From 69e147b381c03b6d77efa993e57964ab974a3103 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 29 Mar 2023 19:06:12 +0200
Subject: [PATCH] Adds test about http.connection with to client

Ticket: #5746
---
tests/http-connection-toclient/README.md | 9 +++++++++
tests/http-connection-toclient/input.pcap | Bin 0 -> 1215 bytes
tests/http-connection-toclient/test.rules | 1 +
tests/http-connection-toclient/test.yaml | 11 +++++++++++
4 files changed, 21 insertions(+)
create mode 100644 tests/http-connection-toclient/README.md
create mode 100644 tests/http-connection-toclient/input.pcap
create mode 100644 tests/http-connection-toclient/test.rules
create mode 100644 tests/http-connection-toclient/test.yaml
diff --git a/tests/http-connection-toclient/README.md b/tests/http-connection-toclient/README.md
new file mode 100644
index 000000000..aebb0f5ff
--- /dev/null
+++ b/tests/http-connection-toclient/README.md
@@ -0,0 +1,9 @@
+PCAP
+----
+
+Coming from https://redmine.openinfosecfoundation.org/issues/5746
+
+Test
+----
+
+Test that keyword `http.connection` works in the to client direction
diff --git a/tests/http-connection-toclient/input.pcap b/tests/http-connection-toclient/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..6ee4ea7ef0b38bdeabe7dff864cf597047e88937
GIT binary patch literal 1215 zc-noFPfXKL9LL|rM5va4?!ZCxaUnwNx(yW4G?Ot9lo+R(dU1r=J-3FgZMFy7E@lz% zpa$Hx~VD-BwexpOF{dl*k2Ufe&PiWQ2NAd#!SX Q5hWtH%6CQu4RC}ID2SkCw-r*k5Qer2J27xV66p~TEg=% zs=www7YFMRYd<4C`G@%5Z`Boe&B8o(w>-@7ycK2>n#@m?hslVW5BKzV+w%CkipPAe l2|Ru%dVIX=(J39=%j2r$@lJ)uJW%^{jo`7Z=+V!pe*rtdZFv9y literal 0 Hc-jL100001
diff --git a/tests/http-connection-toclient/test.rules b/tests/http-connection-toclient/test.rules
new file mode 100644
index 000000000..8232a2893
--- /dev/null
+++ b/tests/http-connection-toclient/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"tfo test15"; flow: to_client; http.connection; content:"close"; sid:15;)
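Review bot: The rule added in test.rules carries `msg:"tfo test15"`, which does not describe what the rule checks and reads as if it was carried over from another test (inferred from the text alone). A message such as `msg:"http.connection close to_client";` would make the alert record in the test output self-explanatory. The rule is also declared as `alert tcp` while relying on the `http.connection` sticky buffer; if the ticket does not depend on the `tcp` form, `alert http any any -> any any` states the app-layer intent explicitly.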
diff --git a/tests/http-connection-toclient/test.yaml b/tests/http-connection-toclient/test.yaml
new file mode 100644
index 000000000..5743ee65f
--- /dev/null
+++ b/tests/http-connection-toclient/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 7
+
+args:
+- -k none --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
-- 2.47.2
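Review bot: The single filter under `checks:` counts every record with `event_type: alert`, so the expected count is not tied to the rule under test. Adding `alert.signature_id: 15` to the `match:` block pins the check to sid 15 from test.rules and keeps the test meaningful if more rules are added to the file later. The README could also state why `stream.midstream=true` is needed for this capture, since that cannot be seen from the patch.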