From 2e665dcb392b32947fb9a03d3ab4765ce215949e Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Thu, 24 Feb 2022 18:48:53 +0000
Subject: [PATCH] tests: add tests for unseen http midstream traffic

In a pcap where just `http` midstream traffic is seen, Suri is unable to see the packtes as `http` traffic (Wireshark tags them correctly). This also seems to result in Suri sometimes not adding the packet payload to the associated alert event in the eve-log. `bug-5437-01` has the pcap where http packets are not seen `bug-5437-02` has a more complete pcap, and the same packets are properly identified by Suri. Related to Bug #5437
---
 tests/bug-5437-01/README.md | 22 ++++++++++++++++++++++
 tests/bug-5437-01/input.pcap | Bin 0 -> 768 bytes
 tests/bug-5437-01/test.rules | 3 +++
 tests/bug-5437-01/test.yaml | 13 +++++++++++++
 tests/bug-5437-02/README.md | 19 +++++++++++++++++++
 tests/bug-5437-02/input.pcap | Bin 0 -> 8532 bytes
 tests/bug-5437-02/test.rules | 3 +++
 tests/bug-5437-02/test.yaml | 13 +++++++++++++
 8 files changed, 73 insertions(+)
 create mode 100644 tests/bug-5437-01/README.md
 create mode 100644 tests/bug-5437-01/input.pcap
 create mode 100644 tests/bug-5437-01/test.rules
 create mode 100644 tests/bug-5437-01/test.yaml
 create mode 100644 tests/bug-5437-02/README.md
 create mode 100644 tests/bug-5437-02/input.pcap
 create mode 100644 tests/bug-5437-02/test.rules
 create mode 100644 tests/bug-5437-02/test.yaml
diff --git a/tests/bug-5437-01/README.md b/tests/bug-5437-01/README.md
new file mode 100644
index 000000000..787099d7f
--- /dev/null
+++ b/tests/bug-5437-01/README.md
@@ -0,0 +1,22 @@
+Test
+====
+
+This is a test for the bug 5437 about unseen http midstream packets/flow.
+
+Behavior
+========
+
+Suri seems unable to properly identify `http` traffic in this payload,
+despite having `-k none` and `midstream=true` set.
+
+Here we only have two `http` GET request packets in the pcap file: the `http`,
+and the stream is not seen (Wireshark tags those correctly).
+
+Compare with `bug-5437-02`, from which the 2 packets in the pcap from
+the present test come from: the `http` stream is seen and logged there.
+
+PCAP
+====
+
+Pcap was shared on Suricata's Discord server by the users who observed this
+behavior.
diff --git a/tests/bug-5437-01/input.pcap b/tests/bug-5437-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..99abaa06e914c7a85ba4659a8a8f1a77b4c2324a
GIT binary patch
literal 768
zc-p&ic+)~A1{MYw`2U}Qfe}day7MMge&c3H0dhbX0(dU`=t-~TU~pw%4C~#(!0=E1 z(#fiTe!b??NuLE6I`)Co2(U4*0Vxp%g`oe;%sGa9T8zqI9V$5`4h&{&`-``)PHAKm z=D7Mwi6LN>lovCL%?tMiNf!5;(LlQyIk*`9-#Tfl{;t^FHAF$bI3qPD$38hlTfZc? zz`7_`Tem1pTg$pUJ+(wzA)}SH0-$I~YDI~DMoDgtPGUhpPG)jqNoIbYeg#NGy8>M_H^;ir) any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; classtype:protocol-command-decode; sid:2200073; rev:2;)
+alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mirai"; flow:to_server,established; content:"User-Agent|3A| Hello, world"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d/analysis/; classtype:trojan-activity; sid:58992; rev:1;)
+alert http any any -> any any (msg:"ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030092; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
diff --git a/tests/bug-5437-01/test.yaml b/tests/bug-5437-01/test.yaml
new file mode 100644
index 000000000..7c387e0de
--- /dev/null
+++ b/tests/bug-5437-01/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+ app_proto: http
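Review bot: The `checks` block at the end of this hunk asserts two `flow` events with `app_proto: http`, which according to the README added for `bug-5437-01` is exactly the outcome Suricata does not currently produce for this pcap, so the test will fail on any build satisfying `min-version: 7` until Bug #5437 is fixed. That may be deliberate as a reproducer, but nothing in test.yaml says so; a comment above `checks:` such as `# Expected outcome; currently fails, see README.md and Bug #5437` would tell whoever sees it go red that this is known. The commit message also describes alert events sometimes missing their payload, yet no check covers that symptom; if the test is meant to track it, a second filter on `event_type: alert` would pin it, though the exact field to match depends on the eve output configuration and should be confirmed first. The same test.yaml is reused byte-for-byte for `bug-5437-02`, where the expectation does match that README, so only the `-01` copy needs the note.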
diff --git a/tests/bug-5437-02/README.md b/tests/bug-5437-02/README.md
new file mode 100644
index 000000000..027a80a50
--- /dev/null
+++ b/tests/bug-5437-02/README.md
@@ -0,0 +1,19 @@
+Test
+====
+
+This is a test for the bug 5437 about unseen http midstream packets.
+
+
+Behavior
+========
+
+This test shows the desired behavior. This is the pcap from which the traffic
+seen in the extracted pcap for test `bug-5437-01` comes.
+
+In this one Suri is able to identify the `http` packets.
+
+PCAP
+====
+
+Pcap was shared on Suricata's Discord server by the users who observed this
+behavior.
diff --git a/tests/bug-5437-02/input.pcap b/tests/bug-5437-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..543da02dd216e4dabe84cb8b72bb4a4574cb8668 GIT binary patch literal 8532 zc-rlldr(y86~MoJU6zHFWlco~G}~+^RbCeel{X8Bikh}tqo%RG0GCJI7qF>7utkv$ zpf+)8#$@6oI##W%ohU;x)tHnvrlqD4L<}ZX6Cd%>h_y{4w5izdoaHY2y5HRUe_@!r zbJ@G+cYo)c?|gTM-tFF}Bx)l3JbXxqf*#+}=__J64RO-fPTzl{2gbHnZ_<+agsfRo zO2{}rE#n41xSf3d_r(U%@eaJl5J5EbU?irc4^_(SxGN)3bMT7fO8VJp+`@x%?3rD& zo#wc9LaZ65?2o}!>y)NW&r^gb)tbHD=ySqGFM8mOe!7;BnS5hx{@VV}1EQ;lk{(nf zGA5E9fq_g$=eg&iA^MNs&nXIye(<<|^f)aux&x!@!$;S&dgFQ-ywT5XDI!JOi4KSi z1jO1-?)}E}G9@stGv;Vp&S3N&Z}g2?ruijkK1sy9$?M$fe=@p->wFBXhl{?r#y@(` zj0o}QE5BU;(H|+0ocGy;6w$nII2@FBGhAh*rFUer5C@{i#7BsmU-^L%%s*?FoOg`Q zbFak&<=q$k@=gEfFD7Y83w_-Z?%ti>se^kreku9h^9xJh-cz0u?tN&CSa&X2p@*yX zDyI#kqrWsrfFPSEy7EhoQ08NAHbLo+*2c*)Lq2=m%gaFl@O6Jd`B@SlUvVIcmZj zjY#eeWU+7_<79UPvizz>oaN7Rb;LtI))S7U%KAfKiB(Ikm(0R>ST8Gs>SYS$x!Y>c z^h9;hoG36q9|8+7Jed`aVIntG10Kjt-MHjBK?YhUy+L*2V<@;6%J5mXj*%1V2Jm3` zD#U}5M9_ncSXaDqxE)Cp-kfxILVav01%^{IhWdeF(J#|lytSI6{r4*YIr-ARR*6MN z*3%&df59w@6;?a47^UV!@r}Y#$VqZ-*qlt)^sE~4`4|Qt3+FF0@eMULyWLW`K8g1@ z+NJQ8#0^t@_I*JLk(U6uT5pk zmRb4q)O5XWd4sJ!rMTMW^yHe#=qJ09O&eYH_Vs#QnX7@GOV7wkO{2f*x!GxYU2$cl z%}vjGY>ghi#^bOjm%H8e+RAcIt;@+b!kMJT;Ij^UUR^<2YEE*kqrBS2Z?sjolN0$w zJejT6&2u@Own}(wu4#kK=1wWM*Z#<+*XecOTx${S0~7572RgqZ(YcA%;QS(z&Lw9D zIUh&ov6>#;OM%XTA=)BZgC<&oPGq#tQ4@vYi3z<*_Cp%C_SK;L`}!e&JhUG+7c+f4hYbA^XEyb5 zA7}RN?@!L`^Gf|E-y_tC5$5EAZw9Q%_kl&2lm9Jd_NEJab6Dcco?x+Xwtr5}>_C>O zzZYj|Dq+sc7W8so@?IvhJ|4Wp-wN8x+=cwK8c1_Vk~cR32Qd7rgt>2UqmOaPdl+P} zaDUqzw1@FA#Jm^EaPdQ?hmX+1%Q8G9pog1bJUm1XkNX(@BQSh1%=9pT9$uBrYix!)$WSGN zp${42!!l40hZco0l$1s@)~cm5Fc&Ej_p)@YA`a+_%wl0L3k-wP+ML2(c9z+Ht!h*G z&yky}Sw04J=%Y;X8lE|*1eUix4O+t$)X7xZAN5Bz3H{Ng1}DJq>>6fm^62AH$!j+< zSh%j{ptak_&>R=YaFQ~prm~(dR?h(jb%BiMi!OY=m?!#tkrj}WXM~&pi+L`qKGwVm zEXo&T)Q1!6qe!eiX8taKrCMNl2fig^dfAi+EZ6g7c-e+tO2oX3x%^qSe%+sC0n^J* zdV%Fiy9_Tb^kNb7k}w*;!V4^ape*}xSzg|L16cMSmEmPOdMOt3a{sbFOMACJ%jMN9 
zFTJ~fW$!T=Ufk%VP|QnwRRBw`z;c?h^mVYjBwhuUxm#s;*@0e)#JqfQ(x0Vc$e-oT zuUTGF_5sTi2V{7uLoWqlUZ$4@uv`^b{z6%9991y(Lfs$3I{W-fGWJ3|W>* z(wuifSmQb?U>^buyN)p#E+NB|!%uE{@6ZphXXo8Lq>3uCt>U46ZU@IH!~0Ard`& zB*w6(Rbcoz5f}>D3`>w9LWYM(^dOnx0cA*fH;OU4$47u+Uc2=D!=Mg4RJ;%Sm~ad^ z+XRL^eFDQFHp5+H*eZSh01OuHZRPF4Q8O^?I3LKMDF|fXqx2Q+r&tUbE?_XIWq61} z52wXEJgyQLj#>o<^?Ol_@09Lbf_ any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; classtype:protocol-command-decode; sid:2200073; rev:2;)
+alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mirai"; flow:to_server,established; content:"User-Agent|3A| Hello, world"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d/analysis/; classtype:trojan-activity; sid:58992; rev:1;)
+alert http any any -> any any (msg:"ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030092; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
diff --git a/tests/bug-5437-02/test.yaml b/tests/bug-5437-02/test.yaml
new file mode 100644
index 000000000..7c387e0de
--- /dev/null
+++ b/tests/bug-5437-02/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+ app_proto: http
-- 2.47.2