From: Giuseppe Longo
Date: Tue, 23 Apr 2019 18:42:37 +0000 (+0200)
Subject: detect-http-protocol: test inspect/mpm v2 apis
X-Git-Tag: suricata-6.0.4~462
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f19df0fc90679e04c890d9baca8bff604aeeda1f;p=thirdparty%2Fsuricata-verify.git
detect-http-protocol: test inspect/mpm v2 apis
---
diff --git a/tests/http-protocol-inspect-v2/README.md b/tests/http-protocol-inspect-v2/README.md
new file mode 100644
index 000000000..ecec6eb0c
--- /dev/null
+++ b/tests/http-protocol-inspect-v2/README.md
@@ -0,0 +1 @@
+Test that http-protocol keyword works with the new inspect/mpm engines.
diff --git a/tests/http-protocol-inspect-v2/http.pcap b/tests/http-protocol-inspect-v2/http.pcap
new file mode 100644
index 000000000..54f6f2953
Binary files /dev/null and b/tests/http-protocol-inspect-v2/http.pcap differ
diff --git a/tests/http-protocol-inspect-v2/test.rules b/tests/http-protocol-inspect-v2/test.rules
new file mode 100644
index 000000000..78ae4623b
--- /dev/null
+++ b/tests/http-protocol-inspect-v2/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (flow:to_client; http_protocol; content:"HTTP/1.1"; sid:1;)
+alert http any any -> any any (flow:to_server; http_protocol; content:"HTTP/1.1"; sid:2;)
+alert http any any -> any any (flow:to_client; http.protocol; content:"HTTP/1.1"; sid:3;)
+alert http any any -> any any (flow:to_server; http.protocol; content:"HTTP/1.1"; sid:4;)
diff --git a/tests/http-protocol-inspect-v2/test.yaml b/tests/http-protocol-inspect-v2/test.yaml
new file mode 100644
index 000000000..10fb03be3
--- /dev/null
+++ b/tests/http-protocol-inspect-v2/test.yaml
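Review bot: The four rules in test.rules only assert positive matches, so a regression in which the http.protocol / http_protocol buffer matched any content (or the inspect engine fell back to a wider buffer) would still pass all four `count: 1` checks. A negative rule on the same buffer, paired with a `count: 0` check in test.yaml, would pin the buffer's content rather than just its presence, e.g. `alert http any any -> any any (flow:to_client; http.protocol; content:"HTTP/1.0"; sid:5;)` — this assumes the pcap carries only HTTP/1.1 exchanges, which the existing single-alert-per-sid checks already imply but which cannot be confirmed from the binary file here. If that rule is added, the aggregate `count: 4` alert check in test.yaml stays valid since the new sid is expected never to fire.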
@@ -0,0 +1,35 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+ - -k none
+
+pcap: http.pcap
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4