From 3adeb2f19ac82dedeb2b750a20a22fcfffb51d3e Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 23 Mar 2023 09:36:55 +0100
Subject: [PATCH] tests: add ticket 5929 test

---
 tests/bug-5929-01/1e3b98e5dad2954.pcap | Bin 0 -> 467 bytes
 tests/bug-5929-01/README.md | 4 ++++
 tests/bug-5929-01/test.rules | 4 ++++
 tests/bug-5929-01/test.yaml | 24 ++++++++++++++++++++++++
 4 files changed, 32 insertions(+)
 create mode 100644 tests/bug-5929-01/1e3b98e5dad2954.pcap
 create mode 100644 tests/bug-5929-01/README.md
 create mode 100644 tests/bug-5929-01/test.rules
 create mode 100644 tests/bug-5929-01/test.yaml

diff --git a/tests/bug-5929-01/1e3b98e5dad2954.pcap b/tests/bug-5929-01/1e3b98e5dad2954.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..6ea98067da71e207d76f0ed8e84246a52fbab390
GIT binary patch
literal 467
zc-p&ic+)~A1{MYw`2U}Qfe}bEI!dRUZslPx1F}K*ztN}lZWkE1=J?;q;b3rOV9)?5
zb6`6=@4$*j8fygN{G(b<>KW6IWc_>!lSj98M&D{cR9>A&)~ruT&X~u0rF_u HTLuOI&!=^Z

literal 0
Hc-jL100001

diff --git a/tests/bug-5929-01/README.md b/tests/bug-5929-01/README.md
new file mode 100644
index 000000000..cd25c0782
--- /dev/null
+++ b/tests/bug-5929-01/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/5929
diff --git a/tests/bug-5929-01/test.rules b/tests/bug-5929-01/test.rules
new file mode 100644
index 000000000..5bb4b84d2
--- /dev/null
+++ b/tests/bug-5929-01/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.uri; bsize:<70; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:2;)
+alert http any any -> any any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; sid:3;)
+alert http any any -> any any (flow:established,to_server; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:4;)
diff --git a/tests/bug-5929-01/test.yaml b/tests/bug-5929-01/test.yaml
new file mode 100644
index 000000000..1c96e4c8c
--- /dev/null
+++ b/tests/bug-5929-01/test.yaml
@@ -0,0 +1,24 @@
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
-- 
2.47.2
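Review bot: The four rules in the test.rules hunk are deliberate variants of one signature (urilen vs bsize vs no length check, fast_pattern set or not), but nothing in the file says which variant reproduces ticket 5929 and which are controls, so a later regression in, say, sid 3 cannot be judged without re-reading the ticket. A header comment would preserve that intent, e.g. `# Ticket 5929: relative content (distance/within) after a length check; sid 1 is the reported case, sid 2-4 vary the length keyword and fast_pattern and must all still alert once` — adjust to whatever the ticket actually reports, since that mapping is inferred here from the rule shapes rather than stated in the commit. The same remark applies to the README.md hunk, which only links the ticket.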
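Review bot: The test.yaml hunk passes `-k none` and pins one alert per sid, but does not record why checksum verification is disabled nor which Suricata versions carry the fix the test depends on. If the capture has invalid checksums, say so next to the argument, e.g. `- -k none  # capture has invalid checksums`, so a future cleanup does not drop it and silently lose the alerts. If the fix only landed in a particular release line, a `requires:` block with `min-version` would keep older branches from reporting a spurious failure; that is presumably the case for a ticket-driven test but the commit does not say.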