-verify.git
tests: add http file with gap test
---
diff --git a/tests/http-pipeline-files-with-gap/README.md b/tests/http-pipeline-files-with-gap/README.md
new file mode 100644
index 000000000..fd8fdffa4
--- /dev/null
+++ b/tests/http-pipeline-files-with-gap/README.md
@@ -0,0 +1 @@
+Pcap from malware traffic analysis
diff --git a/tests/http-pipeline-files-with-gap/input.pcap b/tests/http-pipeline-files-with-gap/input.pcap
new file mode 100644
index 000000000..88131583b
Binary files /dev/null and b/tests/http-pipeline-files-with-gap/input.pcap differ
diff --git a/tests/http-pipeline-files-with-gap/suricata.yaml b/tests/http-pipeline-files-with-gap/suricata.yaml
new file mode 100644
index 000000000..758e0505e
--- /dev/null
+++ b/tests/http-pipeline-files-with-gap/suricata.yaml
@@ -0,0 +1,103 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - stats
+ - file-store:
+ version: 2
+ enabled: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ it's in bytes.
+ request-body-limit: 100kb
+ response-body-limit: 100kb
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 40kb
+ response-body-inspect-window: 16kb
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ # Decompress SWF files.
+ # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
+ # compress-depth:
+ # Specifies the maximum amount of data to decompress,
+ # set 0 for unlimited.
+ # decompress-depth:
+ # Specifies the maximum amount of decompressed data to obtain,
+ # set 0 for unlimited.
+ swf-decompression:
+ enabled: yes
+ type: both
+ compress-depth: 100kb
+ decompress-depth: 100kb
+
+ # Use a random value for inspection sizes around the specified value.
+ # This lowers the risk of some evasion techniques but could lead
+ # to detection change between runs. It is set to 'yes' by default.
+ #randomize-inspection-sizes: yes
+ # If "randomize-inspection-sizes" is active, the value of various
+ # inspection size will be chosen from the [1 - range%, 1 + range%]
+ # range
+ # Default value of "randomize-inspection-range" is 10.
+ #randomize-inspection-range: 10
+
+ # decoding
+ double-decode-path: no
+ double-decode-query: no
+
+ # Can enable LZMA decompression
+ #lzma-enabled: false
+ # Memory limit usage for LZMA decompression dictionary
+ # Data is decompressed until dictionary reaches this size
+ #lzma-memlimit: 1mb
+ # Maximum decompressed size with a compression ratio
+ # above 2048 (only LZMA can reach this ratio, deflate cannot)
+ #compression-bomb-limit: 1mb
+ # Maximum time spent decompressing a single transaction in usec
+ #decompression-time-limit: 100000
+
+ server-config:
+
+ #- apache:
+ # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+ # personality: Apache_2
+ # # Can be specified in kb, mb, gb. Just a number indicates
+ # # it's in bytes.
+ # request-body-limit: 4096
+ # response-body-limit: 4096
+ # double-decode-path: no
+ # double-decode-query: no
+
+ #- iis7:
+ # address:
+ # - 192.168.0.0/24
+ # - 192.168.10.0/24
+ # personality: IIS_7_0
+ # # Can be specified in kb, mb, gb. Just a number indicates
+ # # it's in bytes.
+ # request-body-limit: 4096
+ # response-body-limit: 4096
+ # double-decode-path: no
+ # double-decode-query: no
diff --git a/tests/http-pipeline-files-with-gap/test.yaml b/tests/http-pipeline-files-with-gap/test.yaml
new file mode 100644
index 000000000..98a4d4a0f
--- /dev/null
+++ b/tests/http-pipeline-files-with-gap/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 6
+ features:
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 3
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.gaps: true
+ fileinfo.size: 733
+ fileinfo.state: TRUNCATED
+ fileinfo.sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.file_store.fs_errors: 0
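Review bot: The settings this fixture actually depends on — `force-filestore: yes` and `stream-depth: 0` under `file-store`, plus the `files`/`stats` eve types — carry no comment, while the whole `libhtp` block below them is commented default boilerplate, so a reader cannot tell which knobs the gap test needs and which are noise. I would add a short header above `outputs:` along the lines of `# Test-specific: store every extracted file (force-filestore) with no file-extraction depth cap (stream-depth 0) so the gapped file still produces a fileinfo event`. `stream-depth: 0` presumably lifts the extraction depth limit entirely; that is fine for one pcap but worth marking so the block is not copied into a production config unreviewed. The `%YAML 1.1` directive at the top is what makes the bare `yes`/`no` values booleans, so it should be kept if the file is ever reformatted.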
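Review bot: The second filter pins `fileinfo.sha256` to `e3b0c442…b855`, which is the SHA-256 of zero bytes, for an event whose `fileinfo.size` is 733 and whose state is `TRUNCATED`, and nothing in the test says why a 733-byte file reports the empty-input digest; a later change that hashes the bytes seen before the gap would fail this check with no hint as to whether that is a regression or an improvement. I would put a comment above that filter such as `# SHA-256 of zero bytes: presumably no payload is hashed once a gap is hit, so the logged digest must stay the empty-input value — confirm against the file API`. If the intended on-disk behaviour for a gapped file is known, pinning `fileinfo.stored` in the same filter would make the test also fix whether such a file reaches the filestore under `force-filestore`.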