From 2b1ddf1c034b02d297ad2f18df04988410ff50d9 Mon Sep 17 00:00:00 2001 
From: Victor Julien Date: Tue, 30 Jan 2024 20:14:58 +0100 Subject: [PATCH] tests: add bug 2576 tests --- tests/bug-2576-01-ips/md5list.2576 | 1 + tests/bug-2576-01-ips/suricata.yaml | 146 ++++++++++++++++++++++++++++ tests/bug-2576-01-ips/temp6.pcap | Bin 0 -> 4594 bytes tests/bug-2576-01-ips/test.rules | 1 + tests/bug-2576-01-ips/test.yaml | 17 ++++ tests/bug-2576-01/md5list.2576 | 1 + tests/bug-2576-01/suricata.yaml | 146 ++++++++++++++++++++++++++++ tests/bug-2576-01/temp6.pcap | Bin 0 -> 4594 bytes tests/bug-2576-01/test.rules | 1 + tests/bug-2576-01/test.yaml | 17 ++++ tests/bug-2576-02-ips/md5list.2576 | 1 + tests/bug-2576-02-ips/suricata.yaml | 146 ++++++++++++++++++++++++++++ tests/bug-2576-02-ips/temp1.pcap | Bin 0 -> 6155 bytes tests/bug-2576-02-ips/test.rules | 1 + tests/bug-2576-02-ips/test.yaml | 17 ++++ tests/bug-2576-02/md5list.2576 | 1 + tests/bug-2576-02/suricata.yaml | 146 ++++++++++++++++++++++++++++ tests/bug-2576-02/temp1.pcap | Bin 0 -> 6155 bytes tests/bug-2576-02/test.rules | 1 + tests/bug-2576-02/test.yaml | 17 ++++ tests/bug-2576-03-ips/md5list.2576 | 1 + tests/bug-2576-03-ips/suricata.yaml | 146 ++++++++++++++++++++++++++++ tests/bug-2576-03-ips/temp6.pcap | Bin 0 -> 4594 bytes tests/bug-2576-03-ips/test.rules | 1 + tests/bug-2576-03-ips/test.yaml | 17 ++++ tests/bug-2576-03/md5list.2576 | 1 + tests/bug-2576-03/suricata.yaml | 146 ++++++++++++++++++++++++++++ tests/bug-2576-03/temp6.pcap | Bin 0 -> 4594 bytes tests/bug-2576-03/test.rules | 1 + tests/bug-2576-03/test.yaml | 17 ++++ tests/bug-2576-04-ips/md5list.2576 | 1 + tests/bug-2576-04-ips/suricata.yaml | 146 ++++++++++++++++++++++++++++ tests/bug-2576-04-ips/temp6.pcap | Bin 0 -> 4594 bytes tests/bug-2576-04-ips/test.rules | 2 + tests/bug-2576-04-ips/test.yaml | 22 +++++ tests/bug-2576-04/md5list.2576 | 1 + tests/bug-2576-04/suricata.yaml | 146 ++++++++++++++++++++++++++++ tests/bug-2576-04/temp6.pcap | Bin 0 -> 4594 bytes tests/bug-2576-04/test.rules | 2 + tests/bug-2576-04/test.yaml 
| 22 +++++ 40 files changed, 1332 insertions(+) create mode 100644 tests/bug-2576-01-ips/md5list.2576 create mode 100644 tests/bug-2576-01-ips/suricata.yaml create mode 100644 tests/bug-2576-01-ips/temp6.pcap create mode 100644 tests/bug-2576-01-ips/test.rules create mode 100644 tests/bug-2576-01-ips/test.yaml create mode 100644 tests/bug-2576-01/md5list.2576 create mode 100644 tests/bug-2576-01/suricata.yaml create mode 100644 tests/bug-2576-01/temp6.pcap create mode 100644 tests/bug-2576-01/test.rules create mode 100644 tests/bug-2576-01/test.yaml create mode 100644 tests/bug-2576-02-ips/md5list.2576 create mode 100644 tests/bug-2576-02-ips/suricata.yaml create mode 100644 tests/bug-2576-02-ips/temp1.pcap create mode 100644 tests/bug-2576-02-ips/test.rules create mode 100644 tests/bug-2576-02-ips/test.yaml create mode 100644 tests/bug-2576-02/md5list.2576 create mode 100644 tests/bug-2576-02/suricata.yaml create mode 100644 tests/bug-2576-02/temp1.pcap create mode 100644 tests/bug-2576-02/test.rules create mode 100644 tests/bug-2576-02/test.yaml create mode 100644 tests/bug-2576-03-ips/md5list.2576 create mode 100644 tests/bug-2576-03-ips/suricata.yaml create mode 100644 tests/bug-2576-03-ips/temp6.pcap create mode 100644 tests/bug-2576-03-ips/test.rules create mode 100644 tests/bug-2576-03-ips/test.yaml create mode 100644 tests/bug-2576-03/md5list.2576 create mode 100644 tests/bug-2576-03/suricata.yaml create mode 100644 tests/bug-2576-03/temp6.pcap create mode 100644 tests/bug-2576-03/test.rules create mode 100644 tests/bug-2576-03/test.yaml create mode 100644 tests/bug-2576-04-ips/md5list.2576 create mode 100644 tests/bug-2576-04-ips/suricata.yaml create mode 100644 tests/bug-2576-04-ips/temp6.pcap create mode 100644 tests/bug-2576-04-ips/test.rules create mode 100644 tests/bug-2576-04-ips/test.yaml create mode 100644 tests/bug-2576-04/md5list.2576 create mode 100644 tests/bug-2576-04/suricata.yaml create mode 100644 tests/bug-2576-04/temp6.pcap create mode 
100644 tests/bug-2576-04/test.rules
create mode 100644 tests/bug-2576-04/test.yaml
diff --git a/tests/bug-2576-01-ips/md5list.2576 b/tests/bug-2576-01-ips/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-01-ips/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-01-ips/suricata.yaml b/tests/bug-2576-01-ips/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-01-ips/suricata.yaml
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
diff --git a/tests/bug-2576-01-ips/temp6.pcap b/tests/bug-2576-01-ips/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zc-oa$Yj7J^72eoRXhp;%JjNXgnOlJ$c}OeCcH+od#ctv@rg0)-g$8KG-N%)*_G)*t zdnMUrI@mxMIwYj&D>P2il!@ao$W77-nFG{(u=WlRx}OXRJJab%2!D58&Lp zE9>En3>ry$_w2dfcg}Yo=kE1i|NM<6u7#_7TDVp4|F1*2Z|-^Slbi`{`s3Da?D*4h z_@DXh;Rm=uj+6X{`ni7o;!D50z_r5fvmA#HULp^EoEzklUpu2uF|T;*U%+ck$5G#C z_`^@#c&lS}1DEXhXkRylJlizZ|Fa&BYie1YY-xJHckRi8zoGV3&CQ>n{Ow!THsUw? zxe&iFUCr+>J5f~lLu~gp*gv3tp9}zj@B5sJ^-2zyto$p7UTMIL#~sp_ZS!N$@S1! z|Bclg_xNB6@o0A{mE##V43gLM)^Pi8Qo)^60Psd|1Qn9=ha{k{QN#wI-8 z#BcKZb{jS{i^XC{5>+K1l8v0-x6{ydEECnxW9SKt&ESBh7O>yv_tDh!Kdj{>$V&1` zE#*Ji&u!v=m2EJL{aokNzrkzG^^v+^Y=-pCCD%QDZ{|pO`clT&^|jn3NS6NU8CRe2 z|Clnq_r*qxt0$)ZLm7YHbU(%i5yzEfMA2{t)$Ro;G90ZYw zWoR*ET53Tgcni{vpiCdJmQ4%`TBc=8Oa?7n5H(dPdl5_2?X+PvkeZ^yAO`nfJwviF z6z%GbRII5<6UPw26NJx_oaXoK0_Yfe%u=_YNEi*|Gmt{07lpUSx}z~@JU*QA`v!@a ziJ?GGZ|~M{w;~6(cPjzEZ;xn`;IN^nX%#CmG;HWwfDL^`)G5X`6zPgZx5aw4Iv7by z%;dz_Qm%gA2(}8?0&&t9v;`}&Y6lB~ef*%p6f*S?*puO|l)%`!m^!Qe=0Aa!5_h9?+I#F-t% zvshFT@f;>1coH*+59if_AiHW2Pz$*?!jfoxa#pl#OoTj12YZ+IJ{UYO04d}k997aP z07HYqppwCEhq6`FisGb=bTNko3#YMVVJi`bWjBs2tO+)m)Uch!m>?RB6NPNsC=1R4 zWsUK?9SKQ_O@L3PO7IpB>yl?O^O9m%&+v{)IaLoq-$b0KM8k>OufAWpdVcZB)Z&#N ze)Qha#f7t_%WvI&efIA3i*ep@iStY$6qgKT649uHFNNVF%V1N~0#X&BXo;o?K`$BH zF7!^;MB8SD(ONg>fjvqmvxjMP8K{omZ^E*RMok#)KJkZR0ah>;{ zVwLGL4J*^sG)L>iAOBffCniQ%op|W!dpmx|aa2MNAtj<$3&}>p&PzF!iE8KFaj0Ie zwf$)hZ#33xhUqo7f?j`PdY$&r>mt=_`p=GDv%qx%YU&BEy82!JX;xRe8`jlB)2mor zeYj4qi)FpO`Zyg+iI=@|yts{u-PVP_y1GExhc+$5#dD zHWb)Ea!^)7MN1{Pv!fh%;Qxr+jXE!MY(`j@4FwTJ3^M6F5`W-4@~AWW_qWY|dmM*-DU!(ve>*Uj31?qj^nP)v9tHkPO%sAEozh zU}l*~HWTf#VNUkZBWJrV*=8T}bD9n3t&%5`d}49o+U=JvIDwR&J65`OajZ66Nv4t?wPbGdEp2e(dh~A5@SQuU;D3nY{Dnbhryb?J6CA zr_4Z4HTOHlWNbP!%PD&f2v5&u^y;2<=>~o5M#Ez88Y>3b6^g;%SuvPdUJRbSnOyhn zDeDVPF?hK#*BQo@S%K>xjO&yq*LvW3*x_3LEq|j|$hTRc9%}pwIo-@&A@|l6o@Z|Y z-z any any (msg:"filemd5"; 
filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-01-ips/test.yaml b/tests/bug-2576-01-ips/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-01-ips/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-01/md5list.2576 b/tests/bug-2576-01/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-01/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-01/suricata.yaml b/tests/bug-2576-01/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-01/suricata.yaml
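Review bot: tests/bug-2576-01-ips/test.yaml is byte-identical to tests/bug-2576-01/test.yaml (both blobs are index 8663071fc), and the -ips directory's suricata.yaml (1e40c3aaa), md5list.2576 (f754e17b2) and temp6.pcap (cdaa6625d…) share blob ids with the non-IPS copy as well, so nothing in this hunk puts Suricata into IPS mode. Unless the runner derives inline mode from the directory name, which I do not see here, the -ips test needs something like `args:` / `  - --simulate-ips` in test.yaml to cover the inline path; as written it passes or fails together with bug-2576-01 and adds no coverage. The same applies to bug-2576-02-ips, whose test.yaml is also index 8663071fc, and the diffstat line counts suggest 03-ips and 04-ips mirror their non-IPS twins too, though their blob ids are outside this chunk.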
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
diff --git a/tests/bug-2576-01/temp6.pcap b/tests/bug-2576-01/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zc-oa$Yj7J^72eoRXhp;%JjNXgnOlJ$c}OeCcH+od#ctv@rg0)-g$8KG-N%)*_G)*t zdnMUrI@mxMIwYj&D>P2il!@ao$W77-nFG{(u=WlRx}OXRJJab%2!D58&Lp zE9>En3>ry$_w2dfcg}Yo=kE1i|NM<6u7#_7TDVp4|F1*2Z|-^Slbi`{`s3Da?D*4h z_@DXh;Rm=uj+6X{`ni7o;!D50z_r5fvmA#HULp^EoEzklUpu2uF|T;*U%+ck$5G#C z_`^@#c&lS}1DEXhXkRylJlizZ|Fa&BYie1YY-xJHckRi8zoGV3&CQ>n{Ow!THsUw? zxe&iFUCr+>J5f~lLu~gp*gv3tp9}zj@B5sJ^-2zyto$p7UTMIL#~sp_ZS!N$@S1! z|Bclg_xNB6@o0A{mE##V43gLM)^Pi8Qo)^60Psd|1Qn9=ha{k{QN#wI-8 z#BcKZb{jS{i^XC{5>+K1l8v0-x6{ydEECnxW9SKt&ESBh7O>yv_tDh!Kdj{>$V&1` zE#*Ji&u!v=m2EJL{aokNzrkzG^^v+^Y=-pCCD%QDZ{|pO`clT&^|jn3NS6NU8CRe2 z|Clnq_r*qxt0$)ZLm7YHbU(%i5yzEfMA2{t)$Ro;G90ZYw zWoR*ET53Tgcni{vpiCdJmQ4%`TBc=8Oa?7n5H(dPdl5_2?X+PvkeZ^yAO`nfJwviF z6z%GbRII5<6UPw26NJx_oaXoK0_Yfe%u=_YNEi*|Gmt{07lpUSx}z~@JU*QA`v!@a ziJ?GGZ|~M{w;~6(cPjzEZ;xn`;IN^nX%#CmG;HWwfDL^`)G5X`6zPgZx5aw4Iv7by z%;dz_Qm%gA2(}8?0&&t9v;`}&Y6lB~ef*%p6f*S?*puO|l)%`!m^!Qe=0Aa!5_h9?+I#F-t% zvshFT@f;>1coH*+59if_AiHW2Pz$*?!jfoxa#pl#OoTj12YZ+IJ{UYO04d}k997aP z07HYqppwCEhq6`FisGb=bTNko3#YMVVJi`bWjBs2tO+)m)Uch!m>?RB6NPNsC=1R4 zWsUK?9SKQ_O@L3PO7IpB>yl?O^O9m%&+v{)IaLoq-$b0KM8k>OufAWpdVcZB)Z&#N ze)Qha#f7t_%WvI&efIA3i*ep@iStY$6qgKT649uHFNNVF%V1N~0#X&BXo;o?K`$BH zF7!^;MB8SD(ONg>fjvqmvxjMP8K{omZ^E*RMok#)KJkZR0ah>;{ zVwLGL4J*^sG)L>iAOBffCniQ%op|W!dpmx|aa2MNAtj<$3&}>p&PzF!iE8KFaj0Ie zwf$)hZ#33xhUqo7f?j`PdY$&r>mt=_`p=GDv%qx%YU&BEy82!JX;xRe8`jlB)2mor zeYj4qi)FpO`Zyg+iI=@|yts{u-PVP_y1GExhc+$5#dD zHWb)Ea!^)7MN1{Pv!fh%;Qxr+jXE!MY(`j@4FwTJ3^M6F5`W-4@~AWW_qWY|dmM*-DU!(ve>*Uj31?qj^nP)v9tHkPO%sAEozh zU}l*~HWTf#VNUkZBWJrV*=8T}bD9n3t&%5`d}49o+U=JvIDwR&J65`OajZ66Nv4t?wPbGdEp2e(dh~A5@SQuU;D3nY{Dnbhryb?J6CA zr_4Z4HTOHlWNbP!%PD&f2v5&u^y;2<=>~o5M#Ez88Y>3b6^g;%SuvPdUJRbSnOyhn zDeDVPF?hK#*BQo@S%K>xjO&yq*LvW3*x_3LEq|j|$hTRc9%}pwIo-@&A@|l6o@Z|Y z-z any any (msg:"filemd5"; 
filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-01/test.yaml b/tests/bug-2576-01/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-01/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-02-ips/md5list.2576 b/tests/bug-2576-02-ips/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-02-ips/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-02-ips/suricata.yaml b/tests/bug-2576-02-ips/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-02-ips/suricata.yaml
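Review bot: The `requires: features:` block gates this test on HAVE_LIBJANSSON and HAVE_NSS, but filemd5 matching no longer depends on NSS in builds where hashing moved to the Rust side, and a runner that gates strictly on reported feature names would then skip the test silently on exactly the builds the regression matters for. Consider dropping the two feature names, or replacing them with a `min-version:` pinned to the release that carries the bug 2576 fix; confirm against the feature list the target Suricata prints in its build info before deciding. The same block appears in bug-2576-01-ips, bug-2576-02 and bug-2576-02-ips.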
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
diff --git a/tests/bug-2576-02-ips/temp1.pcap b/tests/bug-2576-02-ips/temp1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9550b4f2ba02ffa6494cf044032e7e96701eaba9 GIT binary patch literal 6155 zc-rk)YitzP6&~A|CR?_GKIABA(apBT=CM1wYa7gZXR!lLZ~}OXO+(WlXLjc9?wHw` zVdn0xH&s--Em5OF3C)8B6GAGCNkI*1tpt%c^dYrUqpFpP#Gn2kl9$J?s4cWjr9RHR zGwXeLShrGtdga}@bLZUio%7v$&v!jne)*Hv8@Xj%`Lm2`fZu=Y%Y1FebD!i4XwxsZ zVr|bXpyRVn)<gro(dn+ed?))a9wh(cT|-aa`lF=J>M4dpwsP-}@`t-_X?b35vgF z!-{(NMlToOXD2H0ZDc!&GJatB=0g;l#=ym=R=2lUjSxfEsZS&B>0AlFq3T2N!+`%J zKtJh*zsq~zzsSG6|nzayB688Lwxnu4z~zimpY_V;CF$K2^zKugB}5scFAo z!6hK8gj;IE-ebMoI{xSBI@8$8wU7S`td?IHs+q z>9-cK`K0#;6!E<;)I)3@8~-;&{9WVS5bs4CSE3PxgF!U-ScxkCZc$5ND}oXQf-Rs& zl+xG_BoR|rBgin7oJjBnr0IT%K4LA4=q9ubQy(k%O`H=|MJ`zpQ`D@aZq}iidWT8$ z@4#A$q$4QY(H$!H4i^j@K?IKxK20*J*Ru^=N6^EjvH^vHs4ts>6hhr7xH-}pjzHs) zox@&FKM_+AA0-WcqZCI9A5+2{4_5G~^0smn@I!Eyxc)U^$Oh8`6)>SGfMbwt9O zB3&D8A8}JmWyHvQu3pa&Hgnhna*`Oh3kJFap>EnsfFXUq0%1M0ZE*J!LU>b0sH+EM z#4*2^!b11P&S0I%KA|>jYT;Y&0r#eB{BT?Kvu~KlEW4Owvclp%#+q5rA5=iM97k)zkA{6z5YFY zkU|E+Q4(s|!9c&zFQ>3Gpwug>d9h$2P0V1y#7S(L*o;MC+wDgtRt1X`RBWX&CWuC3 zM?KAL<(6Wia}tWd@;uXFt|T&56#Q-vk6AF8@hp2R+NNrR~Hhq zL@+><4l=8Q&*YBCpfATfB3jsC&q@DPTcp@?Jd9II7*=lkqM$z63J%5$|f=j zBh|_}^H8~8tH;wEUa!yBB;#vz5x)M)_&VXj*E!19#Gh=wrU2_GXzEcnUHz8#1k=^d zy1Ke=qJin^12ue|EAjQ^&v6{lfE1pw2D{a%70#}8E>3yK(uFKmRYeWwt@74&*7WEI zG3f(`zlE+QC?i&f^Pn_sE5KGH7@MVN+))Yo0E)axP}4!l@5w0E)*x< zcXN<)9iD?as8>3;IsNRdA0BmcKop!1U7fHeRZeDRiqB8mPBh(;OxVA!w3KV2tuRn* zL0wWxatmv%5i>>)F;wu%nprlswWF^!{4o4gd1wtMTRW2Fvf0`phvs8s-kb>41ZdW~ z#o3qa`1pzdorVkrBm=S<$eRkm?QNyNeg8w`PSjbUZ9T%8q|12E?g6Ujx(1%x^NJ?x z`GBfRB9({$^}il1=(ezEN@*kr0`mFL7UbLFLvV&#<6FBP`O3KpA==UAv-9)(C*mn3kethvp@y}`sfy&RzPRUD4c@tYTIe z_a$^Fix1IzCorRgBpIW7ofZZd|7K4}SW1VDJsYS5<&ajTVVyyzK2W+fg{Ijm`yupO0Z4u#VWWsa* zlJG1E&yw&g3D1)7{2ztqw@{$dP@B_kV(^6bM@$R`>xw~V%g0O%4%djm6cvMU5S}~m zUt2>%vxgRK+DCC$ecfB{-QwHqKe&PV?-nPT*t^AD)xz-1HHuB&^gTaa`EK!z`iSo^ 
w#O;e9E@Oy0T@hCS;+aasw*j$^&|YNR?yN7g4{oE}uHNOs?T1X%@8`Jx0I)?K>;M1& literal 0 Hc-jL100001
diff --git a/tests/bug-2576-02-ips/test.rules b/tests/bug-2576-02-ips/test.rules
new file mode 100644
index 000000000..8c2aa9218
--- /dev/null
+++ b/tests/bug-2576-02-ips/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-02-ips/test.yaml b/tests/bug-2576-02-ips/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-02-ips/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-02/md5list.2576 b/tests/bug-2576-02/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-02/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-02/suricata.yaml b/tests/bug-2576-02/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-02/suricata.yaml
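Review bot: None of the bug-2576 directories carries a README.md, so a reader has only the directory name, a rule whose message is `msg:"filemd5"` and an unexplained `count: 1` on the fileinfo event to infer what bug 2576 is and why 02 uses temp1.pcap while 01 uses temp6.pcap. A few lines per test (or one README in bug-2576-01 that the others point to) stating the regression being pinned, what each pcap exercises, and why an IPS twin exists would make the checks in this hunk reviewable; the expected md5 090fe607a5be1228362614ccaa088577 could be named there as the hash of the transferred file. The rule line also writes `sid: 3; rev: 1;` with spaces after the colons, which parses but is worth normalizing to the usual `sid:3; rev:1;` form.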
@@ -0,0 +1,146 @@
+%YAML 1.1
+---
+
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ pcap-file: false
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
+ # Use version 2 logging with the new format:
+ # DNS answers will be logged in one single event
+ # rather than an event for each of it.
+ # Without setting a version the version
+ # will fallback to 1 for backwards compatibility.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: no
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Answer types to log.
+ # Default: all
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
diff --git a/tests/bug-2576-02/temp1.pcap b/tests/bug-2576-02/temp1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9550b4f2ba02ffa6494cf044032e7e96701eaba9 GIT binary patch literal 6155 zc-rk)YitzP6&~A|CR?_GKIABA(apBT=CM1wYa7gZXR!lLZ~}OXO+(WlXLjc9?wHw` zVdn0xH&s--Em5OF3C)8B6GAGCNkI*1tpt%c^dYrUqpFpP#Gn2kl9$J?s4cWjr9RHR zGwXeLShrGtdga}@bLZUio%7v$&v!jne)*Hv8@Xj%`Lm2`fZu=Y%Y1FebD!i4XwxsZ zVr|bXpyRVn)<gro(dn+ed?))a9wh(cT|-aa`lF=J>M4dpwsP-}@`t-_X?b35vgF z!-{(NMlToOXD2H0ZDc!&GJatB=0g;l#=ym=R=2lUjSxfEsZS&B>0AlFq3T2N!+`%J zKtJh*zsq~zzsSG6|nzayB688Lwxnu4z~zimpY_V;CF$K2^zKugB}5scFAo z!6hK8gj;IE-ebMoI{xSBI@8$8wU7S`td?IHs+q z>9-cK`K0#;6!E<;)I)3@8~-;&{9WVS5bs4CSE3PxgF!U-ScxkCZc$5ND}oXQf-Rs& zl+xG_BoR|rBgin7oJjBnr0IT%K4LA4=q9ubQy(k%O`H=|MJ`zpQ`D@aZq}iidWT8$ z@4#A$q$4QY(H$!H4i^j@K?IKxK20*J*Ru^=N6^EjvH^vHs4ts>6hhr7xH-}pjzHs) zox@&FKM_+AA0-WcqZCI9A5+2{4_5G~^0smn@I!Eyxc)U^$Oh8`6)>SGfMbwt9O zB3&D8A8}JmWyHvQu3pa&Hgnhna*`Oh3kJFap>EnsfFXUq0%1M0ZE*J!LU>b0sH+EM z#4*2^!b11P&S0I%KA|>jYT;Y&0r#eB{BT?Kvu~KlEW4Owvclp%#+q5rA5=iM97k)zkA{6z5YFY zkU|E+Q4(s|!9c&zFQ>3Gpwug>d9h$2P0V1y#7S(L*o;MC+wDgtRt1X`RBWX&CWuC3 zM?KAL<(6Wia}tWd@;uXFt|T&56#Q-vk6AF8@hp2R+NNrR~Hhq zL@+><4l=8Q&*YBCpfATfB3jsC&q@DPTcp@?Jd9II7*=lkqM$z63J%5$|f=j zBh|_}^H8~8tH;wEUa!yBB;#vz5x)M)_&VXj*E!19#Gh=wrU2_GXzEcnUHz8#1k=^d zy1Ke=qJin^12ue|EAjQ^&v6{lfE1pw2D{a%70#}8E>3yK(uFKmRYeWwt@74&*7WEI zG3f(`zlE+QC?i&f^Pn_sE5KGH7@MVN+))Yo0E)axP}4!l@5w0E)*x< zcXN<)9iD?as8>3;IsNRdA0BmcKop!1U7fHeRZeDRiqB8mPBh(;OxVA!w3KV2tuRn* zL0wWxatmv%5i>>)F;wu%nprlswWF^!{4o4gd1wtMTRW2Fvf0`phvs8s-kb>41ZdW~ z#o3qa`1pzdorVkrBm=S<$eRkm?QNyNeg8w`PSjbUZ9T%8q|12E?g6Ujx(1%x^NJ?x z`GBfRB9({$^}il1=(ezEN@*kr0`mFL7UbLFLvV&#<6FBP`O3KpA==UAv-9)(C*mn3kethvp@y}`sfy&RzPRUD4c@tYTIe z_a$^Fix1IzCorRgBpIW7ofZZd|7K4}SW1VDJsYS5<&ajTVVyyzK2W+fg{Ijm`yupO0Z4u#VWWsa* zlJG1E&yw&g3D1)7{2ztqw@{$dP@B_kV(^6bM@$R`>xw~V%g0O%4%djm6cvMU5S}~m zUt2>%vxgRK+DCC$ecfB{-QwHqKe&PV?-nPT*t^AD)xz-1HHuB&^gTaa`EK!z`iSo^ w#O;e9E@Oy0T@hCS;+aasw*j$^&|YNR?yN7g4{oE}uHNOs?T1X%@8`Jx0I)?K>;M1& 
literal 0 Hc-jL100001
diff --git a/tests/bug-2576-02/test.rules b/tests/bug-2576-02/test.rules
new file mode 100644
index 000000000..8c2aa9218
--- /dev/null
+++ b/tests/bug-2576-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-02/test.yaml b/tests/bug-2576-02/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-02/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-03-ips/md5list.2576 b/tests/bug-2576-03-ips/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-03-ips/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-03-ips/suricata.yaml b/tests/bug-2576-03-ips/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-03-ips/suricata.yaml
@@ -0,0 +1,146 @@
+%YAML 1.1
+---
+
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ pcap-file: false
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
+ # Use version 2 logging with the new format:
+ # DNS answers will be logged in one single event
+ # rather than an event for each of it.
+ # Without setting a version the version
+ # will fallback to 1 for backwards compatibility.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: no
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Answer types to log.
+ # Default: all
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
diff --git a/tests/bug-2576-03-ips/temp6.pcap b/tests/bug-2576-03-ips/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zc-oa$Yj7J^72eoRXhp;%JjNXgnOlJ$c}OeCcH+od#ctv@rg0)-g$8KG-N%)*_G)*t zdnMUrI@mxMIwYj&D>P2il!@ao$W77-nFG{(u=WlRx}OXRJJab%2!D58&Lp zE9>En3>ry$_w2dfcg}Yo=kE1i|NM<6u7#_7TDVp4|F1*2Z|-^Slbi`{`s3Da?D*4h z_@DXh;Rm=uj+6X{`ni7o;!D50z_r5fvmA#HULp^EoEzklUpu2uF|T;*U%+ck$5G#C z_`^@#c&lS}1DEXhXkRylJlizZ|Fa&BYie1YY-xJHckRi8zoGV3&CQ>n{Ow!THsUw? zxe&iFUCr+>J5f~lLu~gp*gv3tp9}zj@B5sJ^-2zyto$p7UTMIL#~sp_ZS!N$@S1! z|Bclg_xNB6@o0A{mE##V43gLM)^Pi8Qo)^60Psd|1Qn9=ha{k{QN#wI-8 z#BcKZb{jS{i^XC{5>+K1l8v0-x6{ydEECnxW9SKt&ESBh7O>yv_tDh!Kdj{>$V&1` zE#*Ji&u!v=m2EJL{aokNzrkzG^^v+^Y=-pCCD%QDZ{|pO`clT&^|jn3NS6NU8CRe2 z|Clnq_r*qxt0$)ZLm7YHbU(%i5yzEfMA2{t)$Ro;G90ZYw zWoR*ET53Tgcni{vpiCdJmQ4%`TBc=8Oa?7n5H(dPdl5_2?X+PvkeZ^yAO`nfJwviF z6z%GbRII5<6UPw26NJx_oaXoK0_Yfe%u=_YNEi*|Gmt{07lpUSx}z~@JU*QA`v!@a ziJ?GGZ|~M{w;~6(cPjzEZ;xn`;IN^nX%#CmG;HWwfDL^`)G5X`6zPgZx5aw4Iv7by z%;dz_Qm%gA2(}8?0&&t9v;`}&Y6lB~ef*%p6f*S?*puO|l)%`!m^!Qe=0Aa!5_h9?+I#F-t% zvshFT@f;>1coH*+59if_AiHW2Pz$*?!jfoxa#pl#OoTj12YZ+IJ{UYO04d}k997aP z07HYqppwCEhq6`FisGb=bTNko3#YMVVJi`bWjBs2tO+)m)Uch!m>?RB6NPNsC=1R4 zWsUK?9SKQ_O@L3PO7IpB>yl?O^O9m%&+v{)IaLoq-$b0KM8k>OufAWpdVcZB)Z&#N ze)Qha#f7t_%WvI&efIA3i*ep@iStY$6qgKT649uHFNNVF%V1N~0#X&BXo;o?K`$BH zF7!^;MB8SD(ONg>fjvqmvxjMP8K{omZ^E*RMok#)KJkZR0ah>;{ zVwLGL4J*^sG)L>iAOBffCniQ%op|W!dpmx|aa2MNAtj<$3&}>p&PzF!iE8KFaj0Ie zwf$)hZ#33xhUqo7f?j`PdY$&r>mt=_`p=GDv%qx%YU&BEy82!JX;xRe8`jlB)2mor zeYj4qi)FpO`Zyg+iI=@|yts{u-PVP_y1GExhc+$5#dD zHWb)Ea!^)7MN1{Pv!fh%;Qxr+jXE!MY(`j@4FwTJ3^M6F5`W-4@~AWW_qWY|dmM*-DU!(ve>*Uj31?qj^nP)v9tHkPO%sAEozh zU}l*~HWTf#VNUkZBWJrV*=8T}bD9n3t&%5`d}49o+U=JvIDwR&J65`OajZ66Nv4t?wPbGdEp2e(dh~A5@SQuU;D3nY{Dnbhryb?J6CA zr_4Z4HTOHlWNbP!%PD&f2v5&u^y;2<=>~o5M#Ez88Y>3b6^g;%SuvPdUJRbSnOyhn zDeDVPF?hK#*BQo@S%K>xjO&yq*LvW3*x_3LEq|j|$hTRc9%}pwIo-@&A@|l6o@Z|Y z-z any any (msg:"filemd5"; 
filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-03-ips/test.yaml b/tests/bug-2576-03-ips/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-03-ips/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-03/md5list.2576 b/tests/bug-2576-03/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-03/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-03/suricata.yaml b/tests/bug-2576-03/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-03/suricata.yaml
@@ -0,0 +1,146 @@
+%YAML 1.1
+---
+
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ pcap-file: false
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
+ # Use version 2 logging with the new format:
+ # DNS answers will be logged in one single event
+ # rather than an event for each of it.
+ # Without setting a version the version
+ # will fallback to 1 for backwards compatibility.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: no
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Answer types to log.
+ # Default: all
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
diff --git a/tests/bug-2576-03/temp6.pcap b/tests/bug-2576-03/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zc-oa$Yj7J^72eoRXhp;%JjNXgnOlJ$c}OeCcH+od#ctv@rg0)-g$8KG-N%)*_G)*t zdnMUrI@mxMIwYj&D>P2il!@ao$W77-nFG{(u=WlRx}OXRJJab%2!D58&Lp zE9>En3>ry$_w2dfcg}Yo=kE1i|NM<6u7#_7TDVp4|F1*2Z|-^Slbi`{`s3Da?D*4h z_@DXh;Rm=uj+6X{`ni7o;!D50z_r5fvmA#HULp^EoEzklUpu2uF|T;*U%+ck$5G#C z_`^@#c&lS}1DEXhXkRylJlizZ|Fa&BYie1YY-xJHckRi8zoGV3&CQ>n{Ow!THsUw? zxe&iFUCr+>J5f~lLu~gp*gv3tp9}zj@B5sJ^-2zyto$p7UTMIL#~sp_ZS!N$@S1! z|Bclg_xNB6@o0A{mE##V43gLM)^Pi8Qo)^60Psd|1Qn9=ha{k{QN#wI-8 z#BcKZb{jS{i^XC{5>+K1l8v0-x6{ydEECnxW9SKt&ESBh7O>yv_tDh!Kdj{>$V&1` zE#*Ji&u!v=m2EJL{aokNzrkzG^^v+^Y=-pCCD%QDZ{|pO`clT&^|jn3NS6NU8CRe2 z|Clnq_r*qxt0$)ZLm7YHbU(%i5yzEfMA2{t)$Ro;G90ZYw zWoR*ET53Tgcni{vpiCdJmQ4%`TBc=8Oa?7n5H(dPdl5_2?X+PvkeZ^yAO`nfJwviF z6z%GbRII5<6UPw26NJx_oaXoK0_Yfe%u=_YNEi*|Gmt{07lpUSx}z~@JU*QA`v!@a ziJ?GGZ|~M{w;~6(cPjzEZ;xn`;IN^nX%#CmG;HWwfDL^`)G5X`6zPgZx5aw4Iv7by z%;dz_Qm%gA2(}8?0&&t9v;`}&Y6lB~ef*%p6f*S?*puO|l)%`!m^!Qe=0Aa!5_h9?+I#F-t% zvshFT@f;>1coH*+59if_AiHW2Pz$*?!jfoxa#pl#OoTj12YZ+IJ{UYO04d}k997aP z07HYqppwCEhq6`FisGb=bTNko3#YMVVJi`bWjBs2tO+)m)Uch!m>?RB6NPNsC=1R4 zWsUK?9SKQ_O@L3PO7IpB>yl?O^O9m%&+v{)IaLoq-$b0KM8k>OufAWpdVcZB)Z&#N ze)Qha#f7t_%WvI&efIA3i*ep@iStY$6qgKT649uHFNNVF%V1N~0#X&BXo;o?K`$BH zF7!^;MB8SD(ONg>fjvqmvxjMP8K{omZ^E*RMok#)KJkZR0ah>;{ zVwLGL4J*^sG)L>iAOBffCniQ%op|W!dpmx|aa2MNAtj<$3&}>p&PzF!iE8KFaj0Ie zwf$)hZ#33xhUqo7f?j`PdY$&r>mt=_`p=GDv%qx%YU&BEy82!JX;xRe8`jlB)2mor zeYj4qi)FpO`Zyg+iI=@|yts{u-PVP_y1GExhc+$5#dD zHWb)Ea!^)7MN1{Pv!fh%;Qxr+jXE!MY(`j@4FwTJ3^M6F5`W-4@~AWW_qWY|dmM*-DU!(ve>*Uj31?qj^nP)v9tHkPO%sAEozh zU}l*~HWTf#VNUkZBWJrV*=8T}bD9n3t&%5`d}49o+U=JvIDwR&J65`OajZ66Nv4t?wPbGdEp2e(dh~A5@SQuU;D3nY{Dnbhryb?J6CA zr_4Z4HTOHlWNbP!%PD&f2v5&u^y;2<=>~o5M#Ez88Y>3b6^g;%SuvPdUJRbSnOyhn zDeDVPF?hK#*BQo@S%K>xjO&yq*LvW3*x_3LEq|j|$hTRc9%}pwIo-@&A@|l6o@Z|Y z-z any any (msg:"filemd5"; 
filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-03/test.yaml b/tests/bug-2576-03/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-03/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-04-ips/md5list.2576 b/tests/bug-2576-04-ips/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-04-ips/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-04-ips/suricata.yaml b/tests/bug-2576-04-ips/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-04-ips/suricata.yaml
@@ -0,0 +1,146 @@
+%YAML 1.1
+---
+
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ pcap-file: false
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
+ # Use version 2 logging with the new format:
+ # DNS answers will be logged in one single event
+ # rather than an event for each of it.
+ # Without setting a version the version
+ # will fallback to 1 for backwards compatibility.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: no
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Answer types to log.
+ # Default: all
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
diff --git a/tests/bug-2576-04-ips/temp6.pcap b/tests/bug-2576-04-ips/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zc-oa$Yj7J^72eoRXhp;%JjNXgnOlJ$c}OeCcH+od#ctv@rg0)-g$8KG-N%)*_G)*t zdnMUrI@mxMIwYj&D>P2il!@ao$W77-nFG{(u=WlRx}OXRJJab%2!D58&Lp zE9>En3>ry$_w2dfcg}Yo=kE1i|NM<6u7#_7TDVp4|F1*2Z|-^Slbi`{`s3Da?D*4h z_@DXh;Rm=uj+6X{`ni7o;!D50z_r5fvmA#HULp^EoEzklUpu2uF|T;*U%+ck$5G#C z_`^@#c&lS}1DEXhXkRylJlizZ|Fa&BYie1YY-xJHckRi8zoGV3&CQ>n{Ow!THsUw? zxe&iFUCr+>J5f~lLu~gp*gv3tp9}zj@B5sJ^-2zyto$p7UTMIL#~sp_ZS!N$@S1! z|Bclg_xNB6@o0A{mE##V43gLM)^Pi8Qo)^60Psd|1Qn9=ha{k{QN#wI-8 z#BcKZb{jS{i^XC{5>+K1l8v0-x6{ydEECnxW9SKt&ESBh7O>yv_tDh!Kdj{>$V&1` zE#*Ji&u!v=m2EJL{aokNzrkzG^^v+^Y=-pCCD%QDZ{|pO`clT&^|jn3NS6NU8CRe2 z|Clnq_r*qxt0$)ZLm7YHbU(%i5yzEfMA2{t)$Ro;G90ZYw zWoR*ET53Tgcni{vpiCdJmQ4%`TBc=8Oa?7n5H(dPdl5_2?X+PvkeZ^yAO`nfJwviF z6z%GbRII5<6UPw26NJx_oaXoK0_Yfe%u=_YNEi*|Gmt{07lpUSx}z~@JU*QA`v!@a ziJ?GGZ|~M{w;~6(cPjzEZ;xn`;IN^nX%#CmG;HWwfDL^`)G5X`6zPgZx5aw4Iv7by z%;dz_Qm%gA2(}8?0&&t9v;`}&Y6lB~ef*%p6f*S?*puO|l)%`!m^!Qe=0Aa!5_h9?+I#F-t% zvshFT@f;>1coH*+59if_AiHW2Pz$*?!jfoxa#pl#OoTj12YZ+IJ{UYO04d}k997aP z07HYqppwCEhq6`FisGb=bTNko3#YMVVJi`bWjBs2tO+)m)Uch!m>?RB6NPNsC=1R4 zWsUK?9SKQ_O@L3PO7IpB>yl?O^O9m%&+v{)IaLoq-$b0KM8k>OufAWpdVcZB)Z&#N ze)Qha#f7t_%WvI&efIA3i*ep@iStY$6qgKT649uHFNNVF%V1N~0#X&BXo;o?K`$BH zF7!^;MB8SD(ONg>fjvqmvxjMP8K{omZ^E*RMok#)KJkZR0ah>;{ zVwLGL4J*^sG)L>iAOBffCniQ%op|W!dpmx|aa2MNAtj<$3&}>p&PzF!iE8KFaj0Ie zwf$)hZ#33xhUqo7f?j`PdY$&r>mt=_`p=GDv%qx%YU&BEy82!JX;xRe8`jlB)2mor zeYj4qi)FpO`Zyg+iI=@|yts{u-PVP_y1GExhc+$5#dD zHWb)Ea!^)7MN1{Pv!fh%;Qxr+jXE!MY(`j@4FwTJ3^M6F5`W-4@~AWW_qWY|dmM*-DU!(ve>*Uj31?qj^nP)v9tHkPO%sAEozh zU}l*~HWTf#VNUkZBWJrV*=8T}bD9n3t&%5`d}49o+U=JvIDwR&J65`OajZ66Nv4t?wPbGdEp2e(dh~A5@SQuU;D3nY{Dnbhryb?J6CA zr_4Z4HTOHlWNbP!%PD&f2v5&u^y;2<=>~o5M#Ez88Y>3b6^g;%SuvPdUJRbSnOyhn zDeDVPF?hK#*BQo@S%K>xjO&yq*LvW3*x_3LEq|j|$hTRc9%}pwIo-@&A@|l6o@Z|Y z-z any any (msg:"file_data"; 
file_data; content:"content=IE=Edge"; sid: 3; rev: 1;)
+alert ip any any -> any any (msg:"mix stream with file_data"; content:"content=IE=Edge"; file_data; content:"content=IE=Edge"; sid: 4; rev: 1;)
diff --git a/tests/bug-2576-04-ips/test.yaml b/tests/bug-2576-04-ips/test.yaml
new file mode 100644
index 000000000..2e65954ff
--- /dev/null
+++ b/tests/bug-2576-04-ips/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-04/md5list.2576 b/tests/bug-2576-04/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-04/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-04/suricata.yaml b/tests/bug-2576-04/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-04/suricata.yaml
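Review bot: md5list.2576 is added for bug-2576-04-ips and bug-2576-04, but the rules visible for this directory (sid 3 with `file_data`, sid 4 mixing stream `content` with `file_data`) never reference `filemd5`, so the list is never loaded and the `fileinfo.md5` check in test.yaml is satisfied by `force-hash: [md5]` in suricata.yaml alone. If the 04 tests are only meant to cover file_data matching, the unused md5list file should be dropped; if filemd5 coverage is intended here too, a rule like the sid 3 used by the 02/03 tests is missing. The test.rules hunk for bug-2576-04-ips begins inside the preceding binary patch in this view, so I cannot rule out a further rule being cut off.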
@@ -0,0 +1,146 @@
+%YAML 1.1
+---
+
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ pcap-file: false
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". 
In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
+ # Use version 2 logging with the new format:
+ # DNS answers will be logged in one single event
+ # rather than an event for each of it.
+ # Without setting a version the version
+ # will fallback to 1 for backwards compatibility.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: no
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged. 
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Answer types to log.
+ # Default: all
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
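Review bot: Almost all of this 146-line fixture is commented-out defaults; the only settings the sibling test.yaml checks appear to rely on are the eve-log `- files:` entry with `force-hash: [md5]`, which is what produces the `fileinfo.md5` value asserted there. A short header comment naming that dependency, e.g. `# eve-log with files/force-hash md5 so the test can assert on fileinfo.md5`, or trimming the unused loggers, would make the fixture's intent visible without reading all of it. The diffstat suggests the same 146-line file is duplicated across every bug-2576 directory, so any later change would have to be repeated in each copy.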
diff --git a/tests/bug-2576-04/temp6.pcap b/tests/bug-2576-04/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zc-oa$Yj7J^72eoRXhp;%JjNXgnOlJ$c}OeCcH+od#ctv@rg0)-g$8KG-N%)*_G)*t zdnMUrI@mxMIwYj&D>P2il!@ao$W77-nFG{(u=WlRx}OXRJJab%2!D58&Lp zE9>En3>ry$_w2dfcg}Yo=kE1i|NM<6u7#_7TDVp4|F1*2Z|-^Slbi`{`s3Da?D*4h z_@DXh;Rm=uj+6X{`ni7o;!D50z_r5fvmA#HULp^EoEzklUpu2uF|T;*U%+ck$5G#C z_`^@#c&lS}1DEXhXkRylJlizZ|Fa&BYie1YY-xJHckRi8zoGV3&CQ>n{Ow!THsUw? zxe&iFUCr+>J5f~lLu~gp*gv3tp9}zj@B5sJ^-2zyto$p7UTMIL#~sp_ZS!N$@S1! z|Bclg_xNB6@o0A{mE##V43gLM)^Pi8Qo)^60Psd|1Qn9=ha{k{QN#wI-8 z#BcKZb{jS{i^XC{5>+K1l8v0-x6{ydEECnxW9SKt&ESBh7O>yv_tDh!Kdj{>$V&1` zE#*Ji&u!v=m2EJL{aokNzrkzG^^v+^Y=-pCCD%QDZ{|pO`clT&^|jn3NS6NU8CRe2 z|Clnq_r*qxt0$)ZLm7YHbU(%i5yzEfMA2{t)$Ro;G90ZYw zWoR*ET53Tgcni{vpiCdJmQ4%`TBc=8Oa?7n5H(dPdl5_2?X+PvkeZ^yAO`nfJwviF z6z%GbRII5<6UPw26NJx_oaXoK0_Yfe%u=_YNEi*|Gmt{07lpUSx}z~@JU*QA`v!@a ziJ?GGZ|~M{w;~6(cPjzEZ;xn`;IN^nX%#CmG;HWwfDL^`)G5X`6zPgZx5aw4Iv7by z%;dz_Qm%gA2(}8?0&&t9v;`}&Y6lB~ef*%p6f*S?*puO|l)%`!m^!Qe=0Aa!5_h9?+I#F-t% zvshFT@f;>1coH*+59if_AiHW2Pz$*?!jfoxa#pl#OoTj12YZ+IJ{UYO04d}k997aP z07HYqppwCEhq6`FisGb=bTNko3#YMVVJi`bWjBs2tO+)m)Uch!m>?RB6NPNsC=1R4 zWsUK?9SKQ_O@L3PO7IpB>yl?O^O9m%&+v{)IaLoq-$b0KM8k>OufAWpdVcZB)Z&#N ze)Qha#f7t_%WvI&efIA3i*ep@iStY$6qgKT649uHFNNVF%V1N~0#X&BXo;o?K`$BH zF7!^;MB8SD(ONg>fjvqmvxjMP8K{omZ^E*RMok#)KJkZR0ah>;{ zVwLGL4J*^sG)L>iAOBffCniQ%op|W!dpmx|aa2MNAtj<$3&}>p&PzF!iE8KFaj0Ie zwf$)hZ#33xhUqo7f?j`PdY$&r>mt=_`p=GDv%qx%YU&BEy82!JX;xRe8`jlB)2mor zeYj4qi)FpO`Zyg+iI=@|yts{u-PVP_y1GExhc+$5#dD zHWb)Ea!^)7MN1{Pv!fh%;Qxr+jXE!MY(`j@4FwTJ3^M6F5`W-4@~AWW_qWY|dmM*-DU!(ve>*Uj31?qj^nP)v9tHkPO%sAEozh zU}l*~HWTf#VNUkZBWJrV*=8T}bD9n3t&%5`d}49o+U=JvIDwR&J65`OajZ66Nv4t?wPbGdEp2e(dh~A5@SQuU;D3nY{Dnbhryb?J6CA zr_4Z4HTOHlWNbP!%PD&f2v5&u^y;2<=>~o5M#Ez88Y>3b6^g;%SuvPdUJRbSnOyhn zDeDVPF?hK#*BQo@S%K>xjO&yq*LvW3*x_3LEq|j|$hTRc9%}pwIo-@&A@|l6o@Z|Y z-z any any (msg:"file_data"; 
file_data; content:"content=IE=Edge"; sid: 3; rev: 1;)
+alert ip any any -> any any (msg:"mix stream with file_data"; content:"content=IE=Edge"; file_data; content:"content=IE=Edge"; sid: 4; rev: 1;)
diff --git a/tests/bug-2576-04/test.yaml b/tests/bug-2576-04/test.yaml
new file mode 100644
index 000000000..2e65954ff
--- /dev/null
+++ b/tests/bug-2576-04/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
-- 2.47.2