From: Shivani Bhardwaj Date: Mon, 21 Mar 2022 13:33:02 +0000 (+0530) Subject: tests: add test for bug 5197 X-Git-Tag: suricata-6.0.8~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F898%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add test for bug 5197
---
diff --git a/tests/bug-5197/README.md b/tests/bug-5197/README.md
new file mode 100644
index 000000000..082e66ec6
--- /dev/null
+++ b/tests/bug-5197/README.md
@@ -0,0 +1,12 @@
+Description
+===========
+This test is to demonstrate Redmine bug 5197.
+`fast_pattern` assignment of specific content results in false negatives.
+For the PCAP used in this test, sid:1 and sid:2 are the exact same rules except for an explicit
+`fast_pattern` keyword in sid:2. But, only sid:1 fires.
+Another issue that can be seen is that changing the position of `fast_pattern` can also result
+in some false negatives. sid:3 and sid:6 are such examples. Only sid:6 fires in this case.
+
+PCAP
+====
+PCAP comes from the Redmine ticket https://redmine.openinfosecfoundation.org/issues/5197
diff --git a/tests/bug-5197/input.pcap b/tests/bug-5197/input.pcap
new file mode 100644
index 000000000..2ef665c12
Binary files /dev/null and b/tests/bug-5197/input.pcap differ
diff --git a/tests/bug-5197/test.rules b/tests/bug-5197/test.rules
new file mode 100644
index 000000000..9ffb84e39
--- /dev/null
+++ b/tests/bug-5197/test.rules
@@ -0,0 +1,7 @@
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:1;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; fast_pattern; sid:2;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; fast_pattern; content:"456789"; distance:2; within:6; sid:3;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; fast_pattern; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:4;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; fast_pattern; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:5;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; fast_pattern; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:6;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; fast_pattern; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:7;)
diff --git a/tests/bug-5197/test.yaml b/tests/bug-5197/test.yaml
new file mode 100644
index 000000000..f194e770d
--- /dev/null
+++ b/tests/bug-5197/test.yaml
@@ -0,0 +1,49 @@
+args:
+- -k none
+- --set mpm-algo=ac
+- --set spm-algo=bm
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: dns
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: flow
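Review bot: None of the seven signatures in test.rules carries a `msg` (or `rev`) keyword, so the alerts in eve.json identify themselves only by `signature_id` and a reader has to count `content` keywords to see which fast-pattern position each sid exercises. Since the rules differ only in where `fast_pattern` sits, a per-rule message such as `msg:"bug 5197 - fast_pattern on content 6 (last)";` for sid:2 and the corresponding position for sid:3–7, or a `# sid:N: fast_pattern on content N` comment line above each rule, would make the file and the README self-describing. The rules also match on `$HOME_NET` as destination while no suricata.yaml is part of this change, so the expected alerts presumably depend on the default HOME_NET covering the destination address in the PCAP; if the direction is not what is under test, `any` would remove that dependency.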
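Review bot: The checks assert that each of sid 1–7 fires exactly once, i.e. the post-fix behaviour, whereas the README describes the buggy behaviour (only sid:1 and sid:6 firing), and nothing in test.yaml states that relationship. A one-line comment above `checks:` such as `# expected behaviour once bug 5197 is fixed: all seven sids alert once` would remove the apparent contradiction for anyone reading the two files together. If the fix is not present on every branch suricata-verify is run against, a `requires:` block with a `min-version:` entry (value to be confirmed from the fix's release) would make the test skip instead of fail there; I cannot tell from the diff which branches carry the fix. The `args` pin `mpm-algo=ac` and `spm-algo=bm`; a short comment noting that these are the matchers the bug was reported with would tell a maintainer whether other mpm/spm combinations should also be covered.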