From: Victor Julien Date: Fri, 20 Sep 2024 14:04:57 +0000 (+0200) Subject: tests: add test for bug 7264 X-Git-Tag: suricata-7.0.7~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2059%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add test for bug 7264
---
diff --git a/tests/bug-7264-tcp-3whs-ack-data-tls-01/README.md b/tests/bug-7264-tcp-3whs-ack-data-tls-01/README.md
new file mode 100644
index 000000000..e8e1512f6
--- /dev/null
+++ b/tests/bug-7264-tcp-3whs-ack-data-tls-01/README.md
@@ -0,0 +1,4 @@
+Pcap
+====
+
+Pcap from bug-2646-01, with 3whs ACK removed so 3whs is now closed by ACK with TLS data.
diff --git a/tests/bug-7264-tcp-3whs-ack-data-tls-01/input.pcap b/tests/bug-7264-tcp-3whs-ack-data-tls-01/input.pcap
new file mode 100644
index 000000000..072c568ec
Binary files /dev/null and b/tests/bug-7264-tcp-3whs-ack-data-tls-01/input.pcap differ
diff --git a/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.rules b/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.rules
new file mode 100644
index 000000000..f07f2d996
--- /dev/null
+++ b/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.rules
@@ -0,0 +1,2 @@
+pass tls any any -> any any (tls.sni; dotprefix; content:".githubusercontent.com"; nocase; endswith; alert; msg:"Allowed TLS traffic"; flow:established,to_server; sid:188; rev:1;)
+drop tls any any -> any any (msg:"Reject non allowed TLS traffic"; flow:to_server; sid:6001;)
diff --git a/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.yaml b/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.yaml
new file mode 100644
index 000000000..85aad2620
--- /dev/null
+++ b/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.yaml
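Review bot: test.rules gives no hint of what the two rules are meant to prove, and the asymmetry between `flow:established,to_server` on the pass rule (sid 188) and plain `flow:to_server` on the drop rule (sid 6001) is exactly the condition the test exercises: per the README the TLS data arrives in the ACK that closes the 3whs, so the pass rule must already see the flow as established on that packet, otherwise only the drop rule matches and the traffic is dropped. A leading comment such as `# bug 7264: TLS data rides on the 3whs-closing ACK; sid 188 must match with flow:established on that packet, sid 6001 must not fire` would make the intent reviewable without opening the pcap. The `alert` keyword inside the pass rule is presumably what drives the `min-version: 8` requirement in test.yaml rather than the bug fix itself; stating that in the same comment would spare the next reader a guess. For consistency with sid 188, sid 6001 could also carry `rev:1;`.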
@@ -0,0 +1,25 @@
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: raw.githubusercontent.com
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 188
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 6001
+