From b8eca29f32b6a82aca641ea59e3ae8543669c466 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jeff@lucovsky.org>
Date: Thu, 7 May 2020 09:27:07 -0400
Subject: [PATCH] tests: Add file_data/strip-ws transform tests

---
 tests/detect-strip_whitespace-01/input.rules |   1 +
 tests/detect-strip_whitespace-01/test.yaml   |  12 ++++++++++++
 tests/detect-strip_whitespace-02/input.pcap  | Bin 0 -> 5318 bytes
 tests/detect-strip_whitespace-02/input.rules |   1 +
 tests/detect-strip_whitespace-02/test.yaml   |  12 ++++++++++++
 5 files changed, 26 insertions(+)
 create mode 100644 tests/detect-strip_whitespace-01/input.rules
 create mode 100644 tests/detect-strip_whitespace-01/test.yaml
 create mode 100644 tests/detect-strip_whitespace-02/input.pcap
 create mode 100644 tests/detect-strip_whitespace-02/input.rules
 create mode 100644 tests/detect-strip_whitespace-02/test.yaml

diff --git a/tests/detect-strip_whitespace-01/input.rules b/tests/detect-strip_whitespace-01/input.rules
new file mode 100644
index 000000000..f10a3ecd5
--- /dev/null
+++ b/tests/detect-strip_whitespace-01/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP strip_whitespace 1"; flow:established; file_data; strip_whitespace; content:"embrace holistically"; sid:1;)
diff --git a/tests/detect-strip_whitespace-01/test.yaml b/tests/detect-strip_whitespace-01/test.yaml
new file mode 100644
index 000000000..086536f72
--- /dev/null
+++ b/tests/detect-strip_whitespace-01/test.yaml
@@ -0,0 +1,12 @@
+requires:
+    min-version: 6
+    pcap: false
+
+exit-code: 1
+args:
+ - --engine-analysis
+
+checks:
+  - shell:
+      args: grep "incompatible with strip_whitespace transform" stderr| wc -l | xargs
+      expect: 1
diff --git a/tests/detect-strip_whitespace-02/input.pcap b/tests/detect-strip_whitespace-02/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..cc069dc98261b91bcd2ec631df67f52a60e714da
GIT binary patch
literal 5318
zc-oCvTWlOx86GDEMTQj#DpjA*=}K*qc4u#n9cQbOScwy-vGF#$!6_9gXJ^jt4xTw@
zI_J!KH&EaSQ3(kU2vzM9AR(keK|J*ViAxbGq9T#F2wo8F1L7hiP+ve5D&K!*cfGrI
zms%d%doJJkFW>+DXZ)L&fAIAq&Rx#v>#esOX92%&Hs08HrRq2<PWCt_@=KR)I5#dW
z<xd=Q)*a{6-5+$E3-9iH@yFkG7QTD`mz!1JsXNa5K1GY`NA9_^^P>#qOJV}W?$59?
zl*OMBO8i$sAS9;_9OuY$Kzh3V{(J7+xI06+`RqJfUi~$py!eM1Tb>5e^Y!CE`9Oxk
ze(5;>UdWzVl!d?Te1lN(R}V$G_ntc+K|HRkH(9A2grXXIJTA4AKQN+ijL_!(sxW=S
zHk!?PsZy-u7B`eOHMW<8xy2h=B<@;ANDOSLTR|A|(sHrPPVEHJS9_X$xXCKzV)<dV
zv%Rx&<}_Q2<528~*0sQtmY2>JmsZ%RYa7k2%>oO9UBRvhZ&#gW7rTjyL}{g3EEkum
z<!bR9Yw$Ktg3+e>TC={rU4J~cxaN5x#_?ossUL*}jw1q(n?T8fpSvasAEHsaoIXAL
z)Fb8Mx$JWs@<7^w)j|;Qjwr>lQ+TlSpdDKt9p-Lw*-0^7V?w&AE(kfZU|o934`ipt
zI=6zj;EQ(1jTlc~?D9kl7=5*|?XIpapK~jP)U@4I3v;%Rop(03cuk1dT?>OAj#?_0
zbBh<1l)@ulYHXJ#IZfskbBn}-zx;O|C;#*l;=yx&pW)>5pv-w<Q=^fw>HFmc=WAdR
zJ+mkapa0#b3FVu=Iur$Ldgh~!GvW%Xmdk8=H@A2R-q+aWBq*?Ig*8NsnaV1wEY+5l
zYt<EYWviK6Y>1>Mk{UR|y{;%#i`C*1J9SC40xnOp`bHhp0wLVhhlKIEl`@Nz|D@L8
zaOHL^WTUZJLN<%5UT$%dYvXPq4edbqHSova@G^Up%i-bGTDek#Iri}NCP%jNe6?Kh
z+)AtE<5#tMrn0hfrko!q?m7}Lbd9x89olBYfcx&IkR8)Sik8aN>7<z;5-K&1RF(@Y
