From 5f980473fa0cfcca7d4f49d0257e2bbcbe9d9030 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Fri, 20 Jan 2023 13:18:43 +0530
Subject: [PATCH] tcp: add test for bug 5379

---
 tests/tcp-5379/README.md | 8 ++++++++
 tests/tcp-5379/input.pcap | Bin 0 -> 174 bytes
 tests/tcp-5379/test.rules | 2 ++
 tests/tcp-5379/test.yaml | 13 +++++++++++++
 4 files changed, 23 insertions(+)
 create mode 100644 tests/tcp-5379/README.md
 create mode 100644 tests/tcp-5379/input.pcap
 create mode 100644 tests/tcp-5379/test.rules
 create mode 100644 tests/tcp-5379/test.yaml

diff --git a/tests/tcp-5379/README.md b/tests/tcp-5379/README.md
new file mode 100644
index 000000000..c51e3f471
--- /dev/null
+++ b/tests/tcp-5379/README.md
@@ -0,0 +1,8 @@
+Description
+===========
+Illustration that if there are trailing bytes in a TCP packet, unlike UDP, TCP parses the
+correct data and alerts on it too.
+
+PCAP
+====
+Created with Scapy.
diff --git a/tests/tcp-5379/input.pcap b/tests/tcp-5379/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5508813ff47f9d5741aa4b04c3908066317bebe3
GIT binary patch
literal 174
zc-p&ic+)~A1{MYw`2U}Qfe}deIG##2)#PSq1G3w|;vfJ~!@=Onz>oq`=D=1nu^y-a
Zgc(E_0$`>DFexxNd|+U3qyV^J0RVF{C-49O

literal 0
Hc-jL100001

diff --git a/tests/tcp-5379/test.rules b/tests/tcp-5379/test.rules
new file mode 100644
index 000000000..2d487261f
--- /dev/null
+++ b/tests/tcp-5379/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"Ends with AAA"; content:"AAA"; endswith; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"Ends with DDD"; content:"DDD"; endswith; sid:2; rev:1;)
diff --git a/tests/tcp-5379/test.yaml b/tests/tcp-5379/test.yaml
new file mode 100644
index 000000000..7c3296df4
--- /dev/null
+++ b/tests/tcp-5379/test.yaml
@@ -0,0 +1,13 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 2
-- 
2.47.2
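Review bot: Neither rule in test.rules says what the pcap carries, so a reader has to reconstruct from the README why sid 1 must fire and sid 2 must stay silent; the two `endswith` contents only make sense together with the packet layout. A one-line comment at the top of the file would make the intent self-contained, e.g. `# Presumably the TCP payload ends in "AAA" and the bytes after the IP/TCP length end in "DDD"; sid 2 must not match because the trailer is not payload (see README)` — the exact byte layout is not visible in this patch, so confirm against the pcap before committing the wording. Suricata rule files accept `#` comment lines, so this adds no parsing risk.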
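Review bot: The `count: 0` check for sid 2 in test.yaml is also satisfied if the crafted packet is never inspected at all (dropped at decode, or not seen as TCP), so the test can pass without exercising the trailing-bytes path it exists for. A positive check that the packet was tracked as a TCP flow would turn the zero count into a meaningful result; the eve `flow` event carries `proto`, assuming flow logging is enabled in the test's config, as it normally is in these tests. The reason for `-k none` is also not recorded; if the Scapy-built packet carries a checksum Suricata would otherwise reject, a short comment such as `# checksum verification off: crafted packet, see README` above the args would help the next reader.
```yaml
checks:
# … unchanged: sid 1 count 1 and sid 2 count 0 checks …
- filter:
    count: 1
    match:
      event_type: flow
      proto: TCP
```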