From: Philippe Antoine
Date: Tue, 23 Feb 2021 09:06:25 +0000 (+0100)
Subject: Move checks about HTTP2 keywords in separate tests
X-Git-Tag: suricata-6.0.4~123
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee317ec1ee9f0c4e99c2d1b0dee186efb7d73052;p=thirdparty%2Fsuricata-verify.git

Move checks about HTTP2 keywords in separate tests
so as to have min-version 7 for them
---

diff --git a/tests/http2-basic/test.rules b/tests/http2-basic/test.rules
index 499c11f78..d0866dadd 100644
--- a/tests/http2-basic/test.rules
+++ b/tests/http2-basic/test.rules
@@ -2,9 +2,3 @@ alert http2 any any -> any any (http2.header; content:"agent: nghttp2"; sid:1; r
 alert http2 any any -> any any (http2.frametype:GOAWAY; sid:2; rev:1;)
 alert http2 any any -> any any (http2.settings:SETTINGS_HEADER_TABLE_SIZE>1000; sid:3; rev:1;)
 alert http2 any any -> any any (http2.window:34634; sid:4; rev:1;)
-
-alert http any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:10;)
-alert http1 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:11;)
-alert http2 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:12;)
-alert tcp any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:13;)
-alert ip any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:14;)
diff --git a/tests/http2-basic/test.yaml b/tests/http2-basic/test.yaml
index 21b3bf559..0ffbc7e6e 100644
--- a/tests/http2-basic/test.yaml
+++ b/tests/http2-basic/test.yaml
@@ -78,29 +78,3 @@ checks:
 count: 0
 match:
 event_type: anomaly
- # HTTP generic keywords with HTTP2 traffic
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 10
- - filter:
- count: 0
- match:
- event_type: alert
- alert.signature_id: 11
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 12
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 13
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 14
diff --git a/tests/http2-keywords/README.md b/tests/http2-keywords/README.md
new file mode 100644
index 000000000..3d75753ce
--- /dev/null
+++ b/tests/http2-keywords/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test http2 with HTTP keywords functionality
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/HTTP2
+It is the same as in http2-basic
diff --git a/tests/http2-keywords/input.pcap b/tests/http2-keywords/input.pcap
new file mode 100644
index 000000000..0e1ada852
Binary files /dev/null and b/tests/http2-keywords/input.pcap differ
diff --git a/tests/http2-keywords/suricata.yaml b/tests/http2-keywords/suricata.yaml
new file mode 100644
index 000000000..eb2d0794b
--- /dev/null
+++ b/tests/http2-keywords/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ types:
+ - alert
+ - http2
+ - files
+
+app-layer:
+ protocols:
+ http2:
+ enabled: true
diff --git a/tests/http2-keywords/test.rules b/tests/http2-keywords/test.rules
new file mode 100644
index 000000000..3941f88be
--- /dev/null
+++ b/tests/http2-keywords/test.rules
@@ -0,0 +1,6 @@
+
+alert http any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:10;)
+alert http1 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:11;)
+alert http2 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:12;)
+alert tcp any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:13;)
+alert ip any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:14;)
diff --git a/tests/http2-keywords/test.yaml b/tests/http2-keywords/test.yaml
new file mode 100644
index 000000000..3cb66fb7a
--- /dev/null
+++ b/tests/http2-keywords/test.yaml
@@ -0,0 +1,36 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7.0.0
+
+# disables checksum verification
+args:
+ - -k none
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 13
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 14
diff --git a/tests/http2-keywords2/README.md b/tests/http2-keywords2/README.md
new file mode 100644
index 000000000..94ae115a0
--- /dev/null
+++ b/tests/http2-keywords2/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test more HTTP2 traffic against HTTP keywords
+
+# PCAP
+
+The pcap comes from https://wiki.wireshark.org/HTTP2
+It is the same as in http2-upgrade
diff --git a/tests/http2-keywords2/input.pcap b/tests/http2-keywords2/input.pcap
new file mode 100644
index 000000000..a77847ae7
Binary files /dev/null and b/tests/http2-keywords2/input.pcap differ
diff --git a/tests/http2-keywords2/suricata.yaml b/tests/http2-keywords2/suricata.yaml
new file mode 100644
index 000000000..82124d619
--- /dev/null
+++ b/tests/http2-keywords2/suricata.yaml
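Review bot: The new tests/http2-keywords/test.rules begins with an empty line (the first added line of the hunk is blank), which is a leftover of the blank separator that preceded these five rules in http2-basic/test.rules rather than something the file needs. Dropping that leading blank line keeps the new rules file consistent with the other test.rules files that start directly with a rule.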
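Review bot: The `checks:` block of tests/http2-keywords/test.yaml lost the explanatory comment that sat above these same filters in http2-basic/test.yaml (`# HTTP generic keywords with HTTP2 traffic`), so a reader now has to work out from the counts alone why sid 11 is expected 0 times while sids 10, 12, 13 and 14 are expected once each. Since these expectations are the detection contract this test pins — `http.uri` in `alert http`, `alert http2`, `alert tcp` and `alert ip` rules matching the HTTP/2 flow, while `alert http1` does not — it is worth restoring a comment such as `# HTTP generic keywords with HTTP2 traffic: http/http2/tcp/ip rules match (1 each), http1 does not (0)` above the first filter. The `# disables checksum verification` comment on `args:` is fine as is.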
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: yes
+ - http:
+ extended: yes
+ - http2
+ - files
+
+app-layer:
+ protocols:
+ http2:
+ enabled: yes
diff --git a/tests/http2-upgrade/test.rules b/tests/http2-keywords2/test.rules
similarity index 100%
rename from tests/http2-upgrade/test.rules
rename to tests/http2-keywords2/test.rules
diff --git a/tests/http2-keywords2/test.yaml b/tests/http2-keywords2/test.yaml
new file mode 100644
index 000000000..bed395a24
--- /dev/null
+++ b/tests/http2-keywords2/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7.0.0
+
+# disables checksum verification
+args:
+ - -k none --set stream.midstream=true
+
+checks:
+
+# checks for http.uri keyword : 1 for HTTP1, 1 for mimicked HTTP2 response, so 2 for whole HTTP
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 20
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 21
diff --git a/tests/http2-upgrade/test.yaml b/tests/http2-upgrade/test.yaml
index 82be0b058..0e24fb778 100644
--- a/tests/http2-upgrade/test.yaml
+++ b/tests/http2-upgrade/test.yaml
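Review bot: The two new suricata.yaml files added by this commit are written in different styles: tests/http2-keywords2/suricata.yaml uses `enabled: yes` and adds `filetype: regular`, `filename: eve.json`, `alert: tagged-packets: yes` and `http: extended: yes`, whereas tests/http2-keywords/suricata.yaml (earlier in this patch) uses `enabled: true` and lists only `alert`, `http2` and `files`. Nothing in the accompanying test.yaml checks reads `http.*` fields or tagged packets — they filter on `event_type: alert` and `alert.signature_id` only — so the extra eve-log options look inherited from the http2-upgrade test rather than required here (to be confirmed). Aligning the two files on one boolean spelling and the minimal `types` list would make it clear which settings the keyword checks actually depend on.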
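Review bot: In tests/http2-keywords2/test.yaml the comment above `args:` says only `# disables checksum verification`, but the single list entry `-k none --set stream.midstream=true` also enables midstream stream pickup, which is the setting that actually changes how this pcap is parsed and is left unexplained. A comment covering both options, e.g. `# -k none: disable checksum verification; stream.midstream=true: let the engine pick up the flow mid-stream`, would document the intent; whether the harness needs the two options as separate list entries or accepts them joined in one string is not visible here and worth confirming against the other tests.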
@@ -50,29 +50,3 @@ checks:
 http.http_method: "GET"
 http.url: "/humans.txt"
 http.status: 404
-# checks for http.uti keyword : 1 for HTTP1, 1 for mimicked HTTP2 response, so 2 for whole HTTP
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 10
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 11
- - filter:
- count: 2
- match:
- event_type: alert
- alert.signature_id: 12
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 20
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 21