From 101809e8194487f669fce4c1901dec4263d69e49 Mon Sep 17 00:00:00 2001 
From: Juliana Fajardini Date: Wed, 29 Oct 2025 17:31:48 -0700 Subject: [PATCH] tests: add 'drop and alert queue max' tests Related to Bug #5180 --- .../README.md | 24 ++++ .../suricata.yaml | 33 +++++ .../test.rules | 11 ++ .../test.yaml | 120 ++++++++++++++++++ .../writepcap.py | 10 ++ .../README.md | 27 ++++ .../http-extracted-01.pcap | Bin 0 -> 4255 bytes .../suricata.yaml | 35 +++++ .../test.rules | 16 +++ .../test.yaml | 106 ++++++++++++++++ .../README.md | 24 ++++ .../extracted-packet-http-sticky-server.pcap | Bin 0 -> 1037 bytes .../suricata.yaml | 33 +++++ .../test.rules | 11 ++ .../test.yaml | 90 +++++++++++++ 15 files changed, 540 insertions(+) create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-01/README.md create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-01/suricata.yaml create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.rules create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml create mode 100755 tests/alert-max/alert-max-append-higher-priority-drop-5180-01/writepcap.py create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-02/README.md create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-02/http-extracted-01.pcap create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-02/suricata.yaml create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.rules create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-03/README.md create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-03/extracted-packet-http-sticky-server.pcap create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-03/suricata.yaml create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.rules 
create mode 100644 tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/README.md b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/README.md new file mode 100644 index 000000000..ee51db3ce --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/README.md @@ -0,0 +1,24 @@ +# Test + +This is a test for a corner case scenario where the amount of alerts matching +against a single packet is bigger than ``packet_alert_max`` and the discarded +alert is for a rule with a ``drop`` action. + +Regardless of discarding the alert, Suricata must still enforce its ``drop`` +action, if that matched against the packet. + +This test is also particular as it only has one packet. + +Expected result: + +Alerts for sids 1, 2, 3 and 4. Alert for sid 5 should be discarded, but the `drop` +verdict should still be present. + +# PCAP + +Re-used from test alert-max-append-higher-priority's pcap script, to keep same +scenario. + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/5180 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/suricata.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/suricata.yaml new file mode 100644 index 000000000..520021553 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/suricata.yaml 
@@ -0,0 +1,33 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + verdict: true + payload-printable: yes + - http + - flow + - stats + - drop + - anomaly + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +action-order: + - alert + - drop + - pass + - reject + +stats: + enabled: yes + decoder-events: true + +# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +packet-alert-max: 3 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.rules b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.rules new file mode 100644 index 000000000..903ae4916 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.rules @@ -0,0 +1,11 @@ +# Engine-analysis' Internal id: 1 +alert tcp any any -> any any (msg:"Match rule 1"; dsize:<140; sid:1; rev:1;) +# Engine-analysis' Internal id: 2 +alert http any any -> any any (msg:"Match rule 2"; uricontent:"/index.html"; sid:2; rev:1;) +# Engine-analysis' Internal id: 3 +alert http any any -> any any (msg:"Match rule 3"; alert; http.request_line; bsize:10<>100; sid:3; rev:1;) +# Engine-analysis' Internal id: 4 +alert http any any -> any any (msg:"Match rule 4"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:4;) +# this one should not show in alert due to alert queue overflow +# Engine-analysis' Internal id: 0 +drop http any any -> any any (msg:"Match and drop rule 5"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:5;) diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml new file mode 100644 index 000000000..14c229b08 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml 
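Review bot: The non-default `action-order` (alert listed before drop) is the precondition for this scenario — it looks like what lets the four alert rules fill the 3-slot queue before the drop rule is appended — yet the only comment on it is the generic "The default order is pass, drop, reject, alert", so a reader could copy this block into a production config and have alerts take precedence over drops. Suggest replacing that comment with `# Test-only ordering: alert before drop so the drop rule is the one discarded by packet-alert-max: 3 (Bug #5180). Keep the default pass, drop, reject, alert order outside this test.` The `packet-alert-max: 3` line is coupled to the five rules in test.rules; a comment `# five rules match the single packet, two must overflow` makes that dependency explicit.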
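Review bot: The comment on sid 5 says only that it "should not show in alert due to alert queue overflow", which is the symptom, not the property under test; the README states the packet and flow must still be dropped even though the alert is discarded, and that should be on the rule itself: `# alert is discarded (queue overflow) but the drop verdict must still be enforced - Bug #5180`. Sids 4 and 5 are identical apart from the action and both omit `rev:` while sids 1-3 carry `rev:1;`; add `rev:1;` to both for consistency. The "Engine-analysis' Internal id" annotations are hand-maintained and do not follow file order, so a one-line note on how they were obtained (e.g. `--engine-analysis`) would keep them from silently drifting when a rule is edited.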
@@ -0,0 +1,120 @@ +args: +- -k none +- --runmode=single +- --set stream.midstream=true +- --simulate-ips + +pcap: ../alert-max-append-higher-priority/input.pcap + +checks: +# Sub-test 1 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + pcap_cnt: 1 + pkt_src: "wire/pcap" + alert.signature_id: 1 + verdict.action: drop +# Sub-test 2 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + pcap_cnt: 1 + pkt_src: "wire/pcap" + alert.signature_id: 2 + verdict.action: drop +# Sub-test 3 +- filter: + # suricata 7 doesn't show this alert. + # if we don't drop the flow, it matches against the stream + # (pkt_srt: stream (flow timeout)) + min-version: 9 + count: 1 + match: + event_type: alert + pcap_cnt: 1 + pkt_src: "wire/pcap" + alert.signature_id: 3 + verdict.action: drop +# Sub-test 4 +- filter: + # suricata 8 doesn't show this alert + lt-version: 8.0 + count: 1 + match: + event_type: alert + alert.signature_id: 4 +# Sub-test 5 +- filter: + # suricata 7 doesn't show this alert. 
+ # if we don't drop the flow, it matches against the stream + # (pkt_srt: stream (flow timeout)) + lt-version: 8.0 + count: 0 + match: + event_type: alert + pcap_cnt: 1 + pkt_src: "wire/pcap" + alert.signature_id: 3 + verdict.action: drop +# Sub-test 6 +- filter: + min-version: 9 + count: 0 + match: + event_type: alert + alert.signature_id: 4 +# Sub-test 7 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 5 +# Sub-test 8 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: drop + pkt_src: "wire/pcap" + pcap_cnt: 1 + drop.reason: rules +# Sub-test 9 +- filter: + count: 1 + match: + event_type: flow + flow.action: drop +# Sub-test 10 +- filter: + # as suricata 7 won't have a match for sid 3, + # the overflow check fails for 7 + min-version: 9 + count: 1 + match: + event_type: stats + stats.detect.alert_queue_overflow: 2 + stats.detect.alert: 3 + stats.decoder.pkts: 1 + stats.ips.blocked: 1 + stats.ips.accepted: 0 + stats.ips.drop_reason.rules: 1 +# Sub-test 11 +- filter: + lt-version: 8.0 + count: 1 + match: + event_type: stats + stats.detect.alert_queue_overflow: 1 + stats.detect.alert: 3 + stats.decoder.pkts: 1 + stats.ips.blocked: 1 + stats.ips.accepted: 0 + stats.ips.drop_reason.rules: 1 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/writepcap.py b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/writepcap.py new file mode 100755 index 000000000..1399831c4 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/writepcap.py 
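Review bot: Sub-tests 3, 4, 5, 6, 10 and 11 are gated with either `lt-version: 8.0` or `min-version: 9`, so on any 8.0.x build the sid 3 and sid 4 expectations and the entire stats block (`alert_queue_overflow`, `ips.blocked`, `drop_reason.rules`) are never asserted — the drop is only confirmed there through sub-tests 8 and 9. If 8.x genuinely behaves differently, add a third variant gated `min-version: 8` / `lt-version: 9` with its expected values; otherwise widen the existing filters. The `lt-version: 8.0.4` + `gt-version: 8.0.4` pair on sub-tests 1, 2 and 8 excludes exactly one release without saying why; a comment such as `# 8.0.4 excluded on purpose, see Bug #5180` would stop someone from "simplifying" it away. The comments on sub-tests 3 and 5 read `pkt_srt` where the matched field is `pkt_src`.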
@@ -0,0 +1,10 @@ +#!/usr/bin/env python +from scapy.all import * + +pkts = [] + +pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/"GET /index.html HTTP/1.0\r\nHost: www.openinfosecfoundation.org\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\r\nContent-Type: text/html\r\n" + +wrpcap('input.pcap', pkts) diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/README.md b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/README.md new file mode 100644 index 000000000..a0572d5fd --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/README.md @@ -0,0 +1,27 @@ +# Test + +This is a test for a corner case scenario where the amount of alerts matching +against a single packet is higher than ``packet_alert_max`` and the discarded +alert is for a rule with a ``drop`` action. + +Regardless of discarding the alert, Suricata must still enforce its ``drop`` +action, if that matched against the packet. + +Expected result: + +We should see one discarded alert, as there isn't enough space in the alert queue +for the rule with the "drop" action, and Suricata should block the traffic from +the matched packet onwards. + +Currently: + +Suricata 7 will tag the flow for dropping from packet 1. We see alerts for +sids 2, 3, and 5, only for said packet. + +## Pcap + +A single HTTP flow extracted from existing test ``http-protocol-inspect-v2`` pcap + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/5180 
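Review bot: writepcap.py writes `input.pcap` into this test directory, but test.yaml sets `pcap: ../alert-max-append-higher-priority/input.pcap`, so the committed script is not what produces the packet under test and the two can drift apart (the README itself says the sibling's script was re-used). Either commit the generated `input.pcap` here and drop the `pcap:` override, or remove the script and keep only the README pointer. Two small cleanups if it stays: `#!/usr/bin/env python` should be `#!/usr/bin/env python3` (current scapy releases are Python 3 only), and `flags='P''A'` is implicit concatenation of two literals that reads like a typo — write `flags='PA'`.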
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/http-extracted-01.pcap b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/http-extracted-01.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f213a3f1fefd069bdd77078901ca3851a57f972b GIT binary patch literal 4255 zc-rk&c~}$I79R+1kyzBK2oy#XM94})2!SABN5Di03e|pgNQNYmWy}Hu>p}z}YEi5U zq9U7G1UJ+w)E$b7B2p2-1x3MU1r(KvRD?GZz*b*B|9{`-&D_kr=bkzDp7nR@D@yZB z0W)B@4GaK)3Ho*nE$~^SHv>lD0AueT0F894j|Kt&)84PbeSp;?^VFIBxt)zKJcR@o zfX}>W>qL%=Na0)Bv&M=5ASgfpQV>WCLm~3{9E6dGMCf8sTR|eCa>PmHtRjTBWhQna85}DK`klInH z)gW38N1~C-9JMMLI?x~vbgqMIAo?UEB#>c^1XjV2j4V{jQIbfRppYpc5!v{KP$^TY zmc)oTfyOp8*T9Jy4&B&>C^D%cjzcxJAqut^6Kx+@Vw5TotQw+$!2$uFLL<`%_+X`4 z!v+Vf;7S%Nm0}sJ)+t0%A*7Ki71*%|_((OZB5}p2b=Y9IGD#|vK@>MK6?9rCMQxIx z_5>q6!J#oYR{*+^X`UdgAVo%af~t5njm(?{2EoEOCB>CWWl(7}IswlW3Sk75hiOAe zl*@<^g2;w;{ogre4i}7SWXEQn%Q#fB$KV{1K~ja0z#>ZJs4f&lAs!knMd0C~SQ=|& zawR%boQ)&e@Ht3fkV33Qnb_F5wQ3?fD9`N!Lx4i46iF3gHYiS#B191!D}yxfhh;wr zq*BAEJ|Pi25{u>LL81}0nphIcD8`*QxSu-#9}2?=i7S)Fqg&CbR07^lsZhW|OieZz zhb=pgEng&c`!e9w8m>g(YSO89` zEC6sHc`^h`2`n`LKEVY`3Fbwxmv52OI&uR5%tWO)#^Zo%BLHLnRLY36sn;-; z>UVo0=*Q>S&*g=H{s9X>egqfo{$R)g^u53zfGMgU;go?W@0;KlU>LAAueU^MW5YFaT8ua~LF)z$78cuTsiTomA3zG!lql zA_@C~q>SU(|6_9*tPpD?Y>?*a?n=P>qnvC|Akh**8XXLWbeMe@AdSkVxwB~uFeqGr zdD3qEXrup32Wl3!tM9NZ23D?0y)F;Q8flHw>C0%k8^^wc-Bg?28*wJzzUppFnx04Wy=z^$dL0L% z#}s?R1?s<5+Cwd+e-&{%ErG>ingS)WU0! 
zb&%v8wk3^{Lyd@gqZ4oTNyx&C{qP1UP9c%P@3VH}UoIQR*f)}ZVIl=we+z$e|pl`%eL8Jz%D_?^l5%e(_&g> zowDS;2g{*z7G?Q%RaLw98;BwmQpErY+Om#y-8lx7u%V@C8F^;yNO^Ff)g;cPW7kgS zHM%FYmN$h@nbbadqvamk_dtnBnzc2sDrMN6z|02~lDN_N3mXR`xHt^B2pD)%*6)(b=py)<1aPiZdJ!>DL8Uz9`tVhp?tEf6~+BRZZ)7lB)x6 z9Lj#cEk41p(89P zyG=*u$)2!h10nOTUVm9omP)Q0Ae^c-PpBP}tNZ@#&U+>yifhR0D^tlY4ovBMbo8&8 zTc{ERGSli;fpfhNr6*x`rjMIfb-7dRrsZxvOTe`cDSPs_lTVvoTcKLlf5dFdyBD}; zoY2?S@A~G9y?|RLjEPFQvBGTL#_B#hu+4koe7olNR$gXB_Ye1Wcf{CiyrT|&ueF>1 zpW3y8cJIQ(@pJaMkO4mHrnUK4o?^NTo}7Dqxqda zEzM=KgU{Y39ly5p{C4G~Vh6&kP2=~@IM2WBLfZK(WzIU?yv1GdJ5|XB`PuZPV|pa` zNxe;rUKAc#(MGxhU+DIk_4Q(l=G*9VwW}dLxM<;T(D`LaXQsa5)t2AtG5B8iny}tl zoXPD=oIJ(zNqF69W;W&GIg{o0a2}T91`!O?au^3cy&eKiUqxWo!$R+muZLhSs%bgj z!k!gviZY>6Y@$p)gM%A7Fk2N3e8IslIQRtzzu@2(9Q=R5!QtBe8H9*7A_VJm2=QO3 C`sL36 literal 0 Hc-jL100001 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/suricata.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/suricata.yaml new file mode 100644 index 000000000..a7e59ea3e --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/suricata.yaml @@ -0,0 +1,35 @@ +%YAML 1.1 +--- + +outputs: + - stats: + enabled: yes + filename: stats.log + append: yes # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + verdict: true + payload-printable: yes + - http + - flow + - stats + - drop + + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +action-order: + - alert + - drop + - pass + - reject + +# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +packet-alert-max: 3 
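Review bot: This config diverges from the 01 and 03 variants of the same scenario: it adds a `stats:` output to `stats.log` and omits the `anomaly` eve type and the `stats: decoder-events` block, yet test.yaml only reads `event_type: stats` from eve.json (subtest 10), so stats.log is unread output. Suggest removing the `stats.log` output and aligning the three suricata.yaml files so that a difference in results between the tests cannot be blamed on the config. The same caveat as the sibling test applies to `action-order`: it is the non-default order that makes the drop rule the overflowing one, and the comment should say so, e.g. `# test-only order (alert before drop); keep the default pass, drop, reject, alert elsewhere`.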
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.rules b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.rules
new file mode 100644
index 000000000..bc16c1009
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.rules
@@ -0,0 +1,16 @@
+# Engine-analysis' Internal id: 2
+# We don't expect this rule to match as the flow should be dropped before packets that
+# match against it would be inspected
+alert tcp any any -> any any (msg:"No match rule 1"; dsize:<140; sid:1; rev:1;)
+# Engine-analysis' Internal id: 3
+alert http any any -> any any (msg:"Match rule 2"; uricontent:"/pagead"; sid:2; rev:1;)
+# Engine-analysis' Internal id: 1
+alert http any any -> any any (msg:"Match rule 3"; http.request_line; content:"GET /pagead"; flowbits:set,suspiciousad; sid:3;)
+# Engine-analysis' Internal id: 0
+drop http any any -> any any (msg:"Match rule 4"; http.request_line; content:"GET /pagead"; flowbits:isset,suspiciousad; sid:4;)
+# Engine-analysis' Internal id: 4
+alert tcp any any -> any any (msg:"Match rule 5"; dsize:>720; sid:5; rev:1;)
+# Engine-analysis' Internal id: 5
+# We don't expect this rule to match as the flow should be dropped before packets that
+# match against it would be inspected
+alert tcp any any -> any any (msg:"No match rule 6"; tcp.flags:A; sid: 6; rev:1;)
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml
new file mode 100644
index 000000000..f8204218e
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml
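Review bot: The drop rule (sid 4) only fires because `flowbits:isset,suspiciousad` is satisfied by sid 3 setting the bit on the very same packet, so the whole drop-enforcement check rests on the setter being evaluated before the checker; that dependency is invisible in the file and deserves a comment on sid 4 such as `# relies on sid 3 setting the flowbit on this same packet; the drop must survive the alert queue overflow (Bug #5180)`. The sid 6 comment gives the right reason for the non-match (later packets are flow-dropped before inspection), but it is contradicted by the comment in test.yaml — keep the two in sync. Minor style: `sid: 6` has a space the other rules do not, and sids 3 and 4 lack the `rev:1;` the rest carry.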
@@ -0,0 +1,106 @@ +args: +- -k none +- --runmode=single +- --set stream.midstream=true +- --simulate-ips + +checks: +# Subtest 1 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 0 + match: + event_type: alert + alert.signature_id: 1 +# Subtest 2 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + alert.signature_id: 2 + pcap_cnt: 1 + pkt_src: "wire/pcap" + verdict.action: drop +# Subtest 3 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + alert.signature_id: 3 + pcap_cnt: 1 + pkt_src: "wire/pcap" + verdict.action: drop +# Subtest 4 +# Matches, but not enough space in packet alert queue +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 0 + match: + event_type: alert + alert.signature_id: 4 +# Subtest 5 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + alert.signature_id: 5 + pcap_cnt: 1 + pkt_src: "wire/pcap" + verdict.action: drop +# Subtest 6 +# Matches, but not enough space in packet alert queue +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 0 + match: + event_type: alert + alert.signature_id: 6 +# Subtest 7 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: drop + pcap_cnt: 1 + drop.reason: rules +# Subtest 8 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: drop + pcap_cnt: 2 + drop.reason: "flow drop" +# Subtest 9 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: flow + flow.action: "drop" +# Subtest 10 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: stats + stats.decoder.pkts: 7 + stats.detect.alert_queue_overflow: 1 + stats.detect.alert: 3 + stats.ips.accepted: 0 + stats.ips.blocked: 7 + stats.ips.drop_reason.flow_drop: 6 + stats.ips.drop_reason.rules: 1 
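Review bot: Subtest 6's comment says sid 6 "Matches, but not enough space in packet alert queue", but test.rules says sid 6 is not expected to match at all, and subtest 10 pins `stats.detect.alert_queue_overflow: 1` — a single overflow, which the rules only leave room for sid 4 to produce. One of the two comments is wrong, and because `count: 0` passes whether the rule overflowed or never matched, the assertion cannot tell them apart; suggest changing the comment to `# Does not match: packets after the first are flow-dropped before detection` (consistent with `drop_reason.flow_drop: 6`). Every check here is gated only by `lt-version: 8.0.4` / `gt-version: 8.0.4`, unlike the 01 variant where 7.x and 9.x have different expectations; a one-line note on why this pcap is version-stable (or a `# TODO verify on 9` if it has not been run there) would help the next maintainer.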
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/README.md b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/README.md new file mode 100644 index 000000000..f3abd7af4 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/README.md @@ -0,0 +1,24 @@ +# Test + +This is a test for a corner case scenario where the amount of alerts matching +against a single packet is bigger than ``packet_alert_max`` and the discarded +alert is for a rule with a ``drop`` action. + +Regardless of discarding the alert, Suricata must still enforce its ``drop`` +action, if that matched against the packet. + +This test is also particular as it only has one packet. + +Expected result: + +Alerts for sids 1, 2 and 3. Alerts for sid 4 and 5 should be discarded, but the +`drop` verdict should still be present. +There should be 2 alerts discarded (alert_queue_overflow). + +## PCAP + +Single packet extracted from flow/pcap from test http-sticky-server's pcap. + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/5180 
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/extracted-packet-http-sticky-server.pcap b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/extracted-packet-http-sticky-server.pcap new file mode 100644 index 0000000000000000000000000000000000000000..de4891191212c6bbd40a9effe4276add85b68606 GIT binary patch literal 1037 zc-mEv%d6vb6vv}iR0?$`h;D+5!I7rT`_U5aq-ompk={JoE(BeTna()i56+XLv~%b&mh{nu9?$glnM z=$CIH^^-?$fBNxvU;V1Sas9=6e?!nfn!zn6OExhmKr09K&IzuaI0R|IJHakXz`Y>m zL5j?cdt2Vw!SZaTwy-8vugO_nwBe_0jy3%(^JCC-?0QYi(iAvFn5Atv0$_vKad-gr z+B^q4MDQ!V4J+9>jAOe+HBtB-D@@(&n0MfL2Y!~r(-}-Ru?~EheIFJ!l|&1y$6?W; z2(pP)Wn+1!Od4<;MgSfFC(7=_;ze_dZK6$z!kak3z=rMFyYN|2y(Tyg*c6DAI++`$ zejE1B;ilmNFSZNN$XzFR&P?po-`hTDKNZmcX=lr$P4+n;2KFuo)o+Hz4Z^Y%hhU9; z;UVmWV;b*XBJpG+Srk@%R9))x!yfP8fS^zm!*PmrJF8mxhbx@(+eoOZv@ zqwSf(V>m}*G+Fuf<_un)ft85T<11x`c9M0za4tW1 zOYNiwwq#DI(~22Mr6rX|weW`H#Kbj4T+*278Hd5iM=bGZFgJ@-%2NB_>L8r?%M~%Q zV@EBA>1nZ+2Q%cShlPFs|TV&&D5CqGENKz95w|aMxs_P}XO|tWfFb3yd&)+9q zJn_rBnH+9)*O!uPlS_wepRJ8$Pd|mHTUVGKW^%b@DK#tyC5`n$}XAA-2@wMpeP#u++?3w$EUxdDn|bd!$g~AQrS^w|Anv^Uma~Xr-?f z2=LEn-kWflNO;}3J}{3PvOH=XSbnlRVe2czD6V*c(4w$Bci?IDOcH#5l^IK`%(!W2 zyAj4DG^G^^XUE- any any (msg:"Match rule 1"; dsize:>140; sid:1; rev:1;) +# Engine-analysis' Internal id: 2 +alert http any any -> any any (msg:"Match rule 2"; http.host; content:"clients1.google"; sid:2; rev:1;) +# Engine-analysis' Internal id: 3 +alert http any any -> any any (msg:"Match rule 3"; alert; http.method; bsize:3; sid:3; rev:1;) +# Engine-analysis' Internal id: 4 +alert http any any -> any any (msg:"Match rule 4"; http.method; content:"GET"; sid:4;) +# this one should not show in alert due to alert queue overflow +# Engine-analysis' Internal id: 0 +drop http any any -> any any (msg:"Match and drop rule 5"; http.request_line; content:"GET /complete/search"; sid:5;) 
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml new file mode 100644 index 000000000..16186c4be --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml @@ -0,0 +1,90 @@ +args: +- -k none +- --runmode=single +- --set stream.midstream=true +- --simulate-ips + +checks: +# Sub-test 1 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + pkt_src: "wire/pcap" + alert.signature_id: 1 + verdict.action: drop +# Sub-test 2 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + pkt_src: "wire/pcap" + alert.signature_id: 2 + verdict.action: drop +# Sub-test 3 +- filter: + # as with drop-5180-01 test, 7.0.x doesn't show this alert + min-version: 9 + count: 1 + match: + event_type: alert + pkt_src: "wire/pcap" + alert.signature_id: 3 + verdict.action: drop +# Sub-test 4 +- filter: + # as with drop-5180-01 test, 7.0.x shows this alert + lt-version: 8.0 + count: 1 + match: + event_type: alert + alert.signature_id: 4 +# Sub-test 5 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 5 +# Sub-test 6 +- filter: + min-version: 9 + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: drop + pkt_src: "wire/pcap" +# Sub-test 7 +- filter: + count: 1 + match: + event_type: flow + flow.action: drop +# Sub-test 8 +- filter: + min-version: 9 + count: 1 + match: + event_type: stats + stats.detect.alert_queue_overflow: 2 + stats.detect.alert: 3 + stats.decoder.pkts: 1 + stats.ips.blocked: 1 + stats.ips.accepted: 0 + stats.ips.drop_reason.rules: 1 +# Sub-test 9 +- filter: + lt-version: 8.0 + count: 1 + match: + event_type: stats + stats.detect.alert_queue_overflow: 1 + stats.detect.alert: 3 + stats.decoder.pkts: 1 + stats.ips.blocked: 1 + stats.ips.accepted: 0 + stats.ips.drop_reason.rules: 1 -- 2.47.3
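Review bot: Sub-test 6 stacks `min-version: 9` with `lt-version: 8.0.4` and `gt-version: 8.0.4`; if the filters are ANDed the check can never run (nothing is both >= 9 and < 8.0.4), and if `min-version` takes precedence the other two are dead — either way the intended version set is unclear. The equivalent sub-test 8 in the 01 variant uses only the `lt/gt 8.0.4` pair and also pins `drop.reason: rules`, which this one omits, so a drop event with any reason would satisfy it; suggest keeping `lt-version: 8.0.4`, `gt-version: 8.0.4`, adding `drop.reason: rules` and removing `min-version: 9`. As in the 01 test, the stats assertions (sub-tests 8 and 9) are gated `min-version: 9` / `lt-version: 8.0`, so `alert_queue_overflow` and `ips.blocked` are never checked on 8.0.x.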