From 4dacc4304136217bf4aefe3f92b3724846424bd8 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 18 Jan 2021 10:44:17 +0100
Subject: [PATCH] tests: add bug 2558 tests
---
tests/bug-2558-01/1.rules | 4 ++++
tests/bug-2558-01/2008.mp4.pcap | Bin 0 -> 1517 bytes
tests/bug-2558-01/test.yaml | 20 ++++++++++++++++++++
tests/bug-2558-02/1.rules | 4 ++++
tests/bug-2558-02/2008.mp4.pcap | Bin 0 -> 1517 bytes
tests/bug-2558-02/test.yaml | 26 ++++++++++++++++++++++++++
6 files changed, 54 insertions(+)
create mode 100644 tests/bug-2558-01/1.rules
create mode 100644 tests/bug-2558-01/2008.mp4.pcap
create mode 100644 tests/bug-2558-01/test.yaml
create mode 100644 tests/bug-2558-02/1.rules
create mode 100644 tests/bug-2558-02/2008.mp4.pcap
create mode 100644 tests/bug-2558-02/test.yaml
diff --git a/tests/bug-2558-01/1.rules b/tests/bug-2558-01/1.rules
new file mode 100644
index 000000000..06f8d0c38
--- /dev/null
+++ b/tests/bug-2558-01/1.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (filestore; fileext:!"mp4"; sid:1; rev:1;)
+alert http any any -> any any (filestore; filename:!"2008.mp4"; sid:2; rev:1;)
+alert http any any -> any any (filestore; filename:!"tar.gz"; sid:3; rev:1;)
+
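Review bot: The three rules in tests/bug-2558-01/1.rules have no `msg` and no comment, so which sids are meant to stay silent can only be recovered from test.yaml; tests/bug-2558-02/1.rules has the same gap. A header comment such as `# sid 1 and 2 must not alert on 2008.mp4; sid 3 must alert (name has no "tar.gz")` would let a failing run be read without opening the pcap, assuming the transferred file is indeed the 2008.mp4 the pcap is named after. These rules pin negated file matching, where a regression shows up as spurious alerts and stored files, so stating the expected direction per sid is worth the extra lines.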
diff --git a/tests/bug-2558-01/2008.mp4.pcap b/tests/bug-2558-01/2008.mp4.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..3f2cf528380b7e599cbac9fdd4e8ed728349b936
GIT binary patch literal 1517 zc-noGT}TvB6vyvwTFbzIl~9kDda-hLXZ9o3Nzv6@B^52#T*%Vdo!dIJ^TF)haeXQZ zA0ja6Ia3iK34$W%p%0@TgI=Ws4JwHv0k5%Sj6KdbZlI27wY&Fr3i`wlSj`Rp#a$Sm@UWQ00UWPjav zMrCv~^lklS+!+VDv3Mvt*M4o6+&eD*Ve}ID1CTp`+F8x#aB|G``Cf(32GA#NG@y-@ zuVD1J{ze&@5f^nIS_9fzHR6-xWtZ4km3S0w++W{I?CDP6fD#}DD;o%kV$`o&VceTY z3>6npkk)WZ)#v^_n^OB#xMM zh~Km`JlAC!21!%RG-TXIh$Y0bnnQSw=U6ynw{`{kNBVGlo=N}ue1-HA5Yi?HWUqWG zh6AB&vyd2ZcE*P;dXYOTiQeA$14ew=T9tSd*_)5{5=&ZOPzMk8@!VO35)gx^%{Umr z1BwlQqzINGa#)nZ67CsD@Z2!59b(HkW+~}Oh_zqIQDMMTwW}IYtKSYq<#4okyE~y| zWPB_X7DZ7N(jg%t1tpRSim6~IsvavTE?iKI49UqjHBCv*6`De(gnnXV=%kFLmI%)! zh2-$CFl3vwlmqDu)=ibPrLt!F8aoiT6`cr!7W)mf9PCV6%V-AA?dD6yR0DgSwndt; zt`yoNQT%^yORglQEx74uDlr34SuE+0=f)S&$&;5r}z?-$DYl<`wmodu+yjVDpg=TzDkTVI)adsO=HpD0tKFR%H8t}p-q literal 0 Hc-jL100001
diff --git a/tests/bug-2558-01/test.yaml b/tests/bug-2558-01/test.yaml
new file mode 100644
index 000000000..7d7c55e9a
--- /dev/null
+++ b/tests/bug-2558-01/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/bug-2558-02/1.rules b/tests/bug-2558-02/1.rules
new file mode 100644
index 000000000..26593b982
--- /dev/null
+++ b/tests/bug-2558-02/1.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (filestore; fileext:!"mp4"; sid:1; rev:1;)
+alert http any any -> any any (filestore; file.name; content:!"2008.mp4"; sid:2; rev:1;)
+alert http any any -> any any (filestore; file.name; content:!"tar.gz"; sid:3; rev:1;)
+alert http any any -> any any (file.name; content:"/a/expl/2008.mp4"; startswith; endswith; sid:4; rev:1;)
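Review bot: tests/bug-2558-01/test.yaml sets no `min-version`, unlike tests/bug-2558-02/test.yaml which pins `min-version: 5.0.0`, so this test runs on every branch the suite covers. If the fix for bug 2558 is missing on any of them, the `count: 0` checks for sid 1 and 2 will fail there; a version bound, or a short comment saying the test is expected to pass everywhere, would settle it. A one-line comment per check, for example `# negated fileext must not match an .mp4 file`, would also record why 0 is the expected count.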
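Review bot: In tests/bug-2558-02/1.rules the negated `file.name` matches (sid 2, sid 3) use a bare `content`, while the anchored form `startswith; endswith;` appears only in the positive sid 4, so negation combined with an anchor is not exercised. If that combination is in scope for bug 2558, one more rule along the lines of `file.name; content:!"tar.gz"; endswith;` with an expected count of 1 in test.yaml would cover it. sid 4 also omits `filestore`, unlike sids 1-3; a comment saying this is deliberate would help the next reader.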
diff --git a/tests/bug-2558-02/2008.mp4.pcap b/tests/bug-2558-02/2008.mp4.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..3f2cf528380b7e599cbac9fdd4e8ed728349b936
GIT binary patch literal 1517 zc-noGT}TvB6vyvwTFbzIl~9kDda-hLXZ9o3Nzv6@B^52#T*%Vdo!dIJ^TF)haeXQZ zA0ja6Ia3iK34$W%p%0@TgI=Ws4JwHv0k5%Sj6KdbZlI27wY&Fr3i`wlSj`Rp#a$Sm@UWQ00UWPjav zMrCv~^lklS+!+VDv3Mvt*M4o6+&eD*Ve}ID1CTp`+F8x#aB|G``Cf(32GA#NG@y-@ zuVD1J{ze&@5f^nIS_9fzHR6-xWtZ4km3S0w++W{I?CDP6fD#}DD;o%kV$`o&VceTY z3>6npkk)WZ)#v^_n^OB#xMM zh~Km`JlAC!21!%RG-TXIh$Y0bnnQSw=U6ynw{`{kNBVGlo=N}ue1-HA5Yi?HWUqWG zh6AB&vyd2ZcE*P;dXYOTiQeA$14ew=T9tSd*_)5{5=&ZOPzMk8@!VO35)gx^%{Umr z1BwlQqzINGa#)nZ67CsD@Z2!59b(HkW+~}Oh_zqIQDMMTwW}IYtKSYq<#4okyE~y| zWPB_X7DZ7N(jg%t1tpRSim6~IsvavTE?iKI49UqjHBCv*6`De(gnnXV=%kFLmI%)! zh2-$CFl3vwlmqDu)=ibPrLt!F8aoiT6`cr!7W)mf9PCV6%V-AA?dD6yR0DgSwndt; zt`yoNQT%^yORglQEx74uDlr34SuE+0=f)S&$&;5r}z?-$DYl<`wmodu+yjVDpg=TzDkTVI)adsO=HpD0tKFR%H8t}p-q literal 0 Hc-jL100001
diff --git a/tests/bug-2558-02/test.yaml b/tests/bug-2558-02/test.yaml
new file mode 100644
index 000000000..3e79c8c94
--- /dev/null
+++ b/tests/bug-2558-02/test.yaml
@@ -0,0 +1,26 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
--
2.47.2