From a57fb5f46db4940c683bed3aad58f1c473279d5d Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Fri, 8 Sep 2023 10:25:15 -0400 Subject: [PATCH] detect/bytejump: Handle post_offset changes Issue: 4624 Update test case and add one to reflect post_offset handling differences. post_offset values that move before the buffer are treated as though they move to the buffer start. --- tests/detect-bytejump-05/README.md | 1 + tests/detect-bytejump-05/input.pcap | Bin 0 -> 243 bytes tests/detect-bytejump-05/test.rules | 3 +++ tests/detect-bytejump-05/test.yaml | 23 +++++++++++++++++++++++ 4 files changed, 27 insertions(+) create mode 100644 tests/detect-bytejump-05/README.md create mode 100644 tests/detect-bytejump-05/input.pcap create mode 100644 tests/detect-bytejump-05/test.rules create mode 100644 tests/detect-bytejump-05/test.yaml diff --git a/tests/detect-bytejump-05/README.md b/tests/detect-bytejump-05/README.md new file mode 100644 index 000000000..76f3c8044 --- /dev/null +++ b/tests/detect-bytejump-05/README.md @@ -0,0 +1 @@ +Tests using rules and pcap file from https://redmine.openinfosecfoundation.org/issues/4624 diff --git a/tests/detect-bytejump-05/input.pcap b/tests/detect-bytejump-05/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c4b2577283ec01bed9a720172cf745bd5205aa5d GIT binary patch literal 243 zc-p&ic+)~A1{MYcU}0bclId!yi52^p7)}G(Abh24fnMUmo;Th}$B%O`xH2&8O~`j( zXkarJI$DeB|gTe-&36 any any ( msg:"neg post_offset: buffer start"; rev:1; content:"|0A 95 00 20|"; byte_jump:0,0,relative,post_offset -8; pcre:"/\x4e\x53\x4c\x4f/R"; sid:1; ) +drop tcp any any -> any any ( msg:"neg post_offset: before buffer start #1"; rev:1; content:"|0A 95 00 20|"; byte_jump:0,0,relative,post_offset -10; pcre:"/\x4e\x53\x4c\x4f/R"; sid:2; ) +drop tcp any any -> any any ( msg:"neg post_offset: before buffer start #2"; rev:1; content:"|0A 95 00 20|"; byte_jump:0,0,relative,post_offset -10; sid:3; ) 
diff --git a/tests/detect-bytejump-05/test.yaml b/tests/detect-bytejump-05/test.yaml
new file mode 100644
index 000000000..4678506c3
--- /dev/null
+++ b/tests/detect-bytejump-05/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  gt-version: 7.0.0
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
-- 
2.47.2
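Review bot: The checks in test.yaml pin only that each of sids 1–3 fires exactly once and record nothing about what each sid exercises, so the file reads as three identical blocks and the link to the post_offset clamping described in the commit message is only recoverable by reading test.rules alongside it. A short comment above `checks:` would keep that intent with the test, e.g. `# sid 1: post_offset -8 lands on the buffer start; sids 2 and 3: post_offset -10 moves before the start and is treated as the start`. As a point of style, the first two `- filter:` entries are separated by a blank line but the second and third are not; either drop the blank line or add one before the third entry so the three checks are laid out alike. Whether `gt-version: 7.0.0` admits 7.0.0 itself or only later releases cannot be told from this hunk; if the fix is expected on a 7.0.x release, the version guard is worth confirming against how suricata-verify interprets it.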