From c693b1a00597f971443f0d81ddd936bb8df87aaf Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 20 Jun 2023 12:02:57 +0200 Subject: [PATCH] Adds test about http event on chunk extension --- tests/http-event-chunk/README.md | 8 ++++++++ tests/http-event-chunk/input.pcap | Bin 0 -> 1129 bytes tests/http-event-chunk/test.rules | 1 + tests/http-event-chunk/test.yaml | 12 ++++++++++++ 4 files changed, 21 insertions(+) create mode 100644 tests/http-event-chunk/README.md create mode 100644 tests/http-event-chunk/input.pcap create mode 100644 tests/http-event-chunk/test.rules create mode 100644 tests/http-event-chunk/test.yaml diff --git a/tests/http-event-chunk/README.md b/tests/http-event-chunk/README.md new file mode 100644 index 000000000..78d4e2dc2 --- /dev/null +++ b/tests/http-event-chunk/README.md @@ -0,0 +1,8 @@ +# Description + +Test http event on chunk extension +https://redmine.openinfosecfoundation.org/issues/6159 + +# PCAP + +The pcap comes from running htptopcap on data from https://github.com/OISF/libhtp/issues/83 diff --git a/tests/http-event-chunk/input.pcap b/tests/http-event-chunk/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0b9c0564b874291e0f22c5f84e176ee9a6cf65f1 GIT binary patch literal 1129 zc-ocHJxjwt7zglcE7IN|)v23D2XX03nt(Mbwy3q#p@R7Wv59(ElA4}qT@;)Z+?)h= z3*zSNB0}xbf}5+L;OYxlpR<-&Z6(d+;7IcP?$48}U0s~IQ6I9e=K65^NISmqp;=h- z>4rInP=eoyeuQ=ra`9Q898TZW&Jw)l+}&t=Nbqgn^qtG&>36xj`0Xj=`BL3Y^V)$q zoUTva`wvBMljlQ!&1Ci9g}W`Y3T7OvxNS;Zawfr*_WXgzk5PE|osWCmsX1`Ivq{|g z>9jI&XQ1Lk4XAI}&ilW40^mHi=UL1yDI~J7rH9p`M$(G17!kq(PMbw06CpMhj=~VI zVyQ-PMYlq8M$Xizu_}|?+NQCtYk0;qm~OC;QYz>&Nfruuno}7yjmR=JRI7w>oM2|c zP??G)SW`xEluQuVRh)ut#R;;rofD^m77LcdAZC_I^ZJ@*2{M6op6ZqcwSxU3*7hQX zF>l9srI)srz0lT&PHm;&WS~A{JE?!20622H(`qD%MWZCUfSU>TohM9v$%CB}o>ZJ3 l#Il!L-45bqZ_a!-XXLg=XRx!Ay>;B5d9ZxH{@^ROJ^?(~Ey4f* literal 0 Hc-jL100001 
diff --git a/tests/http-event-chunk/test.rules b/tests/http-event-chunk/test.rules
new file mode 100644
index 000000000..8f19e50a6
--- /dev/null
+++ b/tests/http-event-chunk/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"SURICATA HTTP request chunk extension"; flow:established,to_server; app-layer-event:http.request_chunk_extension; classtype:protocol-command-decode; sid:2221054; rev:1;)
diff --git a/tests/http-event-chunk/test.yaml b/tests/http-event-chunk/test.yaml
new file mode 100644
index 000000000..d74346ce6
--- /dev/null
+++ b/tests/http-event-chunk/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 7
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2221054
-- 
2.47.2
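Review bot: The single filter in the test.yaml hunk only counts alert events by signature id, so the test would still pass if the event fired on the wrong transaction or on a flow that was not classified as HTTP; a regression test for a parser event should pin where the event is raised. If the pcap holds a single request, the match block can add `app_proto: http` and `tx_id: 0` next to `alert.signature_id: 2221054`, which ties the alert to the request transaction at no extra cost. App-layer events are also emitted as `anomaly` records when that logger is enabled, so a second filter on `event_type: anomaly` matching the chunk-extension event name with `count: 1` would additionally catch a rename of the event itself, though whether the default suricata-verify configuration logs anomalies is not visible from this patch.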