From 5e6060b8fdca1bc68bef824b51f60ce9a022617b Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Tue, 5 Mar 2019 14:09:05 +0100
Subject: [PATCH] Adds a testcase for http invalid request line

---
 tests/http-request-invalid/README.md  |   7 +++++++
 tests/http-request-invalid/input.pcap | Bin 0 -> 54007 bytes
 tests/http-request-invalid/test.rules |   1 +
 tests/http-request-invalid/test.yaml  |  15 +++++++++++++++
 4 files changed, 23 insertions(+)
 create mode 100644 tests/http-request-invalid/README.md
 create mode 100644 tests/http-request-invalid/input.pcap
 create mode 100644 tests/http-request-invalid/test.rules
 create mode 100644 tests/http-request-invalid/test.yaml
diff --git a/tests/http-request-invalid/README.md b/tests/http-request-invalid/README.md
new file mode 100644
index 000000000..6b145203f
--- /dev/null
+++ b/tests/http-request-invalid/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test http invalid request.
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/2655
diff --git a/tests/http-request-invalid/input.pcap b/tests/http-request-invalid/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..fdf5dce580c39bc5f244a8ece71326399a191b1d
GIT binary patch
literal 54007
zc-rk<eUKc*b)P$sk=I<IOHl=>qHwcFAj!KkyL%tpt?mw_yAx9Mb-6nsQAu&0-Ra$(
z-0aLUGkd2K0#uN4VV5C>RQSVz7$giPF%T01F~o7OW4>a?K>`zOa0CWHtONwO06U?`
zdp#dFGrK#dqYy4kUuo`kXS#p=`t|GAuix~q^wjt7y|rC9QJDWZQD}qT2fldsAN~B6
zHsKH8GhR!Db04|tG5CGmUvFM2j0(cQD>q*tT<|IRU;g<UeV>Bsg!?uNV>^%jLPCsN
z+RbHeTq6kWCoZ|~#P+3$!#!{R9o}y{;e?YA`Ny}0kQt_fkH~_6$QuiYis-`FeVcE7
z>Px2pdghkjyOhlQ=RER5C;rnCME8&n0rEOPUDr(J?pOYb$^5SonKOXCZ0|DR<u~?%
zjBSp*h>VCU_O%IZ?E<@^h;47Z@-;;K{AZdXo-Vxn*7;$?v27ERL{fEy?h-3@RU;cF
zC$nC(bxFf2Pyvi&(R+uJAh^om^_iR~6O(`(CAhbLQ%-KwU^QjeG+D|Y~dF>8^n
zlO&rFGiwOk=<QxZcHu8`Cf}PAGpopjv^Z@@xlA?#|FUGgYSNOiOTvd8iM7QdtpTo0
zci9rkl9FpRO)bi{YUt7~yz{wT(YsY`&834Gu|Kt1TFpN7c|hsSvR<ysWtt~uJw3iX
zW!9YnDXOQpPq5ED@R@z+@@tLiMMF{ba-NiTtF;tSXi1Z8+L0JGbQ}7eo}8-zWJrkg
z?Cfm1WSG@--P9-oP-VWtW~!I%N}l9$?4C}GSSwGaDXpbtO`QSo?X|KgD>S`Pw`j3$
z()2jJv`#JCf&u7AbR;yRtm=a$!#JlVTh^>$DuV^t>`0(Nyt*%BVqxR$zIqQD#1H-_
