From: Philippe Antoine
Date: Thu, 23 Mar 2023 09:46:12 +0000 (+0100)
Subject: http2: move http.request_header keyword to new test
X-Git-Tag: suricata-6.0.13~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1238%2Fhead;p=thirdparty%2Fsuricata-verify.git
http2: move http.request_header keyword to new test
as it requires min version 7, and we do not want to mix it with rules that already worked for version 6
---
diff --git a/tests/http2-basic/test.rules b/tests/http2-basic/test.rules
index d0866dadd..3055f7fc5 100644
--- a/tests/http2-basic/test.rules
+++ b/tests/http2-basic/test.rules
@@ -1,4 +1,3 @@
-alert http2 any any -> any any (http2.header; content:"agent: nghttp2"; sid:1; rev:1;)
 alert http2 any any -> any any (http2.frametype:GOAWAY; sid:2; rev:1;)
 alert http2 any any -> any any (http2.settings:SETTINGS_HEADER_TABLE_SIZE>1000; sid:3; rev:1;)
 alert http2 any any -> any any (http2.window:34634; sid:4; rev:1;)
diff --git a/tests/http2-basic/test.yaml b/tests/http2-basic/test.yaml
index 0ffbc7e6e..7579cff3f 100644
--- a/tests/http2-basic/test.yaml
+++ b/tests/http2-basic/test.yaml
@@ -49,11 +49,6 @@ checks:
 http.request_headers[2].value: "/doc/manual/html/index.html"
 http.response_headers[0].name: ":status"
 http.response_headers[0].value: "200"
- - filter:
- count: 6
- match:
- event_type: alert
- alert.signature_id: 1
 - filter:
 count: 1
 match:
diff --git a/tests/http2-files/expected/fast.log b/tests/http2-files/expected/fast.log
index d0998bcc4..6152138df 100644
--- a/tests/http2-files/expected/fast.log
+++ b/tests/http2-files/expected/fast.log
@@ -1,12 +1,6 @@
-08/02/2014-10:50:25.816243 [**] [1:1:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
 08/02/2014-10:50:25.823699 [**] [1:6:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
 08/02/2014-10:50:25.823699 [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
 08/02/2014-10:50:25.823699 [**] [1:8:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
-08/02/2014-10:50:25.828791 [**] [1:1:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
-08/02/2014-10:50:25.828791 [**] [1:1:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
-08/02/2014-10:50:25.828791 [**] [1:1:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
-08/02/2014-10:50:25.828791 [**] [1:1:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
-08/02/2014-10:50:25.828791 [**] [1:1:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
 08/02/2014-10:50:25.828791 [**] [1:3:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:56508 -> 0000:0000:0000:0000:0000:0000:0000:0001:3000
 08/02/2014-10:50:25.828986 [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
 08/02/2014-10:50:25.830473 [**] [1:7:1] (null) [**] [Classification: (null)] [Priority: 3] {TCP} 0000:0000:0000:0000:0000:0000:0000:0001:3000 -> 0000:0000:0000:0000:0000:0000:0000:0001:56508
diff --git a/tests/http2-files/test.rules b/tests/http2-files/test.rules
index 959a01593..d1126b8b7 100644
--- a/tests/http2-files/test.rules
+++ b/tests/http2-files/test.rules
@@ -1,4 +1,3 @@
-alert http2 any any -> any any (http2.header; content:"agent: nghttp2"; sid:1; rev:1;)
 alert http2 any any -> any any (http2.frametype:GOAWAY; sid:2; rev:1;)
 alert http2 any any -> any any (http2.settings:SETTINGS_HEADER_TABLE_SIZE>1000; sid:3; rev:1;)
 alert http2 any any -> any any (http2.window:34634; sid:4; rev:1;)
diff --git a/tests/http2-files/test.yaml b/tests/http2-files/test.yaml
index ef4e7b0cc..f61522bd5 100644
--- a/tests/http2-files/test.yaml
+++ b/tests/http2-files/test.yaml
@@ -56,11 +56,6 @@ checks:
 http.request_headers[2].value: "/doc/manual/html/index.html"
 http.response_headers[0].name: ":status"
 http.response_headers[0].value: "200"
- - filter:
- count: 6
- match:
- event_type: alert
- alert.signature_id: 1
 - filter:
 count: 1
 match:
diff --git a/tests/http2-header/README.md b/tests/http2-header/README.md
new file mode 100644
index 000000000..eff02bf6c
--- /dev/null
+++ b/tests/http2-header/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test http2 header keyword
+
+# PCAP
+
+The pcap comes from the http2-basic test
diff --git a/tests/http2-header/suricata.yaml b/tests/http2-header/suricata.yaml
new file mode 100644
index 000000000..eb2d0794b
--- /dev/null
+++ b/tests/http2-header/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ types:
+ - alert
+ - http2
+ - files
+
+app-layer:
+ protocols:
+ http2:
+ enabled: true
diff --git a/tests/http2-header/test.rules b/tests/http2-header/test.rules
new file mode 100644
index 000000000..72699c05f
--- /dev/null
+++ b/tests/http2-header/test.rules
@@ -0,0 +1 @@
+alert http2 any any -> any any (http.request_header; content:"agent: nghttp2"; sid:1; rev:2;)
diff --git a/tests/http2-header/test.yaml b/tests/http2-header/test.yaml
new file mode 100644
index 000000000..879261f16
--- /dev/null
+++ b/tests/http2-header/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ min-version: 7
+
+pcap: ../http2-basic/input.pcap
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+
+ # Check that there is one file event with content range.
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature_id: 1
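Review bot: The comment above the only check in the new test.yaml, `# Check that there is one file event with content range.`, does not describe the filter beneath it, which expects six alert events for signature 1 and looks at no file event at all; it appears to have been carried over from the http2-files test. A comment matching the check, such as `# Expect six alerts for sid 1 (http.request_header matching "agent: nghttp2" in test.rules).`, would keep the intent readable when the count drifts. The README added in this series likewise still calls this the "http2 header keyword" test while the rule exercises `http.request_header`, so naming that keyword there too would avoid confusion with the `http2.header` rule removed from the other tests.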