From: Victor Julien Date: Thu, 12 Oct 2023 11:52:54 +0000 (+0200) Subject: tests: add test for issue 6397 X-Git-Tag: suricata-6.0.15~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1421%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add test for issue 6397
---
diff --git a/tests/rules/http_uri/test.rules b/tests/rules/http_uri/test.rules
index e4d3ac653..2fbc8b43f 100644
--- a/tests/rules/http_uri/test.rules
+++ b/tests/rules/http_uri/test.rules
@@ -4,3 +4,5 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urile
 alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:4;)
 # urilen followed by "raw" content, make sure the urilen doesn't act as http.uri sticky buffer
 alert http1 any any -> any any (urilen:44; content:"abc"; sid:5;)
+# make sure there is a single uri list. Based on 2016816:3
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:to_server,established; content:"a"; fast_pattern:only; http_uri; content:"b"; http_uri; content:"Mozilla"; http_user_agent; pcre:"/^$/RV"; content:!"Referer|3a 20|"; http_header; pcre:"/abcdef$/Ui"; sid:6;)
diff --git a/tests/rules/http_uri/test.yaml b/tests/rules/http_uri/test.yaml
index 45bd5c59e..42d0e7c01 100644
--- a/tests/rules/http_uri/test.yaml
+++ b/tests/rules/http_uri/test.yaml
@@ -85,3 +85,17 @@ checks:
 engines[1].name: "http_uri"
 engines[1].app_proto: "http"
 engines[1].matches[0].name: "urilen"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ mpm.buffer: "http_uri"
+ mpm.pattern: "a"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[1].name: "content"
+ engines[0].matches[2].name: "pcre"
+ engines[1].name: "http_user_agent"
+ engines[2].name: "http_header"
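Review bot: In tests/rules/http_uri/test.rules the comment above sid:6 says only "make sure there is a single uri list", which does not tell a reader which keyword is at risk of ending up in a second list. Judging by the matching check in test.yaml (engines[0] expecting content, content, pcre), it appears to be the trailing `pcre:"/abcdef$/Ui"`, which is written after the http_user_agent and http_header keywords. I would spell that out and name the ticket from the commit subject, e.g. `# issue 6397: the trailing pcre /U must join the list of the two http_uri contents, not open a second http_uri list`.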
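Review bot: In tests/rules/http_uri/test.yaml the new check for id 6 pins engines[0] through engines[2] but never asserts that no further engine exists, so the "single uri list" property is enforced only indirectly through `engines[0].matches[2].name`. If the filter's `not-has-key` accepts an indexed path here, adding `not-has-key: engines[3]` under `match:` would make an extra http_uri engine fail the test outright. The check also leaves engines[1] and engines[2] with a name only, whereas the preceding check in the context lines pins `engines[1].app_proto` and `engines[1].matches[0].name`. Asserting the `pcre` and negated `content` entries there as well would catch a regression that moves those keywords between lists and changes what the rule detects.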