zV!X?C9)0O`FtH=2CLM$D3>Oil+uDRLoguI*ig?DJt1m~yJ8x@+*ztH6(X%L$%Vfy5
zO&y65&?lOYo+7y}vbJWzlWZT!^yj;B`D~V4xMi{<F+t54YUbgwT&z$jCw7ZaX65!m
zUAOD2Iue^@%T8~Bp(?3V$&(#aNs(+fSx*ZNS~i={_2j#A4%+CX3?rJ%6}$S=J-t0S
zxu=xv@6Yu1CjEgQ2XmpI@4}o-t;W&IX1j7Q6q|6+*5aUnp{iAC)a}8Z6sgL)2EnMq
z13X_gYCXP*<Jcw!&KlV^JbCfhC}A^jZ2P*+8;40UElE4Nh9zlaa)j*MFu7$j$-+#V
zG-cgVu>o0=q|vQOlC0QvEiXx6gyL+MXqaVba@?6OS*+}SOxuB)qGBt_p~L`d5GIjs
z4K{%R74<u{p)4T-XQk8dhY(Ngq+}XZVpk{`p#@deiD9Z>r?N(1G7x8|SOpv`Qm-j6
z@Gw>|KHcd|S329z9!^lu2sUm(>zZ8Gi<O$Jh&r{ULcMHB*<4>=Z+`~LrqfJ}3YC>1
zR&}6CZJE_g!+cR^29rTOCrQ!yHkkAkzJ?SlvT0F!aQo!?bYGH4E|RU<8Xa=1E$7M(
z-73j-%_d{ajcl|D%)Du9KynH@6)k&Cqr`^x+-8cFl_XWFsPbUaDw>q)Ona-zWvoI~
zHbF;ulBw+qUTfGx=(yv2nmoNc0lx}{GM94f<g##$E+`qe)+E^Df?S*~n?_w%(nUiv
zU_zZe(l@ehH0M4qfrip0xvFY&d2$go6<L>4!~#o6gR56dYvxN?>TZhjpk_Nav9svE
z%Fvl2XqlS6l!`hdR%KP6s)6D>K@G?Fz#UWYs4y!W7)7;enhdSmazUf6ShK2vlddn5
z@q6OvEnP5d+o<N9E(Y#vv;=F1T(^zTZ7|46=zePrJNg3G3QL^Ze$H#ez3r(mm(88m
z)fali%pgxJLsOO3x?j(J+~*4@5Op_&woXk~g%#@broZ2l%as#c&x)8vd)D`^Kd&XW
zRfCxuw#{r$Ksi10+6mf0A2#XVoOMMj7@E?uCAC_PG}IMnr#m_d`KB`fL7Ayc8Ko(A
zf?F<ZQKK?cLtF5y25i6^%m!mx#H49Ca86rsvQ4Qrt+o`faRfctx|<v50<w8GGwf&0
z2bNckj8tzxn%>B8xHYFNXXR@$#vihdBMnYr;ix}E_4T1yIe%l+6SV4#W7Y93)l3@c
zW1p*;zNXH+&wbJt5+&?vvJqF~`V$4*9aWk-A+HMyP5VF}9Zb~*y%vw5o1sqno_B%K
zck0%)RO^SD8aG(kXaio|kS`3ad%doC^~RZ3-)R5vx?IE#JezCj$RdkhZpASzeqoWP
zOo){(YbDq4NG{vGKCXJ%q;sw7_pk5o>g)CEizUr~<y9|FQH@qXv<22*R(uhDAr&|5
zp4VXNQE1UHWv5Nu(CM)(7p+>&YpOn-TBy*B3Vno~z(VEZBKF_&$qg=HVQDJHjBkle
zh9opK8%-^K>V*5+qDY{pam7L%Z59g-kE|c<ZRr~q67++p!D}*rJ_8d8_6CLnb-5E)
zOUzrbfM4<={s9bs-MAYn!g30`;lZRIY9^g$;itg}Bsw?z3Qz^36U!_PCM6ZRYe{vs
z2S~%#+YoDdIZ0#<b`tK+U^CoJdMz}dNFUbQMXUyhKNy~jM7gm8W@CFmyX;$UCa
z*zLv`DX#N@iV=6)#21Cco?N?b^C;Q2o(yl>Iyt&^av~rs6R%ktEhbj1eg<HtXVTJO
z@@%;P+wSDhTKqF0$wSA#Mc6cAb|5)4?0ooWTD6J>>|%!|@XtrnVoB9lFAcq<mI?dT
zx?%T=vn!9v5se9(2$1*y<_9ZjSahtZDuYSaCL)?4{-*t`V^Ll+Hy3WM7X0Q;fQo7n
z_=kBA#htXXR4W=)O4$ClZo%?z8?Y!^HY)|oq6saK1}GS3XTc;!iIwzxg2l37L@wF5
zjnXZM;54_O?l}x=&VrG)#0FGQ0f<+SQ4A=KxGY;DYZx6c5#hFz!bv$fo!N?7tgw<U
zxFbjdG~At*Avi2!3ot&g*eFc|D3Lj%PKw|NO&CVNh0@q=3Sv=GrLvCNlkGs4SsvQ!
