From 0bd88a394c20c40ecc8bff967753aeaa1176e644 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 12 Apr 2024 12:56:17 +0200
Subject: [PATCH] http: test FP for http.response_body

Ticket: 6948

We should not match on request body
---
 tests/http-post-data-decompression/test.rules | 1 +
 tests/http-post-data-decompression/test.yaml | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/tests/http-post-data-decompression/test.rules b/tests/http-post-data-decompression/test.rules
index 6ca8c9f7e..cd676a807 100644
--- a/tests/http-post-data-decompression/test.rules
+++ b/tests/http-post-data-decompression/test.rules
@@ -1 +1,2 @@
 alert http any any -> any any (msg: "GZIPPED REQUEST"; flow: established, to_server; content: "name"; http_client_body; nocase; sid: 1; rev: 1; )
+alert http any any -> any any (msg: "not in response"; http.response_body; content: "name"; nocase; sid: 2; rev: 1; )
diff --git a/tests/http-post-data-decompression/test.yaml b/tests/http-post-data-decompression/test.yaml
index 823312db7..e1810bbec 100644
--- a/tests/http-post-data-decompression/test.yaml
+++ b/tests/http-post-data-decompression/test.yaml
@@ -9,3 +9,9 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
+ - filter:
+ min-version: 8
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
-- 
2.47.2
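Review bot: The added sid 2 rule has no comment marking it as a negative test, and its msg `not in response` is easy to misread next to sid 1, which is expected to fire. A line above the rule such as `# sid 2 must never alert: "name" is expected only in the gzipped request body (ticket 6948)` would tell the next editor that a hit on this signature is the regression. That the response in the capture is free of "name" is inferred from the commit message, not visible in the hunk.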
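Review bot: The `count: 0` check for `alert.signature_id: 2` has no positive control, so it also passes if `http.response_body` is never inspected for this capture. A companion rule on content known to be in the response body, checked with `count: 1`, would show that the buffer is really evaluated and that the zero count reflects the fix. The string for that rule has to come from the pcap, which is not visible here. The check is also gated with `min-version: 8`, so if the fix for ticket 6948 is backported, the gate should be lowered to the first fixed release so older branches are covered as well.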