From 9d9a50a24084ce0091653c61e2ad97fdca369166 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 12 Dec 2023 09:30:18 +0100
Subject: [PATCH] test: adds test for strip_pseudo_headers transform
Ticket: 6546
---
.../transform-strip-pseudo-headers/README.md | 9 +++++++
.../transform-strip-pseudo-headers/test.rules | 3 +++
.../transform-strip-pseudo-headers/test.yaml | 27 +++++++++++++++++++
3 files changed, 39 insertions(+)
create mode 100644 tests/transform-strip-pseudo-headers/README.md
create mode 100644 tests/transform-strip-pseudo-headers/test.rules
create mode 100644 tests/transform-strip-pseudo-headers/test.yaml
diff --git a/tests/transform-strip-pseudo-headers/README.md b/tests/transform-strip-pseudo-headers/README.md
new file mode 100644
index 000000000..78a9ce394
--- /dev/null
+++ b/tests/transform-strip-pseudo-headers/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test strip_pseudo_headers transform.
+https://redmine.openinfosecfoundation.org/issues/6546
+
+# PCAP
+
+The pcap comes from test http2-range.
+This pcap has both HTTP1 and HTTP2.
diff --git a/tests/transform-strip-pseudo-headers/test.rules b/tests/transform-strip-pseudo-headers/test.rules
new file mode 100644
index 000000000..6d612977f
--- /dev/null
+++ b/tests/transform-strip-pseudo-headers/test.rules
@@ -0,0 +1,3 @@
+alert http any any -> any any (http.header_names; strip_pseudo_headers; content: "|0d 0a|accept-ranges"; startswith; nocase; sid:1; )
+alert http any any -> any any (http.header_names; content: "|0d 0a|accept-ranges"; startswith; nocase; sid:2; )
+alert http1 any any -> any any (http.header_names; content: "|0d 0a|accept-ranges"; startswith; nocase; sid:3; )
diff --git a/tests/transform-strip-pseudo-headers/test.yaml b/tests/transform-strip-pseudo-headers/test.yaml
new file mode 100644
index 000000000..27ec098b5
--- /dev/null
+++ b/tests/transform-strip-pseudo-headers/test.yaml
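Review bot: None of the three rules in test.rules carries a `msg` keyword, so the EVE alert records the checks match on have an empty `alert.signature` and a reader of the output has to map sids back to this file by hand; a one-line description on each, e.g. `msg:"header_names with strip_pseudo_headers";` on sid 1 and `msg:"header_names without transform";` on sid 2, would make the sid 1 versus sid 2 comparison self-explaining. Adding `rev:1;` alongside keeps them in line with the usual rule layout. The matching part of the three signatures is consistent, which is what the comparison needs.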
@@ -0,0 +1,27 @@
+requires:
+ min-version: 8.0.0
+
+pcap: ../http2-range/http2-range.pcap
+
+# disables checksum verification
+args:
+ - -k none --set app-layer.protocols.http2.enabled=true
+
+checks:
+ # transform allows to get 3 more alerts, the ones from HTTP2
+ - filter:
+ count: 5
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ # without transform, we only get the 2 alerts from HTTP1
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
--
2.47.2
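Review bot: The comment on the first filter says the 3 additional sid 1 alerts are "the ones from HTTP2", but nothing in the checks asserts that; a count of 5 would also pass if an HTTP/1 transaction produced an unexpected extra match, which is the kind of regression this test exists to catch. A fourth filter restricted to the HTTP/2 flows (EVE alert records carry `app_proto`) would pin the claim, see below. Separately, `# disables checksum verification` describes only the `-k none` half of the args line; `# disables checksum verification and enables the HTTP/2 parser` would cover both. Whether `app-layer.protocols.http2.enabled` still has to be forced on for a build that satisfies `min-version: 8.0.0` I cannot tell from here.
```yaml
checks:
  # … unchanged: existing three filters …
  # the 3 extra sid 1 matches must come from HTTP/2 transactions, not HTTP/1
  - filter:
      count: 3
      match:
        event_type: alert
        alert.signature_id: 1
        app_proto: http2
```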