From 16acca6349b629ef00d81cbe7160b3c813239e4d Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jeff@lucovsky.org>
Date: Sat, 12 Dec 2020 10:04:25 -0500
Subject: [PATCH] bug-4199: Tests for shared http request body

---
 tests/bug-4199/input.pcap | Bin 0 -> 2075 bytes
 tests/bug-4199/test.rules |   2 ++
 tests/bug-4199/test.yaml  |  15 +++++++++++++++
 3 files changed, 17 insertions(+)
 create mode 100644 tests/bug-4199/input.pcap
 create mode 100644 tests/bug-4199/test.rules
 create mode 100644 tests/bug-4199/test.yaml

diff --git a/tests/bug-4199/input.pcap b/tests/bug-4199/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b9eec15c8218b9bbcafb992452f367e7bf334bd5
GIT binary patch
literal 2075
zc-ozn3rtg27{_k`p<Jv%nF@+{5;Z(~`=CX*GNq`cQjjimz(B>?9_StI?WNpOz-2P0
zc50l;f-hvcxS><QcQPM<2F1vRGUv85b-{&^IbB3I-Q3(@=Kx}O%w)UC>EnFo{=Wac
z-~T)3R?Eqcya*p+=t?380s1;ve;}VI7ZFR*Z#)QH)-IneF1vYFmOw}>?q8QgEbx8O
zMZO|cka9uZ&EoJt?XnHUc=2(szP{x_1mWc~?zF($+gBhEk{Vqlk7GVw19UZ_r=tIO
z3~&c>^wSeDJ<0d+kC==zga_U%?iE=lp$zu@lgzizCt&(4L=%$ct2q}i9cA*v<Y$PS
zjHt<D=~fKt?ir!mj_5&^frvI6y@5f!n2d?W3K6jpy%s!15(TRVh>s7ANemW}^oHR?
zT}GxJNMIQ>=5w|Zp5n|L(CGC#iHwqoNDZ2zflNv%rId_HkkK+Jx<usbCD1Nb6+#w8
z(`^-u#bS^sDJh6ZHy9a~x0RUZfh8;tEdWh`j7*S&Ao(&yeq1C_ahwHa!&O>_mndWB
zQn7I$LaWiIr^NsZQv^W@G#1$+!9ug$W`&aYcuGns<O%VV0%RHr40dMlCK0JJ8X?Dv
z7qdp2iD3(AP*}lmF~9^1ECwDvkJBJZ5+x!R+E^AEdB(=lpa?=vY_Kq;uz#LMk0DNj
zY$0!^fn5G#PG8PJ8W@mX#%RE|O3K7er&C;Dvs=Xuy9MIR&?F*7Brc4t;zg-PnMk2*
zz$R)|jWAJ=cA4vJWgy{U0|p9%iqeRSgNfycn1g6JW0@y)&^+$prFNZtUh2cW!%NMW
zUPX@)Jx8vFyb*nJhLRGe3FmqH<;susD^D6j`3<bx`ed~7fGQF37ium%MiRXqD34>}
zh4o_+g9%Sm@DQ;D6Q3Ir$fZ({p%syt&|V7dG++xEwhTw&uv-_QveQ6scEkXw5-hcq
zqV;kqkj|wQN?H*MQquJ!i_60@USj60meEd7#Krx)ZF0mqn-kihNt|3x1D!^P?60H}
z#4^V!2g^GYlq^<6W*O`#IKrkc5)C&lcG1ku!hwy?`;1=YTq_;l^lNlH+w)WOI7fqP
zMyVTy#jR1TpHLnxE>d-ON*IndT;1KVQ}RbuYu%lr)+<Y9g9+*C`wenS_}}xRK0aJ8
z@bwEJ?q4v5MNHisa>V+^Zee5i_O<JtDz5z=rU?<|9@V*)R9$=LOyH4jdER@3`)tI*
z;OdiEIZR~MMi6*!+3x1lZzk2``F}_%+$ws<=WiX$shrisR`wEJYVfQzx1G;Sn{rIi
z@h!MC-ruz4GxdxUJt^B(u9zI2*mn0^XwCQjZxY!F>rxW7oH`ixfn1-wChdo^#Ond>
z)KKk)Kf8n;V$Ys4Uo4pSGui4*U)+}T+pU>jR$mR+S^wHxF0neYE1PSb&X_(8oh&?E
zT-yC`scGw>l~Wg$)*9BS{Xf|*4tuipKoi)s@4UUYVcPxN+p9g#vc7&)8*{Ji_C9B)
ztZnbE+V9+6TdN<;sed;}qpscWfOY3wCzoeWHoPCNp(szS@u{7d$K9#bPPypz<es=R
zlkIceTCv#C)69dqhcQ>`I-43>^SURrwHKVKVX5-H(=_IgwvvgD6bFO{yF&%e*){6u
zO?53*C|sxk54xxS@;IaU?)1(@Y4;j^1`e06s{Z>C;JVQ(vb9$R`t_LthPt={_X8%j
zRR3?{L?L1FA5HA6e(4TyqJIaNKfGUU?TFe@Ig#)b#SHc9WlY7yiXHz$V+W#MM+YBa
J@*Ae{@;|cSpj`j}

literal 0
Hc-jL100001

diff --git a/tests/bug-4199/test.rules b/tests/bug-4199/test.rules
new file mode 100644
index 000000000..2cb6dca99
--- /dev/null
+++ b/tests/bug-4199/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd) no transform"; flow:to_server,established; http.request_body;content:"/etc/passwd"; nocase; sid:1;)
+alert http any any -> $HOME_NET any (msg: "detect (/etc/passwd) with transform"; flow:to_server,established; http.request_body; url_decode; content:"/etc/passwd"; nocase; sid:2;)
diff --git a/tests/bug-4199/test.yaml b/tests/bug-4199/test.yaml
new file mode 100644
index 000000000..bea0b2118
--- /dev/null
+++ b/tests/bug-4199/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  min-version: 7
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
-- 
2.47.2