From: Victor Julien Date: Fri, 27 Jan 2023 15:55:00 +0000 (+0100) Subject: tests: add frame ips test X-Git-Tag: suricata-6.0.10~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1094%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add frame ips test
---
diff --git a/tests/http-gap-simple-frames-ips/README.md b/tests/http-gap-simple-frames-ips/README.md
new file mode 100644
index 000000000..73de7efbc
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/README.md
@@ -0,0 +1,13 @@
+# Description
+
+Test http gap handling
+
+This test case contains a single simple gap in response body with defined content-length
+
+# PCAP
+
+The pcap comes from running
+`python test/htptopcap.py toaddgap.txt`
+With the attached toaddgap.txt
+
+Then removing packet 17
diff --git a/tests/http-gap-simple-frames-ips/input.pcap b/tests/http-gap-simple-frames-ips/input.pcap
new file mode 100644
index 000000000..5edd0f198
Binary files /dev/null and b/tests/http-gap-simple-frames-ips/input.pcap differ
diff --git a/tests/http-gap-simple-frames-ips/suricata.yaml b/tests/http-gap-simple-frames-ips/suricata.yaml
new file mode 100644
index 000000000..3bcb3d6d5
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ # app layer frames
+ - frame:
+ enabled: yes
+ - anomaly:
+ enabled: yes
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - http:
+ extended: yes
+ - files
diff --git a/tests/http-gap-simple-frames-ips/test.rules b/tests/http-gap-simple-frames-ips/test.rules
new file mode 100644
index 000000000..7199fa804
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/test.rules
@@ -0,0 +1,3 @@
+drop http any any -> any any (frame:http1.response; content:"|0d 0a|AAA"; sid:1;)
+# shouldn't match
+drop http any any -> any any (frame:http1.response; content:"|0d 0a|AAA"; endswith; sid:4;)
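Review bot: The `# shouldn't match` comment above sid 4 in test.rules states the expectation but not the reason, so a reader has to reverse-engineer it from test.yaml; a fuller comment such as `# shouldn't match: endswith anchors the content to the end of the http1.response frame buffer, which presumably does not end with CRLF+AAA here` would make the rule file self-contained. The sids jump from 1 to 4 with nothing in between, which looks like rules copied from a sibling test and trimmed; either renumbering them (and the `alert.signature_id` checks in test.yaml) or a one-line comment saying the numbering mirrors the non-IPS variant would remove the question. Both rules use `drop`, which under `--simulate-ips` is what produces the `alert.action: "blocked"` the test asserts on, so that deserves a line of comment too.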
diff --git a/tests/http-gap-simple-frames-ips/test.yaml b/tests/http-gap-simple-frames-ips/test.yaml
new file mode 100644
index 000000000..8f41b1a9d
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/test.yaml
@@ -0,0 +1,69 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7.0.0
+
+# disables checksum verification
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+
+ # Check that there is one file event with content range.
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/1"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/2"
+ http.status: 200
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ http.url: "/3"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.size: 14
+ fileinfo.state: "CLOSED"
+ fileinfo.gaps: false
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.size: 14
+ fileinfo.filename: "/2"
+ fileinfo.state: "TRUNCATED"
+ fileinfo.gaps: false
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 15
+ alert.action: "blocked"
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ app_proto: http
+ frame.id: 2
+ frame.stream_offset: 0
+ frame.type: request
+ frame.length: 40
+ frame.direction: toserver
+ frame.tx_id: 0
diff --git a/tests/http-gap-simple-frames-ips/toaddgap.txt b/tests/http-gap-simple-frames-ips/toaddgap.txt
new file mode 100644
index 000000000..c6859edfa
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/toaddgap.txt
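Review bot: The comment `# Check that there is one file event with content range.` at the top of `checks:` in test.yaml does not describe the filters under it — the first three match `event_type: http` for /1, /2 and /3, and no check mentions a content range — so it reads as copied from another test; replace it with a comment stating what those three checks verify (for instance that /1 and /2 are seen and /3 is not, presumably because the drop on the /2 response blocks the flow before it). The first `fileinfo` filter (size 14, state CLOSED) pins no `fileinfo.filename`, unlike the TRUNCATED one that names "/2", so any CLOSED 14-byte fileinfo event satisfies it; adding the filename the event is expected to carry (presumably "/1") keeps the check specific. The alert check pins `pcap_cnt: 15`, which is fine for a fixed pcap, but a short comment tying it to the drop on the /2 response would help whoever regenerates input.pcap from toaddgap.txt.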
@@ -0,0 +1,53 @@
+>>>
+GET /1 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Date: Mon, 31 Aug 2009 20:25:50 GMT
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+
+<<<
+Hello World!
+
+>>>
+GET /2 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 70
+
+
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+>>>
+GET /3 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+Hello People