From eccbc7800b075602e303c93fa6c694c4067074b1 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 22 Sep 2022 12:07:34 -0600
Subject: [PATCH] incomplete hex: test with strict content keyword

With strict content parsing, -T should fail out for version 6 and 7.
---
 tests/content-incomplete-hex-t-version-6-strict/README.md | 6 ++++++
 .../content-incomplete-hex-t-version-6-strict/suricata.yaml | 2 ++
 tests/content-incomplete-hex-t-version-6-strict/test.rules | 1 +
 tests/content-incomplete-hex-t-version-6-strict/test.yaml | 6 ++++++
 4 files changed, 15 insertions(+)
 create mode 100644 tests/content-incomplete-hex-t-version-6-strict/README.md
 create mode 100644 tests/content-incomplete-hex-t-version-6-strict/suricata.yaml
 create mode 100644 tests/content-incomplete-hex-t-version-6-strict/test.rules
 create mode 100644 tests/content-incomplete-hex-t-version-6-strict/test.yaml

diff --git a/tests/content-incomplete-hex-t-version-6-strict/README.md b/tests/content-incomplete-hex-t-version-6-strict/README.md
new file mode 100644
index 000000000..ef2785201
--- /dev/null
+++ b/tests/content-incomplete-hex-t-version-6-strict/README.md
@@ -0,0 +1,6 @@
+Tests the behaviour of -T when a rule contains incomplete hex.
+
+For Suricata 6.0.x, -T should pass unless
+--strict-rule-keywords=content is provided.
+
+For Suricata 7.0+, -T should fail.
diff --git a/tests/content-incomplete-hex-t-version-6-strict/suricata.yaml b/tests/content-incomplete-hex-t-version-6-strict/suricata.yaml
new file mode 100644
index 000000000..6917d8538
--- /dev/null
+++ b/tests/content-incomplete-hex-t-version-6-strict/suricata.yaml
@@ -0,0 +1,2 @@
+%YAML 1.1
+---
diff --git a/tests/content-incomplete-hex-t-version-6-strict/test.rules b/tests/content-incomplete-hex-t-version-6-strict/test.rules
new file mode 100644
index 000000000..397a5f1ce
--- /dev/null
+++ b/tests/content-incomplete-hex-t-version-6-strict/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"incomplete hex test rule"; content:"|22 2 22|"; sid:12346; rev:1;)
diff --git a/tests/content-incomplete-hex-t-version-6-strict/test.yaml b/tests/content-incomplete-hex-t-version-6-strict/test.yaml
new file mode 100644
index 000000000..05de7930a
--- /dev/null
+++ b/tests/content-incomplete-hex-t-version-6-strict/test.yaml
@@ -0,0 +1,6 @@
+args:
+ - -T --strict-rule-keywords=content
+
+pcap: false
+
+exit-code: 1
-- 
2.47.2
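Review bot: `exit-code: 1` in test.yaml is the only assertion, so the test passes on any failed start-up, not specifically on the rejection of `content:"|22 2 22|"` in sid 12346. With the near-empty suricata.yaml added in the same commit, a -T failure for an unrelated reason would keep this test green even if strict content parsing regressed and the malformed rule were loaded again. Consider also asserting on the rule-parse error itself, for instance a check on the log output that names sid 12346, provided the harness evaluates checks after a non-zero exit (not visible here). The file also has no `requires:` block although the README describes version-dependent behaviour; something like `requires:` with `min-version: <FIRST_VERSION_WITH_STRICT_CONTENT>` (placeholder, the exact release is not on this page) would stop older builds from reporting a spurious failure.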