From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 9 Nov 2023 09:40:02 +0000 (+0100)
Subject: test: adds test for header_lowercase transform
X-Git-Tag: suricata-6.0.16~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1479%2Fhead;p=thirdparty%2Fsuricata-verify.git

test: adds test for header_lowercase transform
---

diff --git a/tests/transform-header-lowercase/README.md b/tests/transform-header-lowercase/README.md
new file mode 100644
index 000000000..ba988275c
--- /dev/null
+++ b/tests/transform-header-lowercase/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test header_lowercase transform.
+https://redmine.openinfosecfoundation.org/issues/6290
+
+# PCAP
+
+The pcap comes from test http2-range.
+This pcap has both HTTP1 and HTTP2.
diff --git a/tests/transform-header-lowercase/test.rules b/tests/transform-header-lowercase/test.rules
new file mode 100644
index 000000000..0ed6bee41
--- /dev/null
+++ b/tests/transform-header-lowercase/test.rules
@@ -0,0 +1,7 @@
+alert http any any -> any any (http.header; header_lowercase; content: "accept-ranges:";sid:1; )
+alert http any any -> any any (http.header; content: "accept-ranges:";sid:2; )
+alert http any any -> any any (http.header; content: "Accept-Ranges:";sid:3; )
+alert http1 any any -> any any (http.header; content: "accept-ranges:";sid:4; )
+alert http1 any any -> any any (http.header; content: "Accept-Ranges:";sid:5; )
+alert http2 any any -> any any (http.header; content: "accept-ranges:";sid:6; )
+alert http2 any any -> any any (http.header; content: "Accept-Ranges:";sid:7; )
diff --git a/tests/transform-header-lowercase/test.yaml b/tests/transform-header-lowercase/test.yaml
new file mode 100644
index 000000000..3dfc576fe
--- /dev/null
+++ b/tests/transform-header-lowercase/test.yaml
@@ -0,0 +1,40 @@
+requires:
+  min-version: 8.0.0
+
+pcap: ../http2-range/http2-range.pcap
+
+# disables checksum verification
+args:
+  - -k none --set app-layer.protocols.http2.enabled=true
+
+checks:
+  - filter:
+      count: 5
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  # we counted all alerts
+  - filter:
+      count: 15
+      match:
+        event_type: alert