From a6d39deb00321377051d5d6d25af0e9ae2a0455c Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 26 Apr 2021 15:29:25 +0200
Subject: [PATCH] Adds check for http.host.raw keyword on http2 traffic
---
 tests/http2-keywords2/test.rules | 1 +
 tests/http2-keywords2/test.yaml | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/tests/http2-keywords2/test.rules b/tests/http2-keywords2/test.rules
index 83cbe026e..da9cbe6c4 100644
--- a/tests/http2-keywords2/test.rules
+++ b/tests/http2-keywords2/test.rules
@@ -7,3 +7,4 @@ alert http2 any any -> any any (http.stat_code; content:"404"; sid:21;)
 alert http2 any any -> any any (http.server; content:"nghttpx"; sid:30;)
 alert http2 any any -> any any (http.method; content:"GET"; sid:31;)
+alert http2 any any -> any any (http.host.raw; content:"nghttp2.org"; sid:32;)
diff --git a/tests/http2-keywords2/test.yaml b/tests/http2-keywords2/test.yaml
index b6f51bfab..d409e18aa 100644
--- a/tests/http2-keywords2/test.yaml
+++ b/tests/http2-keywords2/test.yaml
@@ -45,3 +45,8 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 31
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 32
--
2.47.2
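Review bot: The added sid:32 rule in tests/http2-keywords2/test.rules matches an all-lowercase host with no port, so the test only shows that `http.host.raw` is populated on http2 traffic. It would pass just the same if the keyword were backed by the normalized `http.host` buffer. The matching `count: 1` check in test.yaml pins only the alert count for that signature id, so case preservation, which is what separates the raw buffer from the normalized one for detection, is not covered. The capture is not visible from here; if it holds only a lowercase authority, I would at least record that limit above the rule, e.g. `# http.host.raw: host as sent, not lowercased; this pcap only carries a lowercase host, so case handling is not exercised here`. Mixed-case coverage would need a second capture in a separate test.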