From 81315504cccb4f4bab68cae87866968c1f19d1aa Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 14 Aug 2024 22:24:58 +0200
Subject: [PATCH] http/gap: fix check for payload_length Change to suricata.yaml illustrates bug 7213 There is not yet a valid http1.response frame for the second request after the gap
---
 tests/eve-payload-07-http-gap/suricata.yaml | 3 +++
 tests/eve-payload-07-http-gap/test.yaml | 8 +-------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/tests/eve-payload-07-http-gap/suricata.yaml b/tests/eve-payload-07-http-gap/suricata.yaml
index 472f7d88b..941508867 100644
--- a/tests/eve-payload-07-http-gap/suricata.yaml
+++ b/tests/eve-payload-07-http-gap/suricata.yaml
@@ -7,6 +7,9 @@ outputs:
 filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
 filename: eve.json
 types:
+ - frame:
+ # this should not affect detection (but it did)
+ enabled: yes
 - alert:
 payload: yes # enable dumping payload in Base64
 payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
diff --git a/tests/eve-payload-07-http-gap/test.yaml b/tests/eve-payload-07-http-gap/test.yaml
index 92d5e50f3..b469a94fc 100644
--- a/tests/eve-payload-07-http-gap/test.yaml
+++ b/tests/eve-payload-07-http-gap/test.yaml
@@ -40,13 +40,6 @@ checks:
 alert.signature_id: 2
 payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n"
 payload_length: 136
-- filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 3
- payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n[127 bytes missing]AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTTP/1.0 200 OK\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\nHello People\r\n"
- payload_length: 324
 - filter:
 count: 1
 match:
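Review bot: In tests/eve-payload-07-http-gap/suricata.yaml the comment on the new `frame` entry does not name the defect it reproduces, so a later cleanup could drop the entry as unrelated to a payload test. The ticket from the commit message belongs in that comment, e.g. `# regression for bug 7213: enabling frame logging must not change alert payload output`. The checks visible in test.yaml match only `event_type: alert`, so nothing confirms that the frame logger was active during the run; if frame records are expected for this pcap, a filter on `event_type: frame` with the expected `count` would pin that precondition. The eve-log mapping starts above the hunk and the `types` list continues below it.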
@@ -59,6 +52,7 @@ checks:
 event_type: alert
 alert.signature_id: 4
 payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n[127 bytes missing]AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTTP/1.0 200 OK\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\nHello People\r\n"
+ payload_length: 324
 - filter:
 count: 1
 match:
--
2.47.2
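Review bot: `payload_length: 324` is now asserted only on the signature 4 check, and with the removal in the -40,13 hunk the visible checks no longer mention signature 3 at all, so the test passes whether that rule alerts or not. If signature 3 is expected to stay silent for the reason given in the commit message (this is inferred, the rule file is not shown), pinning it with a `count: 0` filter on `alert.signature_id: 3` would keep that detection change visible in the test. A comment such as `# sid 3: no valid http1.response frame yet for the second request after the gap` would record why the positive check was dropped. The filter entry this line is added to begins above the hunk.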