From 1f872352630c4806469b1e4b0d404e0a16787f9b Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Thu, 7 Nov 2019 10:27:34 +0100
Subject: [PATCH] tests: add bug 3277 nfsv2+filestore test

---
 tests/issue-3277-nfsv2-filestore/README.md  |   1 +
 tests/issue-3277-nfsv2-filestore/nfsv2.pcap | Bin 0 -> 25664 bytes
 tests/issue-3277-nfsv2-filestore/test.rules |   1 +
 tests/issue-3277-nfsv2-filestore/test.yaml  |  14 ++++++++++++++
 4 files changed, 16 insertions(+)
 create mode 100644 tests/issue-3277-nfsv2-filestore/README.md
 create mode 100644 tests/issue-3277-nfsv2-filestore/nfsv2.pcap
 create mode 100644 tests/issue-3277-nfsv2-filestore/test.rules
 create mode 100644 tests/issue-3277-nfsv2-filestore/test.yaml

diff --git a/tests/issue-3277-nfsv2-filestore/README.md b/tests/issue-3277-nfsv2-filestore/README.md
new file mode 100644
index 000000000..df09c947b
--- /dev/null
+++ b/tests/issue-3277-nfsv2-filestore/README.md
@@ -0,0 +1 @@
+Pcap from https://redmine.openinfosecfoundation.org/issues/3277
diff --git a/tests/issue-3277-nfsv2-filestore/nfsv2.pcap b/tests/issue-3277-nfsv2-filestore/nfsv2.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..8575554eec714b72e449e25214108171376d1b84
GIT binary patch
literal 25664
zc-qyS2~<_b8OJY=MOFcEi!mu}TvCrB64GE}JitjprJ6QL(^{7X&3gt@4GJ;PR8tb3
zm=g(@#8l%37Q{73aJP!MfV(212GO`L55X8sQ)6Q3-0#kVJM(6SCqD1JymN*@g_-~S
z-uHd;&GNj9OLkUECdo~b+6PGz`cCqSMzvd1+>|=Wt6Mty{tYN)pWPmI6n#DWP^q`{
zoFt7h?~tVE;G>Z<AL?vEWt@MFlqCIT;`ykU&bgBELhWYeq1qi6^5vGfME)xO+Z6Mp
zroUEtj+uqN9RUUURQiXWhh|60Juk14dzE{al2G4KpWnbeyGf3(4g;PT7#8tlSVTnF
zfbfX0$gqe=qNhbr=rPVR@05G0YP65hl<Uz|n%b=sHAee5>?IPlT#0I*R7-O5#FW<(
zEviwY;;B+;!fb+7YCHB%Oqyuv|N8jk3FBW&>~Be%l$89IqBf@({rfm5G?(Go(ZFT1
zor_0TQ?B%E!+Zf3NeT*@js#qheC0os$i#oC{$A;IeVM=xc7Yv4G}%F|YzH-YQ86pd
zIB5s@b`FkqaJo`p2XQdoZ7Mscm7+`+aL=sq29tIW6*hqE=_M%i7@swl!x)D&jq#MX
zn-o5H7&S)wI2>N89%7-;V~NZjB1w(Gb=CH<c)R(Zl0wTn^2P!!wtGkR*+M9^=DFqy
zxy6w0?3&#hk!EXJ#9toqo6XSd8ryZoniSO^LZLZK&3+X)yxq*fy-`Z6UWiq*Z5Wiq
zG^psyKbL^sGs@0OMj!>Tl4p1*)JTb{Zi(k^;CYMU`E#V~GX~FKjd}8XWDM{uAb3Vq
zHDJ{oo}s9CNKznjTCdTClGjV=(35xP-=lvhf<p7jGw%gHHiA!9m+q*ie=_)ZXu(JR
z-7$7=QPe*Vh2|8MJqb81Cph(pdj+d!aWXl<WFIiON-=pDwK}H_Fi8d`ODQIQ!0KCK
