From 9fa1ab5a8dbd41333a9c6d7ad8e80d4cbc88b855 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 7 Nov 2023 17:22:14 +0100
Subject: [PATCH] tests: adds a test for http2 with userinfo in uri

Ticket: #6426
---
tests/http2-userinfo-authority/README.md | 7 +++++++
.../http2_userinfo_in_authority_1.pcap | Bin 0 -> 1077 bytes
tests/http2-userinfo-authority/test.rules | 2 ++
tests/http2-userinfo-authority/test.yaml | 18 ++++++++++++++++++
4 files changed, 27 insertions(+)
create mode 100644 tests/http2-userinfo-authority/README.md
create mode 100644 tests/http2-userinfo-authority/http2_userinfo_in_authority_1.pcap
create mode 100644 tests/http2-userinfo-authority/test.rules
create mode 100644 tests/http2-userinfo-authority/test.yaml
diff --git a/tests/http2-userinfo-authority/README.md b/tests/http2-userinfo-authority/README.md
new file mode 100644
index 000000000..2e8b70f25
--- /dev/null
+++ b/tests/http2-userinfo-authority/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test http2 event for mismatch between authority and host
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/6425
diff --git a/tests/http2-userinfo-authority/http2_userinfo_in_authority_1.pcap b/tests/http2-userinfo-authority/http2_userinfo_in_authority_1.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..60800f837360fb9a843bc27fbfdaf8cf3efd4347
GIT binary patch
literal 1077
zc-p&ic+)~A1{MYw`2U}Qfe}czDB7f^z2;^x1G3E+Pyq*nD+7Z@aT5cB1KY!!TqoqR z*Ej?)uC!wafT;*z`p@w29>kPt{H8R6O}POw0b~+G0MHx=U9hUiKzpf6y&L(rQi_~5}YDR`eAiEKpamB?QVBQ>fG3ok`a?dAATt@8g8m#3iD^G*3}69QYN9o_IYxZSg6Y3F5M`Ktaqj@MuMRDXY+ z;FV!B?LvH7>y+m)?aM(9Iu*pkPz^M$8k>W1i#x#%>P7RP5fJx*9OUQ(QftEq3P(o! zhw?pT?W*kCJTqil6Q>4G++LM*aeq9_Q8CPhrlt<9Dyt*x z;~8~9PWhU{#Bd8}&@F6EIaAyPc8V^VQ_5jZxts=4I~$VXY%)r6bL@DzY%)?4Q|xR? zGD~t&?Mw^|6r2)M6oOI any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; http.request_header; content:":authority: "; startswith; content: "@"; pcre: /:authority: ([^:]*:[^@]*)@/,flow:http2_userinfo; sid:1; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; sid:2; rev:1;)
diff --git a/tests/http2-userinfo-authority/test.yaml b/tests/http2-userinfo-authority/test.yaml
new file mode 100644
index 000000000..fb9849550
--- /dev/null
+++ b/tests/http2-userinfo-authority/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 6.0.0
+
+# disables checksum verification
+args:
+ - -k none --set app-layer.protocols.http2.enabled=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
--
2.47.2
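Review bot: `min-version: 6.0.0` in test.yaml admits every 6.0.x engine, yet sid:2 in test.rules depends on the `http2.userinfo_in_uri` app-layer event. If that event exists only in builds carrying the fix tracked by the ticket, an older engine would presumably reject the rule at load time and the test would fail rather than be skipped, so consider raising `min-version` to the first release that ships the event. Both rules also carry the same `msg`, so the two `count: 1` checks on `alert.signature_id` are the only thing separating the content/pcre detection from the decoder event; a short comment above `checks:` saying which sid covers which path would help whoever triages a failure. The existing comment describes only `-k none`; something like `# disables checksum verification and enables the http2 parser` would cover the whole argument line.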