From f0c6d491e2517008b656d0140dad43b7a309ec97 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Fri, 27 Oct 2023 09:00:57 -0400
Subject: [PATCH] detect/bytejump: Test from issue 4623

Issue: 4623

This commit uses the pcap and rules from issue 4623 to validate the fixes.
---
 tests/bug-4623/input.pcap | Bin 0 -> 243 bytes
 tests/bug-4623/test.rules | 8 ++++++++
 tests/bug-4623/test.yaml | 21 +++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 tests/bug-4623/input.pcap
 create mode 100644 tests/bug-4623/test.rules
 create mode 100644 tests/bug-4623/test.yaml

diff --git a/tests/bug-4623/input.pcap b/tests/bug-4623/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c4b2577283ec01bed9a720172cf745bd5205aa5d
GIT binary patch
literal 243
zc-p&ic+)~A1{MYcU}0bclId!yi52^p7)}G(Abh24fnMUmo;Th}$B%O`xH2&8O~`j(
zXkarJI$DeB|gTe-&36 any any ( msg:"Test"; rev:1; content:"|3a 01 e8 ed 0f|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\x7c\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1; )
+
+#2. (success) we write a signature to match and move the pointer to the last byte, and we see that content does successfully match the last byte.
+drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; sid:2; )
+
+#3 (success) the following signature matches up to the last byte in the buffer as in 2. The same negative post_offset is used and we try to match values immediately after where the pointer should be. This signature does not match.
+drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:3; )
diff --git a/tests/bug-4623/test.yaml b/tests/bug-4623/test.yaml
new file mode 100644
index 000000000..070b6e857
--- /dev/null
+++ b/tests/bug-4623/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7.0.3
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+
+
--
2.47.2
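Review bot: The third check expects exactly one alert for `alert.signature_id: 3`, but the comment on that rule in test.rules earlier in this patch ends with "This signature does not match", so the two files state opposite expectations for sid 3. If, as the commit message suggests, the rule comments reproduce what the reporter observed before the fix, that should be said explicitly so a future reader does not treat a passing check as a regression; a one-line comment above `checks:` such as `# Rule comments in test.rules describe the behaviour reported in issue 4623; with the fix, all three signatures alert once.` would settle it. The per-sid filters also do not bound the total, so a stray extra alert from any of the three rules would go unnoticed; adding a filter with `count: 3` on `event_type: alert` alone would make the test reject it. Note that the rules hunk appears truncated in this view (its header and the start of the sid 1 rule are not visible), so the comment on sid 1 could not be checked.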