zatI2|q|Ce@nCvE)tm+hwTAj;a;-e)KR28V&lp3j*GP-9_WRX@tp_whno(jwc63jm6
zvK^1ki8(m`3i=XAtCOVn3RJ(3YdXH=U$OIN*Pxsi-wwe0a-EECnVXUF&$XE^97nEF
z&6_XY1>S!m=Zg$qteQ7pXu<O!@NA&wi@r$NJYDBsG0$}1`3lK%UIkX|%K4YalNU=5
z0ndw6EbW4n%{N9Y6~=}4fNLZb7fP{uo#O(e-4#%1?i<aAf%|@fdqHx0q<jH`yGe_<
zz=+G0lFyX0PzT0Ft477M^BM4dyg=Id+(JAm7sU<pBz8SBU0~;x!23L9=bezUg~qUR
zP|vgTnZUIVY3Kb$V)Yu?d8@b|0q*BW?ww_eSfnF&)0l|_cV4dc5pd6<a<ySty&zW;
zGN}S4XDKF2P^-CZfJrtmnMpAjiq#94l*|$^ISNe9Q2yBgwVG!P{{;0s|I7g<y(s@2
zj@9ezpF-}{!2N5=7W0wv#m2BjP|vf)kAeFKlr6?%^)1=raVRvCJ?3M;WF5g|?b9Ww
z)qgRV_-VS9avi%*fZYs=-EZ+I-MBk$-ZgoG{QNj0pR}euhFZ<nH$Ml}yu4)&uoz6{
zEn^2^)h^D@OJ<QZDC7C(3E){v`KO#G7U&rl$CB2-i;MGs>%(MR{P8MQ@66u$X!NCz
z6LHZ`#odItj|T2uF^KczU6^;Q)b3@;3GQD3_md>|rHhdAB|36<A3NbqwR)a!&j;@B
zQoj8>RxgN)LMAo9q=sT5?;;nr0VWH8$ux?|b67o}iH}q)*mpY#Og57HZv8f)R+loE
z_&)$9jvjI^%#_jbnB@YqcNliGR5(ZYTodj2*D`WFYuclz)n&TQ5sGTw9I+KxbS3AA
z^6#-~*Uk~>T_I~w#`DWl!1Flem%Wg(<vRMM2ePpgm3p3yl>*n1l#Rt=^#Z>XGC2)Q
zj!{f{qE=V50Vdmk$q0%`3|8L~6JB2XH85F4=C!f=P^&8$OaioIV$Ug1)o5?Kk@0eZ
z-A-WlM}|GE6viyy4xxgWb%v3LS<||qR#)j7vlP|5n6(F31duW7+i<Mf#WCwz5K;RM
z3>Wz4S>Rbk`e(c+Quc+Od2LveHGq0vUJIwPwt6zJO&yNax9U!ai@Edc_#7jLv!-=L
z%8T^1V^GbrV>m^t^P%iG46D}Dj?V+nO45!~ZX;!@89akDvSV-=m3sRr1j%({Hk_u}
z4iH=mQo3XHg8h2v3B0A*N=p7Ls|^do-79}Lx;e5--Ic$Cy)M|LK(EJDKL=T<?11>^
z>Q%Etg1v7i-jfUPo*bsu%qBFdVneK%#jyoW<ZM^S*fQ*Wtp0x2%%)bXnVa)aG53qW
z{Sd|dQ>6S$L+mArxx<N^?J~*zOfRfnr#)QEU(Edya6d@px*sFuC5Bj+i@C!Ik?kU7
z@99{*k?s95a6dqCm!szzL##2x+~LH<cAn&(b{ngA#@_2;l|c56)GuzN?A?uF@Ab^N
zwrS2yh!*59SAhFb>Q2pEq<k%dyXONqJ9iklO7#m+Xx`D;aH>!@h~VA#Qg5u9JJ&YP
z8bzXe95!IGm$b!@yQuYbdd_)fQax|Y1}oFLr>QmDudsUldRJ+cw>MV@OqP**bI0Y~
z=k*LG?X_frss?+T-ZQQ?{W>gi&%~#wM#uAC$mDI+r2l5G$D?z`e;XM7>txQH-(XkB
zs|Eghjgg;O(*lw54f?J@ibQv~Agi?9B-bDb6<BpkYY=xQ)*ukE**uR;68L^S@T{PG
z{|-{N(HOoD>Unky*^8}`vg5T_z0P(l<lX?>%SrB!%9;8mZMZW>?v_Y$=fzyeUh1Bp
zVr~RhFNnF&Dlg_<2POq%%<Vo0wYpiGd&qnyPTfQHdrWlC;}+QJ4$@W=dg9SJVXK8N
z!aBHBYlOlV75+b^GiyaTFXn#3xNm5+%Ad3Nw>B}?apWr1yqNnP@IFVz+=G{}>ifJ;
z=oHUVC^XMv^9|rxLhxJ=E$?4$Ves_Uf~Sgrms}FZOqh`5i(`S9^KIaKn&kYCEqFBd
z!r9AljYV-rO6Xc(x8E}IT5IMfNZD46?$0+cbA2(-JHWG+<T-jPR(+rQmGqoN+ikq)
z4F4wZETiVEX-HYAA?7SaJum*=1+E*(_#6BKR`1IA+X_357u}1x#rS-V)%plhzD?iw
z8!x&S)d;+gQ*mJvR{enEg3yj(W(X-I?YPrTq^!&kd%S*=i}`k(V*;*gs6DS_tX|(e
