From: Jason Ish
Date: Thu, 22 Sep 2022 18:07:34 +0000 (-0600)
Subject: incomplete hex: test with strict content keyword
X-Git-Tag: suricata-6.0.8~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eccbc7800b075602e303c93fa6c694c4067074b1;p=thirdparty%2Fsuricata-verify.git

incomplete hex: test with strict content keyword

With strict content parsing, -T should fail out for version 6 and 7.
---
diff --git a/tests/content-incomplete-hex-t-version-6-strict/README.md b/tests/content-incomplete-hex-t-version-6-strict/README.md
new file mode 100644
index 000000000..ef2785201
--- /dev/null
+++ b/tests/content-incomplete-hex-t-version-6-strict/README.md
@@ -0,0 +1,6 @@
+Tests the behaviour of -T when a rule contains incomplete hex.
+
+For Suricata 6.0.x, -T should pass unless
+--strict-rule-keywords=content is provided.
+
+For Suricata 7.0+, -T should fail.
diff --git a/tests/content-incomplete-hex-t-version-6-strict/suricata.yaml b/tests/content-incomplete-hex-t-version-6-strict/suricata.yaml
new file mode 100644
index 000000000..6917d8538
--- /dev/null
+++ b/tests/content-incomplete-hex-t-version-6-strict/suricata.yaml
@@ -0,0 +1,2 @@
+%YAML 1.1
+---
diff --git a/tests/content-incomplete-hex-t-version-6-strict/test.rules b/tests/content-incomplete-hex-t-version-6-strict/test.rules
new file mode 100644
index 000000000..397a5f1ce
--- /dev/null
+++ b/tests/content-incomplete-hex-t-version-6-strict/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"incomplete hex test rule"; content:"|22 2 22|"; sid:12346; rev:1;)
diff --git a/tests/content-incomplete-hex-t-version-6-strict/test.yaml b/tests/content-incomplete-hex-t-version-6-strict/test.yaml
new file mode 100644
index 000000000..05de7930a
--- /dev/null
+++ b/tests/content-incomplete-hex-t-version-6-strict/test.yaml
@@ -0,0 +1,6 @@
+args:
+ - -T --strict-rule-keywords=content
+
+pcap: false
+
+exit-code: 1
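Review bot: In test.yaml, `exit-code: 1` is the only assertion, so the test passes whenever `-T` fails for any reason, including a problem with the two-line suricata.yaml, and not only because `content:"|22 2 22|"` was rejected. An additional check on the run's log output for the rule's `sid:12346` would tie the failure to the incomplete hex, which is the behaviour that keeps a malformed signature from being loaded unnoticed. There is also no `requires:` block, so a build without the strict content check would presumably exit 0 and fail this test; consider adding `requires:` with `min-version: <first release with the strict check>`.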