From 002009b8fe8e911887703146ee4d353486cd3dc2 Mon Sep 17 00:00:00 2001
From: Andreas Herz
Date: Mon, 1 Jul 2019 22:21:31 +0200
Subject: [PATCH] tests: add mix of byte_extract tests

---
 tests/byte-extract-01/README.md | 4 +++
 tests/byte-extract-01/input.pcap | Bin 0 -> 1147 bytes
 tests/byte-extract-01/test.rules | 10 ++++++
 tests/byte-extract-01/test.yaml | 58 +++++++++++++++++++++++++++++++
 4 files changed, 72 insertions(+)
 create mode 100644 tests/byte-extract-01/README.md
 create mode 100644 tests/byte-extract-01/input.pcap
 create mode 100644 tests/byte-extract-01/test.rules
 create mode 100644 tests/byte-extract-01/test.yaml

diff --git a/tests/byte-extract-01/README.md b/tests/byte-extract-01/README.md
new file mode 100644
index 000000000..4a8763f86
--- /dev/null
+++ b/tests/byte-extract-01/README.md
@@ -0,0 +1,4 @@
+# test byte_extract cases
+
+This test covers different byte_extract cases. The rules and the pcap are taken
+from https://redmine.openinfosecfoundation.org/issues/3047
diff --git a/tests/byte-extract-01/input.pcap b/tests/byte-extract-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..274449d647a527f7048edc7bb7ac7ae3d0bb60a1 GIT binary patch literal 1147 zc-no^&2JJx6aetYSA|VbFg2+M$=JjMjooFJrD@ldV80}!>V|?bnjZL=!dBeXWoT)P zDHnS&dNUsV_!DZ6YEq5y(8QA${{Zw_d-CYaLIW-Yl7V6N@tgN}@5h(jw{Gx4@8ty- zefRHsRv!xin4^2P;LIxA-g`6s`sdjfepqyatW{Fb8he@M0G8?cHhu)!*Y|(VvEbHc z1Z$T7++N?F%j5C8TwXU5zl%MwV|83A0>}UdQMx! zmeX==A8at|&f!pN0@}~s0i<&|O%Qnz$*~xkE0j?dKWgAQ334mg+Q62AjEZhFS%}QX zP&8j`7^HDA$So8IR?w2AUq+&gG7SSsF>w}&2}MpQqJ*yB$OXB1(;(O&Q@O2&G??Hf z5vt@tt@mIV8x>MjkT@gRhXyVY-82+bs+n~h+0lYRVR3ootNmP*h;EZanPV=s?ZH!_tCKKx1oPQf2_dnvp3yr zS##z`H+s`<^wR&$`S{dsP8izOss2X)zA|#O*X?m!ag3uxy&XE*p7lTd*7nVj)_vQ` f4z any any (msg:"byte extract test 1"; byte_extract:2,0,two1,string,dec; content:"|33 34|"; offset:0; depth:two1; sid:1; rev:1;) +alert tcp-pkt any any -> any any (msg:"byte extract test 2"; byte_extract:1,2,two2,string,dec; content:"|33 34|"; offset:8; depth:two2; sid:2; rev:1;) +alert tcp-pkt any any -> any any (msg:"byte extract test 3"; byte_extract:1,2,two3,string,dec; byte_extract:1,5,eight,string,dec; content:"|33 34|"; offset:eight; depth:two3; sid:3; rev:1;) +alert tcp-pkt any any -> any any (msg:"byte extract test 4"; byte_extract:1,3,sixd1,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd1; sid:4; rev:1;) +alert tcp-pkt any any -> any any (msg:"byte extract test 5"; byte_extract:1,2,twow,string,dec; byte_extract:1,3,sixd2,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd2; within:twow; sid: 5; rev:1;) +alert tcp-pkt any any -> any any (msg:"byte extract test 6"; content:"|31 30|"; byte_extract:1,6,three1,relative,string,dec; content:"|36 10|"; offset:three1; depth:2; sid:6; rev:1;) +alert tcp-pkt any any -> any any (msg:"byte extract test 7"; byte_extract:1,2,dectwo1,string,dec; content:"|32|"; offset:dectwo1; depth:1; sid:7; rev:1;) +alert tcp-pkt any any -> any any (msg:"byte extract test 
8"; byte_extract:1,2,dectwo2,string,dec; content:"|32|"; offset:dectwo2; sid:8; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 9"; byte_extract:1,4,hexten; byte_extract:1,0,decone,string,dec; content:"|66|"; offset:hexten; depth:decone; sid:9; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 10"; byte_extract:1,4,two4; content:"|31|"; depth:1; content:"|2e|"; distance:two4; within:1; sid:10; rev:1;)
diff --git a/tests/byte-extract-01/test.yaml b/tests/byte-extract-01/test.yaml
new file mode 100644
index 000000000..e0f207b63
--- /dev/null
+++ b/tests/byte-extract-01/test.yaml
@@ -0,0 +1,58 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
-- 
2.47.2
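Review bot: Rule 5 in test.rules writes `sid: 5` with a space after the colon while every other rule writes `sid:N`; for consistency, and so the test does not rely on the rule parser tolerating that whitespace, change it to `sid:5;`. Rules 9 (`byte_extract:1,4,hexten`) and 10 (`byte_extract:1,4,two4`) are the only extractions without the `string,dec` modifiers, so they presumably read the raw byte value rather than an ASCII decimal digit, and rule 6 is the only `relative` extraction after a `content` match; a header comment such as `# sids 1-5,7-8: string/dec extraction; sid 6: relative extraction; sids 9-10: raw byte extraction` would tell a reader which byte_extract path each sid exercises without re-deriving it. A `# rules and pcap from https://redmine.openinfosecfoundation.org/issues/3047` line in the rules file would keep the provenance next to the rules rather than only in README.md. On this page the file header of this hunk appears merged with the preceding binary patch, so the beginning of rule 1 is not fully visible.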
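Review bot: `- -k none` under `args` in test.yaml is undocumented; a reader has to know it turns off Suricata's checksum verification, presumably so that packets in input.pcap with invalid checksums are still inspected, and a `# -k none: disable checksum validation for the packets in input.pcap` comment above it would make that explicit. The ten `filter` blocks assert exactly one alert per sid but nothing states what each sid covers; a one-line `# one alert per sid 1-10, each exercising a byte_extract variant (see test.rules)` above `checks:` would suffice. The YAML indentation appears collapsed to single spaces on this page, so the nesting of `count` and `match` under each `- filter:` item cannot be confirmed from here.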