zw%cJ4U$z^-85k~xC;|>ON>ejYmD-$0E{2A!ic!}TSUrYJTGQkrbt<8G4@iX}vQjgO
zn3`$^KVaKK(u{0kUW{ds0?G0L2_CK@1zIvp%92g0UdQHPu$`f#*l{!1nV@zCq*`zm
zG&e6-c`~#hLl|XNWeqLLbW8;MObbr`WnF>&f_|<|rgdW$#*k^$RW)d*0h-O3lv~C$
z3g9~CqQl{7wpa(7)omzH*X0>m)zHrnr4G6@8h~*@hKVHWMcULF5EvT-S3p2dmTK8n
ziqv3pY&m*_xW#Y%T#LvG?Bk)3i9tf629IH8huuhX7vekl1}EbDI9{>t&d_Zzm@_J!
zJ#K!*nR(EA&k1<Wr5KU}C!Sg=Q5+pVA=>~}uYvZcTx|}LVzy(|G?<Psat7Ec^bYg5
zxB`GJ+iDdyKnmt{8=!HhP1*7Cv#MS3T!w8Jnk9mJq!Ec7N7c+AVTP9K8rYa(6zjN3
zK$EK8P)w>@resxMN=Q&pk{$g><D+Xwwv397BNNNJac+xboPutc`(<+;f=o0lY^DL%
zYn6#9l9Aw7zb2b*u3xe(s+E{uD>SOSgt0Iw%n`X*q?X0}0@U{xTd6ARby-UeIe&4T
zC8{$w(CN6nN`p|$&$RHpAdqYYJS21Q=n-9S6P+vzt!2@{(q!;HHtRif(=)}O5@J^)
zG*21Tu4%@sm5-CggkWEy_WXDz_CQ?ge!(3`DY3^b{CNy`YldlC?tS=PH54liJ_nqN
z;upjRt3?Pslu+H(^VRS}L$yd5^g>o#p-`_(8tPYFYgDuUP*Yn!bQhnX0+=Cqu?9NX
z@L<J3;Y=1W6sXm0r+!VPV3#m6$`rnuXsN1R)asa4fxV6fYc)23-xk#htVk6Kv)q<V
z4EVtHMCOgyS|1WBq{U-=Gud}r?CbPf*z5Gi!!N&Idj007Zr{0gS=&W{*Xj3puhS0!
z;zXywuIRhY&e5x{Ld5%i5`Nct`%d<*^K{`z`wiiDoyRt$^OoxmsI1M(bCx>*fj4V$
zP>lvKKgs~<g`Elo{|xIVWy7GsGD_K?GAWvR^pJChIMy`*_r<2=tQLL<<@!H}5G>np
zmI+y(!<VBUaG)1f;&4N!QFXrS47vh|sW`RJkObX;Q-yUBABASW`%F<WfHzDP8fNi|
z8apj&I2DR@O*W%Tp{~|y)VAD!8&(4J=pcU`x|AYi4T3Ul5!26<%eZ1eRq)p{s%gW*
zLMnz8S?}SwNv#@X*&&FMkJmWCax&*cuGkU_vBAq&b5+c6F*oByl5r@-CZp}m57i9x
zBo1VC+HXq&#5x8oI4n+t0%51SNhnZv6qGnL=tZ5a=osBssD?r8LM9gXJiHBe-^7C)
z7`a=b;zTs~O1@ZD(*;$>XCiz)|I#`&=LY2*)xl_zL+%HRB~r(=Jw>(L2Axj}w%9y|
z`Dj&yGuhD*e)>q1<TdGjT)52z_2lf_bmh0KOPrLBE}eDkBhaPSr28?Hm};d-5s#NN
zI0~HNY**}T2w;T-*TD7~c#6vj|Bs_jB+x<GoMYQ+H?QFad1QobsM$&e>o@H2<DjSx
zF5b}DOP(3oRMEMCYj;<|Ry#d6gx4umF#2n@bqV~iFb>u|SleNxQk)$gONwBq4&k9K
zDqh6ytc{@1K-^lioivFUJ5+_CVNe7*R0fUvJ2Zk2uCwOC=5SVp;8Zu9#2!oFFrgNR
zmYS+#p-~Qg4+iq?UVpKvhCs3bwsodq*e#O{-sY2xLn-T+8eTBV(0tFgZqCz9%G<mt
z2Fwi9u#DR_cLNIwHjR3@;z#oZ6Sj10Z{4_&r_~_{0tY1c>ja51F1Ak2$^gUmGHzh2
z!3<lAU@hu6@Q)%o*1^06Xw$+of)Xr6cuir33=Bqe4zJbf1x+nZIXSx~ULzRJtz^3w
