From 9a98ed099bab42861b72d7145ac68ce66e5b08b3 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini <jufajardini@gmail.com>
Date: Tue, 24 Sep 2024 18:33:54 -0300
Subject: [PATCH] tests: showcase endswith, distance + within usage

Suricata docs state that `endswith` cannot be mixed with `offset`,
`within` or `distance` for the same pattern, but apparently, at least
from Suricata 7 on, this seems possible.

Tests created based on material and scenarios provided by Brandon
Murphy in the Redmine ticket.

Related to
Task #5030
---
 tests/bug-docs-5030-01/35_bytes.pcap | Bin 0 -> 408 bytes
 tests/bug-docs-5030-01/README.md     |  18 ++++++++++++++++++
 tests/bug-docs-5030-01/test.rules    |   1 +
 tests/bug-docs-5030-01/test.yaml     |   9 +++++++++
 tests/bug-docs-5030-02/39_bytes.pcap | Bin 0 -> 413 bytes
 tests/bug-docs-5030-02/README.md     |  19 +++++++++++++++++++
 tests/bug-docs-5030-02/test.rules    |   1 +
 tests/bug-docs-5030-02/test.yaml     |   9 +++++++++
 8 files changed, 57 insertions(+)
 create mode 100644 tests/bug-docs-5030-01/35_bytes.pcap
 create mode 100644 tests/bug-docs-5030-01/README.md
 create mode 100644 tests/bug-docs-5030-01/test.rules
 create mode 100644 tests/bug-docs-5030-01/test.yaml
 create mode 100644 tests/bug-docs-5030-02/39_bytes.pcap
 create mode 100644 tests/bug-docs-5030-02/README.md
 create mode 100644 tests/bug-docs-5030-02/test.rules
 create mode 100644 tests/bug-docs-5030-02/test.yaml

diff --git a/tests/bug-docs-5030-01/35_bytes.pcap b/tests/bug-docs-5030-01/35_bytes.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..da63604d5d29f38690c5bcf03e3dbdf157fdb89e
GIT binary patch
literal 408
zc-p&ic+)~A1{MYw`2U}Qfe}cjzWkZ!HkpyZ49EuINwbbN=ge{FJiW!yn}flXfk6YL
z%z<sy`~xdinynGo<#1{#LjX`A7s!+VCIyBsn;@pVn}#rD|4glwD-`lWbf&C2fNBcJ
z1dvG#0YGyY7*c?kJ3t6%iY>&HDKinK*guKC$QUj-Pryag2(MeXK^_SZ0GeV4F-2q^
zBSQpG5QOJHUih=Xzi66)>F3p8Q@o(2)M7P7LV@8e4+BF5I;f0910Z|0E<m_;9{2oW
Y?Yh{86(5g&!t3W$Al3!DR)&EA0G`-)2><{9

literal 0
Hc-jL100001

diff --git a/tests/bug-docs-5030-01/README.md b/tests/bug-docs-5030-01/README.md
new file mode 100644
index 000000000..984bb5806
--- /dev/null
+++ b/tests/bug-docs-5030-01/README.md
@@ -0,0 +1,18 @@
+# Test
+
+Showcase the usage of `distance`, `within` and `endswith`, as proposed
+in https://redmine.openinfosecfoundation.org/issues/5030.
+
+## Behavior
+
+There should be an alert. "The distance and within effectively limit how much
+of a payload can be present while ensuring the packet still "endswith" the
+desired content." This happens for this pcap.
+
+## Pcap
+
+35_bytes.pcap Shared by Brandon Murphy in the aforementioned ticket.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5030
diff --git a/tests/bug-docs-5030-01/test.rules b/tests/bug-docs-5030-01/test.rules
new file mode 100644
index 000000000..57e1b614f
--- /dev/null
+++ b/tests/bug-docs-5030-01/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"Test"; content:"yYYYYYYYYYYYYYYYY"; distance:9; within:29; endswith; sid:1;)
diff --git a/tests/bug-docs-5030-01/test.yaml b/tests/bug-docs-5030-01/test.yaml
new file mode 100644
index 000000000..b5452bebd
--- /dev/null
+++ b/tests/bug-docs-5030-01/test.yaml
@@ -0,0 +1,9 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/bug-docs-5030-02/39_bytes.pcap b/tests/bug-docs-5030-02/39_bytes.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..79653270480d08af53e79c4b76040ef6c1f64585
GIT binary patch
literal 413
zc-p&ic+)~A1{MYw`2U}Qfe}dSz5bcF*Pe&L49EuIfA`s6>R8suRTkJLaWJ?tFld03
zIk2socVNXz^ECpy98N7|2mmVN0+|xPq`>fHBg7PbXM`ymHU-rME@w7UP0D|YY6{2%
zkVy;yKyw%vQh=B{KnQ4x4aAg{t_V}M>VBNmcsyHiyJ$fWUbk=qacY17&=gyUDNj9l
z7-E5fAe?lq#M&nN9^YP<C11d%_(M%8$7+g%0>j}l28IfB5CH;}k!S#9S+)<t$#1XS
aO8-5fHnC{Nwu^W@o(jZ9U?+<)FaQ8c5qFOO

literal 0
Hc-jL100001

diff --git a/tests/bug-docs-5030-02/README.md b/tests/bug-docs-5030-02/README.md
new file mode 100644
index 000000000..c63bed01b
--- /dev/null
+++ b/tests/bug-docs-5030-02/README.md
@@ -0,0 +1,19 @@
+# Test
+
+Showcase the usage of `distance`, `within` and `endswith`, as proposed
+in https://redmine.openinfosecfoundation.org/issues/5030.
+
+## Behavior
+
+There should be no alert. "The distance and within effectively limit how much
+of a payload can be present while ensuring the packet still "endswith" the
+desired content." As the content is greater than the 38 bytes limit (9+29) set
+by the rule, the signature isn't fired..
+
+## Pcap
+
+39_bytes.pcap shared by Brandon Murphy in the aforementioned ticket.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5030
diff --git a/tests/bug-docs-5030-02/test.rules b/tests/bug-docs-5030-02/test.rules
new file mode 100644
index 000000000..57e1b614f
--- /dev/null
+++ b/tests/bug-docs-5030-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"Test"; content:"yYYYYYYYYYYYYYYYY"; distance:9; within:29; endswith; sid:1;)
diff --git a/tests/bug-docs-5030-02/test.yaml b/tests/bug-docs-5030-02/test.yaml
new file mode 100644
index 000000000..7e74da891
--- /dev/null
+++ b/tests/bug-docs-5030-02/test.yaml
@@ -0,0 +1,9 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+        event_type: alert
+        alert.signature_id: 1
-- 
2.47.2