From: Philippe Antoine Date: Mon, 6 Nov 2023 15:35:03 +0000 (+0100) Subject: tests: Add a test for http2 authority mismatch event X-Git-Tag: suricata-6.0.16~53 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1456%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: Add a test for http2 authority mismatch event Ticket: #6425
---
diff --git a/tests/http2-authority-mismatch/README.md b/tests/http2-authority-mismatch/README.md
new file mode 100644
index 000000000..2e8b70f25
--- /dev/null
+++ b/tests/http2-authority-mismatch/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test http2 event for mismatch between authority and host
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/6425
diff --git a/tests/http2-authority-mismatch/authority_and_host_2.pcap b/tests/http2-authority-mismatch/authority_and_host_2.pcap
new file mode 100644
index 000000000..43bbf5564
Binary files /dev/null and b/tests/http2-authority-mismatch/authority_and_host_2.pcap differ
diff --git a/tests/http2-authority-mismatch/test.rules b/tests/http2-authority-mismatch/test.rules
new file mode 100644
index 000000000..ab51e8772
--- /dev/null
+++ b/tests/http2-authority-mismatch/test.rules
@@ -0,0 +1,2 @@
+alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
+
diff --git a/tests/http2-authority-mismatch/test.yaml b/tests/http2-authority-mismatch/test.yaml
new file mode 100644
index 000000000..491818ee7
--- /dev/null
+++ b/tests/http2-authority-mismatch/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 6.0.0
+
+# disables checksum verification
+args:
+ - -k none --set app-layer.protocols.http2.enabled=true
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2290013
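Review bot: `min-version: 6.0.0` in test.yaml looks too permissive for a test whose rule depends on `app-layer-event:http2.authority_host_mismatch`. On a 6.0.x build that predates the event, test.rules would presumably fail to load, so the test would fail for a reason unrelated to the pcap. The commit's tag (`suricata-6.0.16~53`) suggests the event ships around 6.0.16, so confirm the first release that has it and raise the bound, e.g. `min-version: 6.0.16`. The comment `# disables checksum verification` describes only `-k none`; I would widen it to `# disables checksum verification and enables the http2 parser`, since the `--set` override sits on the same line. The check asserts only `count: 1` on the sid, so a second filter on the logged http2 request fields would pin the alert to the mismatching request, if the EVE output for this pcap carries them.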