From ef6b13ace933e17b53441ca0422a85619f76c08a Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 18 Jan 2021 10:46:37 +0100
Subject: [PATCH] tests: add issue 3341 test

---
 tests/issue-3341-tcphdr-01/test.rules | 1 +
 tests/issue-3341-tcphdr-01/test.yaml | 12 ++++++++++++
 .../urgent11_cve_2019_12260.pcap | Bin 0 -> 1778 bytes
 3 files changed, 13 insertions(+)
 create mode 100644 tests/issue-3341-tcphdr-01/test.rules
 create mode 100644 tests/issue-3341-tcphdr-01/test.yaml
 create mode 100644 tests/issue-3341-tcphdr-01/urgent11_cve_2019_12260.pcap

diff --git a/tests/issue-3341-tcphdr-01/test.rules b/tests/issue-3341-tcphdr-01/test.rules
new file mode 100644
index 000000000..746d1be35
--- /dev/null
+++ b/tests/issue-3341-tcphdr-01/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"EXPLOIT - Suricata 5.0 tcp.hdr test for CVE-2019-12260"; flow:to_server; tcp.hdr; content:"|1d 03 61 00|"; offset:20; depth:4; sid:1; rev:1;)
diff --git a/tests/issue-3341-tcphdr-01/test.yaml b/tests/issue-3341-tcphdr-01/test.yaml
new file mode 100644
index 000000000..2d936f5db
--- /dev/null
+++ b/tests/issue-3341-tcphdr-01/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 5.0.0
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+
+args:
+- -k none
diff --git a/tests/issue-3341-tcphdr-01/urgent11_cve_2019_12260.pcap b/tests/issue-3341-tcphdr-01/urgent11_cve_2019_12260.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5e3d301885f170b2fa5cdd80c04304c83f7900aa
GIT binary patch
literal 1778
zc-p&ic+)~A1{MYcU|}c(lCFOb#)@BKV$cDybs)lw3~UTMniuMRFfeeiF)(s4uz|$D
zA_rD5N7lfN>kQB=M^GpoJ`4#Z@g|UIbzLl^hZ4{vSSY>w1aZ~Vr$BRnd=SPohXv}p
a5=`F#%?c1uVCb06!0>+*jDk@xVgUd$CZDeW

literal 0
Hc-jL100001

-- 
2.47.2
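Review bot: The content match in the new rule is anchored at `offset:20; depth:4` inside `tcp.hdr`, which is the first four bytes of the TCP options area, so the rule fires only when the `|1d 03 61 00|` option (kind 0x1d, i.e. TCP-AO, with the undersized length 3 that characterises CVE-2019-12260) is the very first option; the same malformed option placed after an MSS or NOP option would not alert. That is acceptable for a regression test of the keyword, but nothing in the rule file says so, and a comment above the rule would make the intent explicit, e.g. `# Matches the malformed TCP-AO option (kind 0x1d, length 3) only at the start of the TCP options; see CVE-2019-12260.` A short README.md in the test directory describing where the pcap comes from and what the single expected alert proves would make the test self-explanatory.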
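Review bot: `-k none` in the `args` list turns off checksum verification for the whole run, and the file does not say why it is needed; presumably the pcap carries invalid checksums, but that should be recorded rather than inferred. A comment on that line, `# pcap checksums are not valid; disable verification so the packet is inspected`, would do. The filter only asserts one `alert` event with `alert.signature_id: 1`; if the pcap holds more than one packet, adding `src_ip` and `dest_ip` to the `match` would pin the alert to the intended packet.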