From 5499db25d50a95e85cdebfe6bbed08417563f3f9 Mon Sep 17 00:00:00 2001 
From: Victor Julien Date: Sat, 30 Nov 2024 08:46:56 +0100 Subject: [PATCH] tests: add bug 7422 tests Tests various forms of RST triggering handling of unACK'd data. --- tests/tcp-rst-unacked-stream-01-raw/README.md | 8 +++++++ .../tcp-rst-unacked-stream-01-raw/input.pcap | Bin 0 -> 654 bytes .../tcp-rst-unacked-stream-01-raw/test.rules | 2 ++ tests/tcp-rst-unacked-stream-01-raw/test.yaml | 20 ++++++++++++++++++ .../writepcap.py | 15 +++++++++++++ .../README.md | 8 +++++++ .../input.pcap | Bin 0 -> 654 bytes .../test.rules | 2 ++ .../test.yaml | 20 ++++++++++++++++++ .../writepcap.py | 15 +++++++++++++ tests/tcp-rst-unacked-stream-03-gap/README.md | 8 +++++++ .../tcp-rst-unacked-stream-03-gap/input.pcap | Bin 0 -> 576 bytes .../tcp-rst-unacked-stream-03-gap/test.rules | 2 ++ tests/tcp-rst-unacked-stream-03-gap/test.yaml | 20 ++++++++++++++++++ .../writepcap.py | 15 +++++++++++++ .../README.md | 8 +++++++ .../input.pcap | Bin 0 -> 576 bytes .../test.rules | 2 ++ .../test.yaml | 20 ++++++++++++++++++ .../writepcap.py | 15 +++++++++++++ .../README.md | 8 +++++++ .../input.pcap | Bin 0 -> 679 bytes .../test.rules | 2 ++ .../test.yaml | 20 ++++++++++++++++++ .../writepcap.py | 17 +++++++++++++++ .../README.md | 8 +++++++ .../input.pcap | Bin 0 -> 679 bytes .../test.rules | 2 ++ .../test.yaml | 20 ++++++++++++++++++ .../writepcap.py | 17 +++++++++++++++ .../tcp-rst-unacked-stream-07-http/README.md | 8 +++++++ .../tcp-rst-unacked-stream-07-http/input.pcap | Bin 0 -> 589 bytes .../tcp-rst-unacked-stream-07-http/test.rules | 2 ++ .../tcp-rst-unacked-stream-07-http/test.yaml | 20 ++++++++++++++++++ .../writepcap.py | 17 +++++++++++++++ .../README.md | 8 +++++++ .../input.pcap | Bin 0 -> 589 bytes .../test.rules | 2 ++ .../test.yaml | 20 ++++++++++++++++++ .../writepcap.py | 17 +++++++++++++++ 40 files changed, 368 insertions(+) create mode 100644 tests/tcp-rst-unacked-stream-01-raw/README.md create mode 100644 tests/tcp-rst-unacked-stream-01-raw/input.pcap create mode 100644 
tests/tcp-rst-unacked-stream-01-raw/test.rules create mode 100644 tests/tcp-rst-unacked-stream-01-raw/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-01-raw/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-02-raw-ips/README.md create mode 100644 tests/tcp-rst-unacked-stream-02-raw-ips/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-02-raw-ips/test.rules create mode 100644 tests/tcp-rst-unacked-stream-02-raw-ips/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-02-raw-ips/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-03-gap/README.md create mode 100644 tests/tcp-rst-unacked-stream-03-gap/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-03-gap/test.rules create mode 100644 tests/tcp-rst-unacked-stream-03-gap/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-03-gap/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-04-gap-ips/README.md create mode 100644 tests/tcp-rst-unacked-stream-04-gap-ips/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-04-gap-ips/test.rules create mode 100644 tests/tcp-rst-unacked-stream-04-gap-ips/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-04-gap-ips/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-05-http-nogap/README.md create mode 100644 tests/tcp-rst-unacked-stream-05-http-nogap/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-05-http-nogap/test.rules create mode 100644 tests/tcp-rst-unacked-stream-05-http-nogap/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-05-http-nogap/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-06-http-nogap-ips/README.md create mode 100644 tests/tcp-rst-unacked-stream-06-http-nogap-ips/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.rules create mode 100644 tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-06-http-nogap-ips/writepcap.py create mode 100644 
tests/tcp-rst-unacked-stream-07-http/README.md create mode 100644 tests/tcp-rst-unacked-stream-07-http/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-07-http/test.rules create mode 100644 tests/tcp-rst-unacked-stream-07-http/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-07-http/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-08-http-ips/README.md create mode 100644 tests/tcp-rst-unacked-stream-08-http-ips/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-08-http-ips/test.rules create mode 100644 tests/tcp-rst-unacked-stream-08-http-ips/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-08-http-ips/writepcap.py diff --git a/tests/tcp-rst-unacked-stream-01-raw/README.md b/tests/tcp-rst-unacked-stream-01-raw/README.md new file mode 100644 index 000000000..66bd7beae --- /dev/null +++ b/tests/tcp-rst-unacked-stream-01-raw/README.md @@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests raw reassembly inspection of unack'd data w/o GAP. diff --git a/tests/tcp-rst-unacked-stream-01-raw/input.pcap b/tests/tcp-rst-unacked-stream-01-raw/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a37d82e71d91fe9a6edec8776609eb00a4adb903 GIT binary patch literal 654 zc-p&ic+)~A1{MYw`2U}Qfe}bw7xhZle8$XR2V{dVD+@CdP@Iv8nT55Hfq{*K!IgnQ z2c*=2t>hRZ5HJCOfu;Ne28aO+2}}wMk~|Cy%*=dX)9l|MOoNyMF%#1?kVzmD4f_r=?Db>@2G2Z2kYP#!EDY{Iad%u% iU any any (content:"Let Me In"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) 
diff --git a/tests/tcp-rst-unacked-stream-01-raw/test.yaml b/tests/tcp-rst-unacked-stream-01-raw/test.yaml new file mode 100644 index 000000000..e489751d5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-01-raw/test.yaml @@ -0,0 +1,20 @@ +requires: + min-version: 8 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pkt_src: "stream (flow timeout)" + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-01-raw/writepcap.py b/tests/tcp-rst-unacked-stream-01-raw/writepcap.py new file mode 100755 index 000000000..c96dae0f2 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-01-raw/writepcap.py 
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1008,window=65535)/"Access Denied"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/README.md b/tests/tcp-rst-unacked-stream-02-raw-ips/README.md
new file mode 100644
index 000000000..4fe7d6b91
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-02-raw-ips/README.md
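Review bot: `from scapy.all import *` pulls several hundred names into the script, and `pkts += Ether(...)/...` only works because a scapy Packet happens to be iterable (yielding the single packet when no field is a range), which reads like a type error to anyone not steeped in scapy; `pkts.append(Ether(...)/...)` says what is meant, and the import can be narrowed to `from scapy.all import Ether, Dot1Q, IP, TCP, wrpcap`. The `#!/usr/bin/env python` shebang is also ambiguous on hosts where `python` is missing or is Python 2; `#!/usr/bin/env python3` pins it. The same pattern is repeated in the writepcap.py hunks of tests 02 through 08 (the 01/02, 05/06 and 07/08 scripts are byte-identical per their blob ids c96dae0f2, e5f7df890 and 81952ff74), so one fix can be copied across all eight.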
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests raw reassembly inspection of unack'd data w/o GAP in IPS mode. diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/input.pcap b/tests/tcp-rst-unacked-stream-02-raw-ips/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a37d82e71d91fe9a6edec8776609eb00a4adb903 GIT binary patch literal 654 zc-p&ic+)~A1{MYw`2U}Qfe}bw7xhZle8$XR2V{dVD+@CdP@Iv8nT55Hfq{*K!IgnQ z2c*=2t>hRZ5HJCOfu;Ne28aO+2}}wMk~|Cy%*=dX)9l|MOoNyMF%#1?kVzmD4f_r=?Db>@2G2Z2kYP#!EDY{Iad%u% iU any any (content:"Let Me In"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/test.yaml b/tests/tcp-rst-unacked-stream-02-raw-ips/test.yaml new file mode 100644 index 000000000..ceceeb89b --- /dev/null +++ b/tests/tcp-rst-unacked-stream-02-raw-ips/test.yaml @@ -0,0 +1,20 @@ +requires: + min-version: 8 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 7 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/writepcap.py b/tests/tcp-rst-unacked-stream-02-raw-ips/writepcap.py new file mode 100755 index 000000000..c96dae0f2 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-02-raw-ips/writepcap.py 
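Review bot: The IPS variant's test.yaml carries nothing that puts Suricata into IPS mode — no `args:` entry with `--simulate-ips` — so, as far as the visible hunks show, what distinguishes it from 01-raw is only the `pcap_cnt: 7` expectation in place of `pkt_src: "stream (flow timeout)"`. If the harness derives `--simulate-ips` from the `-ips` directory suffix this works, but an explicit `args:` entry, or a one-line comment saying the mode comes from the directory name, would keep the test self-describing; the same applies to the 04-gap-ips, 06-http-nogap-ips and 08-http-ips test.yaml hunks. A comment above the first filter such as `# IPS mode: the alert lands on the packet that completes the match, so pcap_cnt rather than flow-timeout pkt_src` would also explain why the expectation differs from the IDS twin.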
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1008,window=65535)/"Access Denied"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-03-gap/README.md b/tests/tcp-rst-unacked-stream-03-gap/README.md
new file mode 100644
index 000000000..cc17663e5
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-03-gap/README.md
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests raw reassembly inspection of unack'd data with GAP. diff --git a/tests/tcp-rst-unacked-stream-03-gap/input.pcap b/tests/tcp-rst-unacked-stream-03-gap/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b20f5d40c1c9ba449cea76a53b60487cce49f32a GIT binary patch literal 576 zc-p&ic+)~A1{MYw`2U}Qfe}bgk?~5uype;!4#);!Ru*O^pg1EFGYe}Y0|OfegDV4r z4oIm3Tgfp-AYcLl155b{3=jht5||ViBzYJZn3?&&rsZr$mV4>jp9n!8?tObd|s|DWe314BSgYGQG!0?5F9XE+#afpWIE4Ah1icpS~ZFE9gN z%x7Tmg&4+siA=-3!wh>pnSsGGPZ4C8?R5?Ycc8dCu0S(|8nzcppnV7s`TzgbI$%I0 QC#Mz{E4ZZQWu~S80Do~=mH+?% literal 0 Hc-jL100001 diff --git a/tests/tcp-rst-unacked-stream-03-gap/test.rules b/tests/tcp-rst-unacked-stream-03-gap/test.rules new file mode 100644 index 000000000..82570ea6f --- /dev/null +++ b/tests/tcp-rst-unacked-stream-03-gap/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"Me In"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-03-gap/test.yaml b/tests/tcp-rst-unacked-stream-03-gap/test.yaml new file mode 100644 index 000000000..e489751d5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-03-gap/test.yaml @@ -0,0 +1,20 @@ +requires: + min-version: 8 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pkt_src: "stream (flow timeout)" + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 
diff --git a/tests/tcp-rst-unacked-stream-03-gap/writepcap.py b/tests/tcp-rst-unacked-stream-03-gap/writepcap.py
new file mode 100755
index 000000000..df3d93a37
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-03-gap/writepcap.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+#pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1008,window=65535)/"Access Denied"
+
+wrpcap('input.pcap', pkts)
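Review bot: The commented-out `#pkts += ...` line for the `"Let "` segment is the whole point of this variant — it leaves seq 1008–1011 unsent so `"Me "` and `"In!"` sit behind a hole when the RST arrives — but nothing says so, and a reader will take it for leftover debugging. A one-line comment in place of the dead line would carry the intent, e.g. `# "Let " (seq 1008-1011) is deliberately never sent: "Me In" must still be inspected and no GAP event raised when the RST arrives`; the test.rules in this directory matching `"Me In"` rather than `"Let Me In"` follows from that hole. The same dead line appears in the 04-gap-ips script, and the 07-http and 08-http-ips scripts do the same with the `"Cookie: abcdef\r\n"` segment (seq 18–33).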
diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/README.md b/tests/tcp-rst-unacked-stream-04-gap-ips/README.md new file mode 100644 index 000000000..26b966a4b --- /dev/null +++ b/tests/tcp-rst-unacked-stream-04-gap-ips/README.md @@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests raw reassembly inspection of unack'd data with GAP in IPS mode. diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/input.pcap b/tests/tcp-rst-unacked-stream-04-gap-ips/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..da81997e2549d0e885a0939017fb2db15cead602 GIT binary patch literal 576 zc-p&ic+)~A1{MYw`2U}Qfe}cTZ}du^$;ZH8#{j{sEX+(maYiO)7S=`v1~v``R|Wl4FcOzyt&amhuxAAO`!9$v4Pp+&Oia^2CV@^sb`*OM6-Jo6MmhTT$TU~p%EV61^=3N>sm)<6^a|NqriU_d1&rxq70 LxTNM~rltS@etB7F literal 0 Hc-jL100001 diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/test.rules b/tests/tcp-rst-unacked-stream-04-gap-ips/test.rules new file mode 100644 index 000000000..82570ea6f --- /dev/null +++ b/tests/tcp-rst-unacked-stream-04-gap-ips/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"Me In"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/test.yaml b/tests/tcp-rst-unacked-stream-04-gap-ips/test.yaml new file mode 100644 index 000000000..2e993fed1 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-04-gap-ips/test.yaml 
@@ -0,0 +1,20 @@ +requires: + min-version: 8 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 6 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/writepcap.py b/tests/tcp-rst-unacked-stream-04-gap-ips/writepcap.py new file mode 100755 index 000000000..cbe933939 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-04-gap-ips/writepcap.py 
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+#pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1001,window=65535)/"Access Denied"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/README.md b/tests/tcp-rst-unacked-stream-05-http-nogap/README.md
new file mode 100644
index 000000000..b577a6a9b
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-05-http-nogap/README.md
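Review bot: The RST in the last packet acknowledges `ack=1001` here, whereas the otherwise identical 03-gap script acknowledges `ack=1008`, and neither the script nor the README says why the IPS variant differs (with 1001 none of the server's data is ACKed before the reset; with 1008 the `"Please "` segment up to the hole is). If the difference is intentional it deserves a comment on that line, e.g. `# RST ACKs only 1001: none of the server data, not even "Please ", is ACKed before the reset`; if it is not, one of the two scripts is out of step with the other. The writepcap.py blob ids (df3d93a37 here versus cbe933939 for 03-gap) confirm the files differ, and the visible lines show this ack value as the only difference.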
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests HTTP reassembly inspection of unack'd data w/o GAP. diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/input.pcap b/tests/tcp-rst-unacked-stream-05-http-nogap/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b0272f70e7f5cbc5150a212f2c008b6393565b8b GIT binary patch literal 679 zc-p&ic+)~A1{MYw`2U}Qfe}cDZTCv|D&}CY1F}Jwm4%rJD9*^l%);8pz`(}A;L58|oSGa)C^4Zz9uVA(+W0k{KAB^YgPaQ>_#d zlaf>zJOJS7N0AGId)AST7i3 zHPsku>V7m+^ literal 0 Hc-jL100001 diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/test.rules b/tests/tcp-rst-unacked-stream-05-http-nogap/test.rules new file mode 100644 index 000000000..5979085d5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-05-http-nogap/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"User-Agent: Mozilla"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/test.yaml b/tests/tcp-rst-unacked-stream-05-http-nogap/test.yaml new file mode 100644 index 000000000..e489751d5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-05-http-nogap/test.yaml @@ -0,0 +1,20 @@ +requires: + min-version: 8 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pkt_src: "stream (flow timeout)" + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 
diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/writepcap.py b/tests/tcp-rst-unacked-stream-05-http-nogap/writepcap.py
new file mode 100755
index 000000000..e5f7df890
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-05-http-nogap/writepcap.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/README.md b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/README.md new file mode 100644 index 000000000..f82be04a1 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/README.md @@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests HTTP reassembly inspection of unack'd data w/o GAP in IPS mode. diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/input.pcap b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b0272f70e7f5cbc5150a212f2c008b6393565b8b GIT binary patch literal 679 zc-p&ic+)~A1{MYw`2U}Qfe}cDZTCv|D&}CY1F}Jwm4%rJD9*^l%);8pz`(}A;L58|oSGa)C^4Zz9uVA(+W0k{KAB^YgPaQ>_#d zlaf>zJOJS7N0AGId)AST7i3 zHPsku>V7m+^ literal 0 Hc-jL100001 diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.rules b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.rules new file mode 100644 index 000000000..5979085d5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"User-Agent: Mozilla"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.yaml b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.yaml new file mode 100644 index 000000000..ceceeb89b --- /dev/null +++ b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.yaml 
@@ -0,0 +1,20 @@ +requires: + min-version: 8 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 7 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/writepcap.py b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/writepcap.py new file mode 100755 index 000000000..e5f7df890 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/writepcap.py 
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-07-http/README.md b/tests/tcp-rst-unacked-stream-07-http/README.md
new file mode 100644
index 000000000..e20c87b9a
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-07-http/README.md
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests HTTP reassembly inspection of unack'd data with GAP. diff --git a/tests/tcp-rst-unacked-stream-07-http/input.pcap b/tests/tcp-rst-unacked-stream-07-http/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..921bbaa575ef8cb771a1033da6bd33b66eaa183d GIT binary patch literal 589 zc-p&ic+)~A1{MYw`2U}Qfe}cX@9;{GKE}mh2V{dVD+@CdP@Iv8nT55Hfq{*K!IgnQ z2c*=2t>hRZ5HJCOfu;Ne28aO+2}}wMk~|Cy%*=dX(+-|QmrY^t11=0(~SWPvCnz|p&R6UrfYg!l>eDkX^b8-@Sxgbv6 bdK(d(SR)4>oM@5r5~yA%Km-_^> any any (content:"User-Agent: Mozilla"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-07-http/test.yaml b/tests/tcp-rst-unacked-stream-07-http/test.yaml new file mode 100644 index 000000000..e489751d5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-07-http/test.yaml @@ -0,0 +1,20 @@ +requires: + min-version: 8 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pkt_src: "stream (flow timeout)" + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-07-http/writepcap.py b/tests/tcp-rst-unacked-stream-07-http/writepcap.py new file mode 100755 index 000000000..81952ff74 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-07-http/writepcap.py 
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+#pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-08-http-ips/README.md b/tests/tcp-rst-unacked-stream-08-http-ips/README.md
new file mode 100644
index 000000000..305ccf6ef
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-08-http-ips/README.md
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests HTTP reassembly inspection of unack'd data with GAP in IPS mode. diff --git a/tests/tcp-rst-unacked-stream-08-http-ips/input.pcap b/tests/tcp-rst-unacked-stream-08-http-ips/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..921bbaa575ef8cb771a1033da6bd33b66eaa183d GIT binary patch literal 589 zc-p&ic+)~A1{MYw`2U}Qfe}cX@9;{GKE}mh2V{dVD+@CdP@Iv8nT55Hfq{*K!IgnQ z2c*=2t>hRZ5HJCOfu;Ne28aO+2}}wMk~|Cy%*=dX(+-|QmrY^t11=0(~SWPvCnz|p&R6UrfYg!l>eDkX^b8-@Sxgbv6 bdK(d(SR)4>oM@5r5~yA%Km-_^> any any (content:"User-Agent: Mozilla"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-08-http-ips/test.yaml b/tests/tcp-rst-unacked-stream-08-http-ips/test.yaml new file mode 100644 index 000000000..2e993fed1 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-08-http-ips/test.yaml @@ -0,0 +1,20 @@ +requires: + min-version: 8 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 6 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-08-http-ips/writepcap.py b/tests/tcp-rst-unacked-stream-08-http-ips/writepcap.py new file mode 100755 index 000000000..81952ff74 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-08-http-ips/writepcap.py 
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+#pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
-- 
2.47.2