From 5e6e6d3ef38ce8425c8314dc2a00aaad446aba24 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 6 Nov 2023 16:35:03 +0100 Subject: [PATCH] tests: Add a test for http2 authority mismatch event Ticket: #6425 --- tests/http2-authority-mismatch/README.md | 7 +++++++ .../authority_and_host_2.pcap | Bin 0 -> 1147 bytes tests/http2-authority-mismatch/test.rules | 2 ++ tests/http2-authority-mismatch/test.yaml | 14 ++++++++++++++ 4 files changed, 23 insertions(+) create mode 100644 tests/http2-authority-mismatch/README.md create mode 100644 tests/http2-authority-mismatch/authority_and_host_2.pcap create mode 100644 tests/http2-authority-mismatch/test.rules create mode 100644 tests/http2-authority-mismatch/test.yaml diff --git a/tests/http2-authority-mismatch/README.md b/tests/http2-authority-mismatch/README.md new file mode 100644 index 000000000..2e8b70f25 --- /dev/null +++ b/tests/http2-authority-mismatch/README.md @@ -0,0 +1,7 @@ +# Description + +Test http2 event for mismatch between authority and host + +# PCAP + +The pcap comes from https://redmine.openinfosecfoundation.org/issues/6425 diff --git a/tests/http2-authority-mismatch/authority_and_host_2.pcap b/tests/http2-authority-mismatch/authority_and_host_2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..43bbf55647186f0282b71b9ada5e693ee2bbc02d GIT binary patch literal 1147 zc-p&ic+)~A1{MYw`2U}Qfe}axe6db_QO3Yv#sI;{fP=x6fkC63hk?O??Vdl^3AyYw z4grkklo$eFDgv1PGwk^VF@>WXuPMA>Q~W?CfJ|Zt0Ga~En+TOg)L{Abv-5u{cK8d%IgoB|9vkTfeW z+<*bc!U2}4{|~WEyq$%?56Jh!W}8E~0N6HTEN<2W*;YOo=%gS|1uX@SkdOdM16OXg$a~jNsG& z_8Q1OwMaGwd!VE}Hv0_Ag~0YXpoN_#5IckH+ntSMAILbT1~!HgAiD&cacSkkVB@&Z zobL?8Mj+#M@PgEuGO~g~tf|GZLx1AsSk{>K zU;0#kf1Ti!VKePQd|K<2=Rk!ZH%MP(XXpW%(1Xnlb>$);H{AV*<|QK_ZUnhOJP)MS zmk|_njP?)Z{g_P*jLX_p*|&LS$hIajvX(TO-5>Bik(eKW=T$}9nh@`Zuvz?nJFo$c{chGK^uLr5}?wg z{FF)%ot&Cil3HYElVOOi11Msn50wU)4O9f>CFkUqrljR07NsI9(1#hR4|NUzS)KpE literal 0 Hc-jL100001 
diff --git a/tests/http2-authority-mismatch/test.rules b/tests/http2-authority-mismatch/test.rules
new file mode 100644
index 000000000..ab51e8772
--- /dev/null
+++ b/tests/http2-authority-mismatch/test.rules
@@ -0,0 +1,2 @@
+alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
+
diff --git a/tests/http2-authority-mismatch/test.yaml b/tests/http2-authority-mismatch/test.yaml
new file mode 100644
index 000000000..491818ee7
--- /dev/null
+++ b/tests/http2-authority-mismatch/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 6.0.0
+
+# disables checksum verification
+args:
+ - -k none --set app-layer.protocols.http2.enabled=true
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2290013
-- 2.47.2
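Review bot: The single rule in test.rules has no comment saying what condition it exercises or where sid 2290013 comes from, so a later reader cannot tell whether it is meant to mirror a rule shipped with the engine. If it is a copy, its msg, sid and rev have to stay in step with that rule; a header line such as `# Authority/Host mismatch event rule for ticket 6425; keep sid and rev in sync with the shipped http2 event rules` would record that. It would also help to state why the event matters for detection: presumably logging or rules keyed on one of the two values can disagree with the value the server acts on.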
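Review bot: `min-version: 6.0.0` in test.yaml looks too low for a rule that depends on `app-layer-event:http2.authority_host_mismatch`. If that event only exists from the release carrying the ticket 6425 change, older builds would presumably reject the rule at load time and the test would fail instead of being skipped; min-version should name the first release that has the event. The comment `# disables checksum verification` describes only `-k none`, while the same argument line also forces the HTTP/2 parser on, so something like `# -k none disables checksum verification; --set enables the http2 parser` is more accurate. The check covers only the positive case; a second pcap with matching authority and host and `count: 0` would guard against the event firing on ordinary traffic.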