From e13b11a9062b8e4222be5b19088c2edc4052c35e Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Sat, 22 Jun 2019 14:38:43 +0530
Subject: [PATCH] Add test for uricontent matching regression

Closes redmine ticket #3055.
---
 tests/bug-78-uricontent/README | 4 ++
 tests/bug-78-uricontent/input.pcap | Bin 0 -> 6292 bytes
 tests/bug-78-uricontent/test.rules | 1 +
 tests/bug-78-uricontent/test.yaml | 68 +++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 tests/bug-78-uricontent/README
 create mode 100644 tests/bug-78-uricontent/input.pcap
 create mode 100644 tests/bug-78-uricontent/test.rules
 create mode 100644 tests/bug-78-uricontent/test.yaml

diff --git a/tests/bug-78-uricontent/README b/tests/bug-78-uricontent/README
new file mode 100644
index 000000000..11f678866
--- /dev/null
+++ b/tests/bug-78-uricontent/README
@@ -0,0 +1,4 @@
+This test is for regression matching with uricontent. In order to make suricata-verify more robust,
+it is good to add tests for issues that existed before suricata-verify did.
+There was a bug introduced in the early stages https://redmine.openinfosecfoundation.org/issues/78,
+the pcap and signature mentioned in the bug report has been used to create this test.
diff --git a/tests/bug-78-uricontent/input.pcap b/tests/bug-78-uricontent/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6af7504c7019a865318e30824d891cbdf569459e GIT binary patch literal 6292 zc-pO4UuYx88Q1yl(xBE5N-23NQ#p6sCDN`|mSuURRnBpIJ}0@0gPr8^5X|iENSgER z&fe}wvLi%88$ux^git7b>ZMR<0_j5=Xz5GR2Kv@C&?bbYh5UJFxzdOBsT7*)H#58P zO1AG35`)&ev)}yYo8R|$_D^sA{H2-PiCp@3<3=ub4E}%ce*Wb_n_u<=ftGQhB+Uw_X=WhGxt~Y)HmH&gs;tf{q55G zx!lZ&ldqkaxjldEUr$D2{Mhm1UlPdS%Nb;esqhu@%M0gn_1ixDnLrijxs4ZIT%q6n z2+-fU_SG9VzK0YtpdAAT4Y7hi{sAE02cY*IrgQb$8&cs9|W;+5EEOkPrs%*6*IpUtlrZ4h93Q!&t{7n#26r{0a*K z;&93W6Fo>sSX%aIpUmcG^FsMMw`X$KPv+!rn&^{%dHK2^`u!)Si2nFV`pMGMcc5oa z{y`}ZivLq=Ak`RE%T;uVade*b0vB|^PM4HG6CN?oL}5hxn3E#%@ooushy`1`9|lZx zKB7fr)X>8YN0oAU3GU5m)r66?i(9k#)!mRrBsNjWkQ?K`NNH;?gqfV|a=puauYsH{ zj$*>C_05M%_4>k+5Z)wFpF}3=4C2}R<qxnw)Zvv;>3|EHdZHbfKtY3)?)TCE08 zo>RndO$Qejoe}JEP}Hub+Z4AL?9nH1SJZ65f_)eZFmrlvVZp$48^#qtG8_>X_Bph% zv(t$L;pUvX;JWSk#y+Esl*WZ{7r~}Rnms1cW}Gu$Y!v|w)J1diH3tNEDj*1$etTu8 zxSFpLAIMBKl<#QzgqO;=TpwvT8R$eraQ4*LBmn~(fkSA)(8p1S26C-RStywJ2cWgV z2TL)1ikL<@g`6p(0`ft!Xe88wSwQ?S(X~<$ChXYVB3#@f9LZU77u!a5x5=aw z1>9C-{w8Gpn-s#|%0hT{vTS{_v_hYM4hrGwYmbb})-xje3&fXhj`*fTJaZ`G*8uV2 zLBwC$H?2NJhb-ba z;76FLc)-L4xJM)F2*w1?=$ubniV^m_Ay~)|W}VL(yOG4NT*TCbqfWUdfF?cy2^4eF zBW*q!VTpz%+tAO9FO1#Ch+daX6~M-XQHfWVG-XnvSBl+5{6V^E_SEl z>|jd6VKz-wPmP+os-*d5>_jx=tpN>OmiAKCaA$ShEL0zS=!wn##+8+ewNlU_+r9q% z53DQ~iaV>9H{i9gSXo#qR?5{SqgXNKD{yZt)@sE{#V9X|YaK@5-y+Od*<4@!%rnd( z`Al;NJyPdUap%HAW`P8SQ6rx})9wYbpE+}OI68agYy;>}G&FV9&(QP<32J^kJcl%ItXng4f?`D>8$Ylqd6Gr63oCExzf zbS)9W8*obCQVD! 
zE0Bd*ZAhvpz&^1$F@lpvm${ZWNMae%mag0zWZe|hL48?3EQsLNEw(ctb~jYkDj<34 zunKDoVjrzZA#{QH1P&|I@1QtxtU?m8y2m1y@OQUMQm^MJy~p;p0|O92~17#N~K z*yBhX-Yj)UQFM1bv0M)n18$C#632~HP9E)#7NujsiF05^S`=+1dliY|WmOGvj`m2< zfxSXisHX^HV{JgZ$*!z+~gi3VYO+uCO;)4!%&O`7XcrW^I27!3ZE;|ln2wo z9?W5b?E#Jgn5MFW;$zHDHQi;kg|@l`g+k#H0@bH-lME->N0gAuNDLe2BJ+Rp&KFTX zPQE*nTRonWzv=pMeDM`m)Q`VDGg&`=_`a+kccN#%m7lC1i0smsYY0hN?C1-jc(d05 zPGy}jn?0}9^k{3POPn3Vfwwq>$uJSIwtNQAh{Q44V?CJ#Tp_;Rmd`i>c}_hKb#Y(J zfi?it^5Y^3q4dP$R%I{lh2mI{7Iy51jman#BjavDJP>Lf-kr*~&~IE;DAWS8ZnuTA zZpY&d%Xbc!pVpw#m3pxnaiM7uH+|w-<(1|2N5al3TV5`-qOX(56pv8P@h7^gGu-GKwemQQyg)HR~)&D{0i&rY2x!^ x0TQQtI$9?iY?;U|i~FSbEBcbOA)6QJ*eQp)I5vngg!nY7J~@Bo-On4E{|9&|Q;Glp literal 0 Hc-jL100001 diff --git a/tests/bug-78-uricontent/test.rules b/tests/bug-78-uricontent/test.rules new file mode 100644 index 000000000..3e3897184 --- /dev/null +++ b/tests/bug-78-uricontent/test.rules @@ -0,0 +1 @@ +alert tcp any any -> any any (msg:"msg escape tests"; uricontent:"blah"; sid: 100;) diff --git a/tests/bug-78-uricontent/test.yaml b/tests/bug-78-uricontent/test.yaml new file mode 100644 index 000000000..765abc885 --- /dev/null +++ b/tests/bug-78-uricontent/test.yaml 
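Review bot: The signature on the `+alert tcp any any -> any any (...)` line of test.rules has no `rev` keyword, so any later edit to the rule cannot be versioned the way Suricata rule maintenance expects; I'd close the options with `sid:100; rev:1;`. The space in `sid: 100` is evidently accepted by the parser, since test.yaml expects `alert.signature_id: 100` to fire, but the conventional form is `sid:100;` without the space. `uricontent` is a legacy keyword, but it is the subject of the regression this test pins, so it should stay; the README already explains that the rule is taken verbatim from the bug report, which also accounts for the unrelated `msg:"msg escape tests"` text.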
@@ -0,0 +1,68 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature: msg escape tests
+ alert.signature_id: 100
+ app_proto: http
+ dest_ip: 208.69.36.231
+ dest_port: 80
+ event_type: alert
+ flow:
+ bytes_toclient: 1588
+ bytes_toserver: 379
+ pkts_toclient: 2
+ pkts_toserver: 4
+ start: 2009-10-16T16:44:16.083524+0000
+ http:
+ hostname: www.google.com
+ http_content_type: text/html
+ http_method: GET
+ http_user_agent: Wget/1.11.4
+ length: 1194
+ protocol: HTTP/1.0
+ status: 404
+ url: /blah/
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 37010
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: 208.69.36.231
+ dest_port: 80
+ event_type: flow
+ flow:
+ age: 0
+ alerted: true
+ bytes_toclient: 5453
+ bytes_toserver: 607
+ end: 2009-10-16T16:44:16.185868+0000
+ pkts_toclient: 5
+ pkts_toserver: 8
+ reason: shutdown
+ start: 2009-10-16T16:44:16.083524+0000
+ state: closed
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 37010
+ tcp:
+ ack: true
+ psh: true
+ rst: true
+ state: closed
+ syn: true
+ tcp_flags: 1e
+ tcp_flags_tc: 1a
+ tcp_flags_ts: 1e
-- 
2.47.2
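Review bot: Neither filter in test.yaml bounds the total number of alerts, so a regression in which the uricontent rule fires more than once for this transaction (for instance once per packet instead of once per request) would still pass: the first filter pins `pcap_cnt: 6` and `tx_id: 0`, so an extra alert on a different packet simply does not match it and the exact-match count stays at 1. I'd add a third, unconditional filter, `- filter: {count: 1, match: {event_type: alert}}`, so the test also fails on duplicate alerts. If `-k none` under `args` is there because the capture from the bug report carries bad checksums, a one-line comment saying so would save the next reader from wondering whether the flag is part of the regression. Note that the line breaks shown above were restored from a collapsed page, so the original indentation of the nested keys is not recoverable here and is presumably deeper than shown.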