zH{4t0M}hM>2ge#$qT>K9G$z&NPlj5nL^pkB`gt@bY>=4(y?g^fOK1S{R75q4f=m!a
zt+eV8B(m+kBa>y$xH(8n5mx0nHmh+`Lp*6yjP+UTEi)agWxxA#K5%dw-mn1;PnyU+
zzI9%~n}EKJ1w{bOG-O&`2Y#_pZ@|MXM^&D7)2qg;9tw6r%R0V0@X$m*NAG9K8q>%I
z9_yG<jk<*|$T1V?MddZqm{Aq@TA;S=yppJ!sy#<AG2$lb3&yS(wR}K#;X4aF2iek7
zj8ojnp;e7JDOKyZr6k9k3@xrq-d@XnO9~P?^8&Mes7#YdMNo2gL25wrl1Y9dYd(1>
zk`2Zz<{(o9iWH~812j~h_Xv1!6dMx5r$-&pq|aGkBSq@jadL?6f_VY@YCr@GS8n#!
z%S-H=zJg_#U$a<DTwGes)mu;}7>cMRwTQZM_j~j6du+oPb36tnW~^1sj5QF<xcY;Y
zA6>Q^Jv5{#TZ-%%r~f7*U^T&y0psys*e4^!U^QlM=m*#Y22f0~9F9-g+{%(Rk2NN3
z9#Ho#Yx`=mq|K!p6LE<97~-Q%5j%s3@BY$5T)8O`cZmKA>=6Ag!fBufR6sqtw^KOs
zQoEl9x&cuUv3FCfjQg34k3?iV3aEb)?)AGz5cOF=oVxYo82-!ihY@l5G9PiPFm_$#
z$)7dlzx1B^oX3Ab<Uikc^5Xa}Tfckw=H-C?9P(e@`FW84@`FD^bPstyAh*`S^RF<O
zuZqb09H6fV@m~NDkrD9-AU@e9u&aUp^8M#uMMU+@rijRYIVFt9`7ev*zxZ^Pt`D2e
zlIuv|06)F|<d~^=?Li#ihi;4*<BIDl2d9yJ@)v*TO-08L5%H9-pDg@kT3}ZcF@5c|
zPa)!U15FW67ml3y(=g&9`7C{$&%*gEoX^7fES%56`7E5z!uc$m&%*gEoX^7fES%56
z`7E5z!uc$m&%*gEoX^7fES%56`7E5z!uc$m&%*gEoX_&R&u8IW5zZCiToKL{;am~U
z72#YF&K2QY5zZCiToKL{;am~U72#YF&K3E@aYgW`_V0f^mM`#Mj4!Y^e7gVO^mh+G
zaYcwV(R=FicwGCZfcS;&C&eNDk|AE%6fwvZ={-&L5Kr52QrrRc=h*@EFNcqlKXC=1
zYRDB)9`TNoKaxXKL_B*(tc*vPj8{Zt)ByF$aIaCuM{@rSh`Zlh8p9RY{WpmCZ}<C%
zW5U?ry~>K_T#-x8_P8R5{PbH(7snMDdtuMRmjn7a$Q3#DdqJ+qGlvk}L;f`&x7Nb$
zZ!(#`6Os8GK))i)6}jYWL`K9v{?$_9wKjoW4P22!yYE88A1!N&h+L6W7?E>Dj_3cC
z@*xsQKtde-1HW1tGf!Xa$I&lmB9?l^;Jx$!5=rho&6}r=l_FyG?WHk9k{9!c*#DEJ
zh#?}$GcO?G;)o<&=W!wlCz5a?2`7?pA_*swa3TpOl5ipkCz5a?2`7?pA_*swa3TpO
zl5ipkCz5a?2`7?pA_*swa3TpOl5ipkCz5a?2`7?pA_*swa3TpOl5ipkCz5a?2`7?p
zA_*swa3TpOl5ipkCz5a?2`7^L&JjuQsP^8sW61<}Gcv(L;iLcbzzcg`dnQb&xMVpV
z*G9zE?<^Hov<vKt9{z4W?Zsh4q{HFE->*I69sb_3zs2G2?o5WPlNI8gZ2yo>fk#hi
zcV)8SGuTB9R>YRaujfw#tCo@O>+9)Hv-9@zC$ibO>%fWZjiZz6og>-oNlwhLL)h+7
z>LK@RvU{31(r5qNuzR4vJ<Tvs$qt1|!S@7M`o-vey*R)^Z!UvnvNGQ589&d9yKdNE
zqm45643VX-hyw)^&o?uR9H^M^OI8#xZfmHyKFNgpn$afN+<9U~#DN>bY1Nm3N$b{4