zFGV@ej{n2Rd97(~Ncnb+)@}|XSE=UMagICit|IMt_fV|5B|CNn&k`s!&jR!JjQc~g
zp1OdP?O^cq(&YY7)2CHK)wVnj3e7ev#}n9=5p2_@)#4Gjf-NYZ*~&lvR-z?zZ0NZ0
z6D+=JrTd`Jthbo|3#@Yq*2{X!r?xu{kh96Z6RhNH>T%iQ$=ou5eS5=uaFDd`3*+&~
z?j=qKw;ZP@7nAk2N<o~4%ray%wKs7cDcfa;y$MA<FHQ#n*FrK*-+Udb*LZJ&&htPy
zFHZje+_zJC^M^=zxxRTbsOH&m5b!Ri^5%6|^#jhEg?4<05vQ}>e*-D2(B_<<X-UoJ
z{9>-bz;zeNb^3U$UJxIkSNfcPgyT6sL^iz3LY>u%x&8=TH&E-5H<7a446eS~uSY;V
zXAdo>BkZAhQhR8<uzLPoGqLaf#K>)}nKMwUdkpNmofvsQVtFoB?Hb=j3fT4KvjQ8t
z%lJG`)({&~w$~7M%@p;#IjAdeT}aMBmrr5!_j}ju{>~-D-2VsM*HUx8eEzo27<0dn
zdpF=dpX5H`cUZkPbARjX9ailjYbfrr#q4Kr57eByf4~hvO#K;fzeB~;Utsn8n5wkO
ziK+5f9P&_Ws(eOvK-V)zMKv#`_5>EiWK8{LHCFA4dymb&jckgj{hyThHfC`Ho?lXT
zy;6~~gNC^4rKsomc5mRCP2KhK#p?CF>m}w6J4YeK6!*80@<VNa`{Tg<BZ|8ZR&QkP
zu!9t`n&O^>lpoe6Pj!krFQ)cm+*j`r_b65`h^f#jFQ$3`ll4?gl|K<xsc%dL)x4P6
zpRuM-eEF|fwQFN4QbN|F1fN;5z)o7o7u0=1c~|&|A?|T1>Uq8$4qT^`zTJH`R<FgL
zHgliQ3GQBu&qZY|os5)MwE^xCz&(TF{wY>(WbW;N`$~$tyr*(h$C#?(o)IdDsZTNP
z&-RGxhSdvVYKGu*W)^S8y#i~he6CfkZ%oY)e9kOqAh1|K##GNZtlGsfbyN^pgEF3t
z`2f%5q>UBIdH*p(+|gFl^L+c)!1eE>Z@U*__1fIg_DzUp-q99w_hsC@%_@{n>W{Yp
z?t_5)-ze@&uzDkK=fw{{MxJWToPv~}(DiP-qMCCzKIa+6UFN=*Jh1AP@5YO5(I1!;
zQg;PTqSn7M#9aZgEe-}YsiZA#?}OEA@qef|&hO5}-T>gfgo*(-kn$QG=XX^MSP?Fm
z-(!LM32J`th}8?`_alPOu2|YLa!qS$J!<u&zVkb%=FRVMjQx_t4WU@Ii|6-@P_hPP
zJR5@(+K_x|T`r$&)f!_z1l03vYzX7-dylvvte$@dJ78kE#C>*vB?z9caJlLK)jusi
zJ0R~;RQ!c(6_Y%vHP4U;m@RmQM9xUL=VdEZ&ki^(MIE?>d%m}4NGLsVo*`lB0Ap<0
r2QwAP&yX1AM~$&*9MXe+hJ>P)^BjVlSAokm)iWfDq|kXOJTCtSW$exF

literal 0
Hc-jL100001

diff --git a/tests/issue-3277-nfsv2-filestore/test.rules b/tests/issue-3277-nfsv2-filestore/test.rules
new file mode 100644
index 000000000..2d54ae4c5
--- /dev/null
+++ b/tests/issue-3277-nfsv2-filestore/test.rules
@@ -0,0 +1 @@
+alert nfs any any -> any any (msg:"FILE store in NFS"; filestore; sid:1; rev:1;)
diff --git a/tests/issue-3277-nfsv2-filestore/test.yaml b/tests/issue-3277-nfsv2-filestore/test.yaml
new file mode 100644
index 000000000..6c6b9650e
--- /dev/null
+++ b/tests/issue-3277-nfsv2-filestore/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - RUST
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        app_proto: nfs
+        alert.signature_id: 1
+
+
-- 
2.47.2