z;{8X?otw_#{@Q)C<{-w-N!lvU2;*v#2p)}c-S-yeD987{Kv{Z~P1pR1^Nw@$P0ICS
zZ)CZ?fF%DJGD**DuJ8K&KU_k2=Js^1kG?s|_3ft|XU(uWH?dOjpuqM7>++sp9;%la
z#df9IV_iJ>yBFvbY`rBI904CX@GcAoMYc2C6ep@DBw^TXrppZr+H9aw7DSMZ2*F{U
zP_<|qrm>dhB0gX|)QV|A;9V64+Du@_N#F~nQdC^n6Pih7n36zHl15oOl{Oi$&A^3L
zYV5F7(uEs1x6imA1v0Q^V<F?xpPE*&$YzSH*$w0_O!5*1VSqTI^aCmUB3q-N#9R(C
z$2`z5GniIzX<*PE^pl;!q^9u2Dv;(hYYE0%p^aw5O%n83n+K-bPOX2<u3(YCu%}sD
zCG7eGml#hlrto7=grS>CUnJTn<x?;bwSiqgQP83fh^xkiPzw>kL<uMTz%wct#v(8$
zH3RXosNTo65gQ}Cu2iAwz!|=am;x4tYQwmWL2b=cn_UjM?%G&AT3uhasUS|<%w@Sw
zS}eaws^8`qOR^52mCWzw2wqb%wjNj;Cx*8I$`noMffPvxLEI<N6!S6);akHxG_xd&
zVn2uu(2&+jnil;yRM;ch?Z68JB?jmO<g1aV>8)FPD)Cvqg~0D>7f!lfNPp&Sr~nrU
zF3&HHDg*v<Z%9fONYLB}-(tb2h~;(AcXiN-IQIDgM-bA)L;uKI$BZSFbtXdZ9a9_$
zZn-V40X3l(nt^x-DLD&oQ?JV|HX4N?YvGtwX{XC>QrETcmUbGp32PBLcZ$#q*e7_>
z0o(H{<x=%b>1=6fWf}HdQnu=BusK7=l$304ONipv5;g_GZKWE_*ZTahDB>{f*hpay
zLi$*Wc-0WpNjNGIkQSb2$VBNxbW(Ir8cQXOqMTfsKzWD`rO+?1UHE|X3aZISB%V0W
z9w)N2QokdN#lbCw%9K>^*e~X3XL_4d?_Ga9sGY}NAnn|`m}%#oH|J?*?_ol5embq4
z$6gp|=as(WkWad+($KeMZdfSLw2*~F2-`X|1!u|&gQN%w1_~E96ht@+TPu*6I3XD~
zw>CG7iLZ;NQd^Tq{92=q4agHxtw;t?5|k&ZRE&Z%vL(Vm^hR2Pa|@PoC#iNkPMorp
zbRXM+{Gg{%{iL2r6BtvlNwh=?xwng)xpA7rN?SuoGTMS;DT+?ma@1f6%)&tsQn9bP
zxP=L+12TelI!OJ#;%eIjNTS+7Cml*LpxO!fX$2H>8e*SNK~QBS==~nJ*@a`aeH8aA
zGSJg(N9eJWf@5{t!)g?F0haP81dW+$wNvd4b$(tb(G93AP;&oIAcwVw+XM1Q>NF)T
zp2BsyrO4ABLX?P}3RByul0n{@KtUH#3)(W>_X^|2XzL1AjB914KhE<b3N!`f9r<A!
z#4R!1w53!%Ix;{iV8@|NTS(}xXBz@(2(8)|C60^-?SW-RtoAbfP9;@I7b`Lv`oc?W
za>-Cyi5D2|4LgLFh5&^TS*sMT;dseOz#2|H&QfvI28v^5Pttdm+UT%{iZThPEuL5<
z2Cf}c;p;eBAJAc2nPVmln-39z$0jf-U0vD}cH3NLaUI<@V6m&(F7~)B)qh76_fkXQ
zas_k+d8XUSxT&Cs(3+u^-Y{t6$O}@vXNyPXXs7czQoT=}JgA+yCrCRtzLII@$N3TG
zhesXz%xdS+7tg*zC>Nfb*3R4$BklZG({ZE?woXxPE;1-}jBAZm0dms@YATBOoQN!|
z6O5ekFoGBv;&CrXY_Fcenk3fv7J-!}<-^Mur6V&bYe=&<hpgLI%H?ut#eR<)>(sqr
zrYooM0bb(;l6vd72q1Z>cUS>fLG>-eGJzK}7wnna(Wn}zmZzdRx*v^B_6L$j6W8q7
zdYF<cx~V|G@zQj#EbwA?peU|hZHz-l_6}?QJX@0kI;dkez?mfbNb1<(iJu8I)C*l@
z5FrFsoQ79m+A^t6zCf`d;=Dsi_ul5MLPQxmW?oumZx=&8yiG?3t=ujT+hp5pM-L?R
znxJPl?@Ph{>yjBW6uU?2GO6hkx441CYCYOTmm#`FyWGCMqAiX`Qo1$Tm>_KX5^-?k
zz;)15E;<fE>gS90P4v`P=P82s8LH)biw70q_-mvH>$yx3{`vDGbN+Yntu~?j_VTnM
z9DmI!!U>?fH$!>pKl5zaQiM|c&>^<GZfzN&e710O4$5thP`-2ZP!zJ|JsHZzlSk)x
V^zt^Ly!5ddk6s7T1#1gX{s)OMuEPKT

literal 0
Hc-jL100001

diff --git a/tests/detect-strip_whitespace-02/input.rules b/tests/detect-strip_whitespace-02/input.rules
new file mode 100644
index 000000000..63c453ca0
--- /dev/null
+++ b/tests/detect-strip_whitespace-02/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP strip_whitespace 1"; flow:established; file_data; strip_whitespace; content:"embraceholistically"; sid:1;)
diff --git a/tests/detect-strip_whitespace-02/test.yaml b/tests/detect-strip_whitespace-02/test.yaml
new file mode 100644
index 000000000..808abea47
--- /dev/null
+++ b/tests/detect-strip_whitespace-02/test.yaml
@@ -0,0 +1,12 @@
+requires:
+    min-version: 6
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
-- 
2.47.2