zxQ6K2AsS8QomexxhneAnjb?cCK`_H_H8aDZcVbx$BaGFsB5a07A7p0ODIB@#*{~TR
zqPX(YaWeiblkwY4WPE6EXGq43C*$GOpN^Apl*za}BI84VdJvfxS3Ty-_!6SN4Tujv
z`WfLr01dA;;gT!g|4l+TR}k76;u9DDJKXJ@xd+hNUVs1n-#q&2Nt$r~`Oj`iPmHb|
zAKpM#2e~@iCMNN}FX<O^Jw5J~$!GhKrLbk~);vjCmQu^J4Id1867KF~bQ7#rH+6U-
zYw0RP6{>TJJq^KN9?eZHQuZ(pg||<Pj;GgNIJy-oU1%6(h(?DYl&w;!w;v3stGoX^
zF$>ecB?IB)dI$O`rIy6-wl*;i)O&yLkHxq!w(tGIzUI8GYkb}oBA=gLvN+z>c-sxT
zCjfmv^0xMWG059`QATtRc`G2dwx3OmW%b@aMr7U(=#ydI)-}r!84<4s#P75T>}ud`
z-Lr`~@Bh1?DdOqE%WwW~7?Ja~7Qx&45NTN5j!A3ck{D;O<0c%;H+~c`yvcp<D`%oJ
zSbK`+44Ba^N5mgXON1|-A+Rfoc*dR`HzVTHf7%MM<MA-!;%Hdi{QvXeG%QZT;xsHy
z!{Rh7PQ&6fEKbAXG%QZT;xsHy!{Rh7PQ&6fEKbAXG%QZT;xsHy!{Rh7PQ&6fEKbAX
zG%QZT`UKFh@Xh42QtYd6cHHB=2g5I}l{4FJxbddF%i1n#_9}cTvqYHa6xbDg*V#F`
zV;>?Ox<CA`^TwOlyUx>vBkebY-*s}T7^jMHsu-t=ajF=nigBtKr;2f^7^jMHsu-t=
zajF=nigBtKr;2^zsA8C6p_$mE4dcJO_wB}{%^i1zsbcd<n=^AuVyI#}Zb!t|4~3I9
zciiPAZGQIE76;T9M-@BPlj@u*_S>h5q0ubQ#hT%_m>K><qZ!`$l`vK8niZZIcI9H3
z7k4n`#rMKyc;{D`8FmUsIuA55FHSo@R>pgoj1M%C@%k`T?3$IHj9*(9E8{nqj1Na-
zydF?Li(HP*ANn#D5S8U%e;7*@dy-Mb?*4dF#omQ}e)h@OejZ@`yzArL&tId>9gOYg
MLDtW2e!Tnn|9dvQJ^%m!

literal 0
Hc-jL100001

diff --git a/tests/http-request-invalid/test.rules b/tests/http-request-invalid/test.rules
new file mode 100644
index 000000000..03a06775e
--- /dev/null
+++ b/tests/http-request-invalid/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"test"; flow:established,to_server; content:"login=foo&password=bar"; http_client_body; app-layer-event:http.request_body_unexpected; sid:1; rev:1;)
diff --git a/tests/http-request-invalid/test.yaml b/tests/http-request-invalid/test.yaml
new file mode 100644
index 000000000..e2e2f7d61
--- /dev/null
+++ b/tests/http-request-invalid/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 4.1.0
+
+# disables checksum verification
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
-- 
2.47.2

