From: Shivani Bhardwaj
Date: Thu, 9 Mar 2023 07:34:35 +0000 (+0530)
Subject: base64_data: add tests for bug 5885
X-Git-Tag: suricata-6.0.12~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1163%2Fhead;p=thirdparty%2Fsuricata-verify.git
base64_data: add tests for bug 5885
---
diff --git a/tests/base64-decode-5885/README.md b/tests/base64-decode-5885/README.md
new file mode 100644
index 000000000..2cd0c1be3
--- /dev/null
+++ b/tests/base64-decode-5885/README.md
@@ -0,0 +1,7 @@
+# Test Description
+
+This test demonsrates the issue with population of `base64_data` lately.
+
+## PCAP
+
+PCAP comes from redmine ticket [5885](https://redmine.openinfosecfoundation.org/issues/5885).
diff --git a/tests/base64-decode-5885/input.pcap b/tests/base64-decode-5885/input.pcap
new file mode 100644
index 000000000..46f89b527
Binary files /dev/null and b/tests/base64-decode-5885/input.pcap differ
diff --git a/tests/base64-decode-5885/test.rules b/tests/base64-decode-5885/test.rules
new file mode 100644
index 000000000..a9ab49454
--- /dev/null
+++ b/tests/base64-decode-5885/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"Base64 data w/o url_decode"; http.request_body; content:"API="; startswith; base64_decode:offset 0, relative; base64_data; content:"cmVwb3J"; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"Base64 data with url_decode"; http.request_body; url_decode; content:"API="; startswith; base64_decode:offset 0, relative; base64_data; content:"cmVwb3J"; sid:2; rev:1;)
diff --git a/tests/base64-decode-5885/test.yaml b/tests/base64-decode-5885/test.yaml
new file mode 100644
index 000000000..94ad21aa9
--- /dev/null
+++ b/tests/base64-decode-5885/test.yaml
@@ -0,0 +1,15 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
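Review bot: Both rules in test.rules are declared as `alert tcp` while matching on the HTTP sticky buffer `http.request_body`; the conventional form for HTTP-keyword rules is `alert http any any -> any any (...)`, which states the app-layer dependency explicitly. This is a style point only — the `tcp` form is presumably accepted by the parser, since the test expects both sids to fire, but I cannot confirm that from the diff alone. The two rules differ only in the presence of `url_decode`, and nothing in the file says why that pair exists, so a leading comment such as `# sid 1/2: same base64_data match without/with url_decode, regression for bug 5885 (see README)` would help a reader who opens the rules file before the README.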
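Review bot: test.yaml pins no minimum Suricata version, so on builds that predate the fix for bug 5885 this test will fail rather than be skipped; suricata-verify supports a `requires:` block with `min-version` for exactly this, e.g. `requires:` / `  min-version: <FIRST-FIXED-VERSION>` with the placeholder replaced by the release that carries the fix (the X-Git-Tag points at the 6.0.12 line, but the exact version is not stated in this commit). The two checks assert only that sid 2 and sid 1 each fire once, which is adequate for a regression test, but the expected payload is not named anywhere in the file; a short comment above `checks:` such as `# both sids expect "cmVwb3J" in the base64-decoded request body; sid 2 applies url_decode first` would make the intent clear without opening the rules file.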