From: Victor Julien Date: Tue, 11 Nov 2025 12:38:29 +0000 (+0100) Subject: tests: http body keywords parsing tests X-Git-Tag: suricata-7.0.14~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dee1ae07c0a61da9744f46d0db8b7d1043f84d9c;p=thirdparty%2Fsuricata-verify.git tests: http body keywords parsing tests Esp for testing with pcre. Ticket: #7573.
---
diff --git a/tests/rules/http-request-body/test.rules b/tests/rules/http-request-body/test.rules
new file mode 100644
index 000000000..87eb5f1be
--- /dev/null
+++ b/tests/rules/http-request-body/test.rules
@@ -0,0 +1,3 @@
+alert http any any -> any any (http.request_body; content:"one"; sid:1;)
+alert http any any -> any any (http.request_body; pcre:"/one/R"; sid:2;)
+alert http any any -> any any (http.request_body; content:"one"; pcre:"/one/R"; sid:3;)
diff --git a/tests/rules/http-request-body/test.yaml b/tests/rules/http-request-body/test.yaml
new file mode 100644
index 000000000..f4b2c7c34
--- /dev/null
+++ b/tests/rules/http-request-body/test.yaml
@@ -0,0 +1,59 @@
+requires:
+ min-version: 7
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ mpm.buffer: "http_client_body"
+ mpm.pattern: "one"
+ # checks that all engines are toclient
+ engines[0].name: "http_client_body"
+ engines[0].direction: "toserver"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
+ engines[1].name: "http_client_body"
+ engines[1].direction: "toserver"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines.__len: 2
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ # checks that all engines are toserver
+ engines[0].name: "http_client_body"
+ engines[0].direction: "toserver"
+ engines[0].app_proto: "http"
+ engines[0].matches[0].name: "pcre"
+ engines[1].name: "http_client_body"
+ engines[1].direction: "toserver"
+ engines[1].app_proto: "http2"
+ engines[1].matches[0].name: "pcre"
+ engines.__len: 2
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "http_client_body"
+ mpm.pattern: "one"
+ # checks that all engines are toserver
+ engines[0].name: "http_client_body"
+ engines[0].direction: "toserver"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[1].name: "pcre"
+ engines[1].name: "http_client_body"
+ engines[1].direction: "toserver"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines[1].matches[1].name: "pcre"
+ engines.__len: 2
diff --git a/tests/rules/http-response-body/test.rules b/tests/rules/http-response-body/test.rules
index 16e963bb5..5a4c2da5f 100644
--- a/tests/rules/http-response-body/test.rules
+++ b/tests/rules/http-response-body/test.rules
@@ -1 +1,3 @@
 alert http any any -> any any (http.response_body; content:"one"; sid:1;)
+alert http any any -> any any (http.response_body; pcre:"/one/R"; sid:2;)
+alert http any any -> any any (http.response_body; content:"one"; pcre:"/one/R"; sid:3;)
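Review bot: The comment in the `id: 1` check of tests/rules/http-request-body/test.yaml reads `# checks that all engines are toclient`, but every assertion under it expects `direction: "toserver"`; it should read `# checks that all engines are toserver`, as the `id: 2` and `id: 3` checks already do. Separately, the `id: 2` check expects `http` at `engines[0]` and `http2` at `engines[1]`, the reverse of `id: 1` and `id: 3`, and the same flip appears in the `id: 2` check added to tests/rules/http-response-body/test.yaml. Because these assertions are positional, a one-line comment such as `# engine order for the pcre-only rule differs from the content rules` would show a later reader that the difference is deliberate and not a copy-paste slip.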
diff --git a/tests/rules/http-response-body/test.yaml b/tests/rules/http-response-body/test.yaml
index f373c820f..9996ebad8 100644
--- a/tests/rules/http-response-body/test.yaml
+++ b/tests/rules/http-response-body/test.yaml
@@ -17,7 +17,43 @@ checks:
 engines[0].name: "file_data"
 engines[0].direction: "toclient"
 engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
 engines[1].name: "file_data"
 engines[1].direction: "toclient"
 engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines.__len: 2
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ # checks that all engines are toclient
+ engines[0].name: "file_data"
+ engines[0].direction: "toclient"
+ engines[0].app_proto: "http"
+ engines[0].matches[0].name: "pcre"
+ engines[1].name: "file_data"
+ engines[1].direction: "toclient"
+ engines[1].app_proto: "http2"
+ engines[1].matches[0].name: "pcre"
+ engines.__len: 2
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "file_data"
+ mpm.pattern: "one"
+ # checks that all engines are toclient
+ engines[0].name: "file_data"
+ engines[0].direction: "toclient"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[1].name: "pcre"
+ engines[1].name: "file_data"
+ engines[1].direction: "toclient"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines[1].matches[1].name: "pcre"
 engines.__len: 2
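Review bot: The `id: 2` check pins the two `pcre` engines but asserts nothing about prefiltering, whereas the `id: 3` check asserts `mpm.buffer` and `mpm.pattern`. If rules.json omits the `mpm` object for a rule that has no `content` (not visible from this hunk), adding `not-has-key: mpm` under `match:` would record that a pcre-only body rule gets no fast pattern. That property is worth pinning because such a rule is evaluated without a prefilter. The `id: 2` check in tests/rules/http-request-body/test.yaml has the same gap. The `id: 1` check that this hunk extends begins above the hunk.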