From 3cef8ced5449c586beb972547e2c9e2a0f3e2f8e Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Mon, 18 Jan 2021 10:37:33 +0100 Subject: [PATCH] tests: add bug 814 test --- tests/bug-814/input.pcap | Bin 0 -> 831 bytes tests/bug-814/test.rules | 3 ++ tests/bug-814/test.yaml | 80 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+) create mode 100644 tests/bug-814/input.pcap create mode 100644 tests/bug-814/test.rules create mode 100644 tests/bug-814/test.yaml diff --git a/tests/bug-814/input.pcap b/tests/bug-814/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..68dae098a89ee1630f06b9fb3f9b0269e653bed7 GIT binary patch literal 831 zc-p&ic+)~A1{MYw_+QV!zzC!luzd|m|I5nY2V{eAPzZyNDH8{S`hNeeMh2Gfwz~-+ z$i{Mm@Lp0Bx8NAOJMo0%H1Fb~c8`Ky{CC zo4%4n(KW6 zd3mKNJN2S##*08NMNohqUknM*c^2$ci!LukaDWN|O any any (msg:"TEST"; content:"GET"; http_method; content:"/cgi-bin/cart32.exe"; http_raw_uri; sid:1; rev:1;) + diff --git a/tests/bug-814/test.yaml b/tests/bug-814/test.yaml new file mode 100644 index 000000000..cb6287ad2 --- /dev/null +++ b/tests/bug-814/test.yaml 
@@ -0,0 +1,80 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: TEST
+ alert.signature_id: 1
+ app_proto: http
+ dest_ip: fe80:0000:0000:0000:020c:29ff:faf2:ab42
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 156
+ flow.bytes_toserver: 461
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ http.hostname: www.net1.bg
+ http.http_method: GET
+ http.http_user_agent: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:000003)
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /cgi-bin/cart32.exe
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: fe80:0000:0000:0000:020c:29ff:fef3:cf38
+ src_port: 58307
+ tx_id: 0
+ vlan[0]: 1111
+- filter:
+ count: 1
+ match:
+ dest_ip: fe80:0000:0000:0000:020c:29ff:faf2:ab42
+ dest_port: 80
+ event_type: http
+ http.hostname: www.net1.bg
+ http.http_method: GET
+ http.http_user_agent: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:000003)
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /cgi-bin/cart32.exe
+ proto: TCP
+ src_ip: fe80:0000:0000:0000:020c:29ff:fef3:cf38
+ src_port: 58307
+ tx_id: 0
+ vlan[0]: 1111
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: fe80:0000:0000:0000:020c:29ff:faf2:ab42
+ dest_port: 80
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 234
+ flow.bytes_toserver: 461
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 4
+ flow.reason: shutdown
+ flow.state: established
+ proto: TCP
+ src_ip: fe80:0000:0000:0000:020c:29ff:fef3:cf38
+ src_port: 58307
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: close_wait
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: '12'
+ tcp.tcp_flags_ts: 1b
+ vlan[0]: 1111
-- 2.47.2
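Review bot: Each check only counts events that match every listed key, so `count: 1` on the first filter does not establish that the rule fired exactly once — a second alert on another packet or transaction (different `pcap_cnt`, `tx_id` or flow counters) would be left uncounted and the test would still pass. For a regression test on a single-match bug an unconditioned alert count is the stricter guard: add `- filter: {count: 1, match: {event_type: alert}}` to `checks`. The template placeholder `# *** Add configuration here ***` is also still in the file; replacing it with a one-line comment naming the tracker issue and what the check covers (from the rule and match keys, an `http_raw_uri` match on a VLAN-tagged IPv6 flow — confirm against the bug report) would tell the next reader why this pcap exists.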