From 0c0d2f554c0d685d4ae60ccf0ccc1551c9f47f3f Mon Sep 17 00:00:00 2001 
From: Modupe Falodun Date: Fri, 4 Mar 2022 11:41:30 +0100 Subject: [PATCH] detect-pcre: add assorted tests Bring former Suricata unit tests over as suricata-verify tests. Conversions mapping: - detect-pcre-01: DetectPcreModifPTest04 - detect-pcre-02: DetectPcreModifPTest05 - detect-pcre-03: DetectPcreTestSig01-03 - detect-pcre-04: DetectPcreTestSig09-16 - detect-pcre-05: DetectPcreFlowvarCapture01-03 Task #6147 --- tests/detect-pcre/detect-pcre-01/README.md | 12 ++++ tests/detect-pcre/detect-pcre-01/input.pcap | Bin 0 -> 372 bytes tests/detect-pcre/detect-pcre-01/test.rules | 2 + tests/detect-pcre/detect-pcre-01/test.yaml | 22 ++++++ tests/detect-pcre/detect-pcre-01/writepcap.py | 11 +++ tests/detect-pcre/detect-pcre-02/README.md | 14 ++++ tests/detect-pcre/detect-pcre-02/input.pcap | Bin 0 -> 1132 bytes tests/detect-pcre/detect-pcre-02/test.rules | 2 + tests/detect-pcre/detect-pcre-02/test.yaml | 23 +++++++ tests/detect-pcre/detect-pcre-02/writepcap.t | 13 ++++ tests/detect-pcre/detect-pcre-03/README.md | 13 ++++ tests/detect-pcre/detect-pcre-03/input.pcap | Bin 0 -> 192 bytes tests/detect-pcre/detect-pcre-03/test.rules | 3 + tests/detect-pcre/detect-pcre-03/test.yaml | 27 ++++++++ tests/detect-pcre/detect-pcre-03/writepcap.py | 10 +++ tests/detect-pcre/detect-pcre-04/README.md | 15 +++++ tests/detect-pcre/detect-pcre-04/input.pcap | Bin 0 -> 337 bytes tests/detect-pcre/detect-pcre-04/test.rules | 10 +++ tests/detect-pcre/detect-pcre-04/test.yaml | 63 ++++++++++++++++++ tests/detect-pcre/detect-pcre-04/writepcap.py | 14 ++++ tests/detect-pcre/detect-pcre-05/README.md | 12 ++++ tests/detect-pcre/detect-pcre-05/input.pcap | Bin 0 -> 685 bytes tests/detect-pcre/detect-pcre-05/test.rules | 6 ++ tests/detect-pcre/detect-pcre-05/test.yaml | 37 ++++++++++ tests/detect-pcre/detect-pcre-05/writepcap.py | 11 +++ 25 files changed, 320 insertions(+) create mode 100644 tests/detect-pcre/detect-pcre-01/README.md create mode 100644 tests/detect-pcre/detect-pcre-01/input.pcap
create mode 100644 tests/detect-pcre/detect-pcre-01/test.rules
create mode 100644 tests/detect-pcre/detect-pcre-01/test.yaml
create mode 100644 tests/detect-pcre/detect-pcre-01/writepcap.py
create mode 100644 tests/detect-pcre/detect-pcre-02/README.md
create mode 100644 tests/detect-pcre/detect-pcre-02/input.pcap
create mode 100644 tests/detect-pcre/detect-pcre-02/test.rules
create mode 100644 tests/detect-pcre/detect-pcre-02/test.yaml
create mode 100644 tests/detect-pcre/detect-pcre-02/writepcap.t
create mode 100644 tests/detect-pcre/detect-pcre-03/README.md
create mode 100644 tests/detect-pcre/detect-pcre-03/input.pcap
create mode 100644 tests/detect-pcre/detect-pcre-03/test.rules
create mode 100644 tests/detect-pcre/detect-pcre-03/test.yaml
create mode 100644 tests/detect-pcre/detect-pcre-03/writepcap.py
create mode 100644 tests/detect-pcre/detect-pcre-04/README.md
create mode 100644 tests/detect-pcre/detect-pcre-04/input.pcap
create mode 100644 tests/detect-pcre/detect-pcre-04/test.rules
create mode 100644 tests/detect-pcre/detect-pcre-04/test.yaml
create mode 100644 tests/detect-pcre/detect-pcre-04/writepcap.py
create mode 100644 tests/detect-pcre/detect-pcre-05/README.md
create mode 100644 tests/detect-pcre/detect-pcre-05/input.pcap
create mode 100644 tests/detect-pcre/detect-pcre-05/test.rules
create mode 100644 tests/detect-pcre/detect-pcre-05/test.yaml
create mode 100644 tests/detect-pcre/detect-pcre-05/writepcap.py
diff --git a/tests/detect-pcre/detect-pcre-01/README.md b/tests/detect-pcre/detect-pcre-01/README.md
new file mode 100644
index 000000000..63b23bb62
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-01/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Test the pcre modifier P (match with L7 to http body data).
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted using Scapy based on buffers from the original unit tests.
+
diff --git a/tests/detect-pcre/detect-pcre-01/input.pcap b/tests/detect-pcre/detect-pcre-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..14dda2e909c154281aa3ec750f9377a1a0a6f6ae
GIT binary patch literal 372 zc-mc#&q~8U5XPsqtz}_PUc`f}XPbWqK@$tDHCUly4(Y+;l1`IgvWdx-)ZTm)uO58^ z@fEy!)yJrtLQx!;S@xUX%zPj3ug^_r!8X=wfQEYazCZb)Lt&ymb*?u7jpk0P{RGhI zf(s41MhBhvrQO->)~y2q-gc9>&*19~;L7!x!N$Jt8J2EQGR{hAv#P3eOtA=K5z44Q zE=ygYq-0uRp$$V63cATwaguN~XHqf@0?d^taVd>Rrb&v{)5c8%Nlj{*BX5Ie*GJb3k literal 0 Hc-jL100001
diff --git a/tests/detect-pcre/detect-pcre-01/test.rules b/tests/detect-pcre/detect-pcre-01/test.rules
new file mode 100644
index 000000000..706c49ed6
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-01/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"Pcre modifier P"; pcre:"/DOCTYPE/P"; sid:1;)
+alert http any any -> any any (msg:"Pcre modifier P - no match"; pcre:"/blah/P"; sid:2;)
diff --git a/tests/detect-pcre/detect-pcre-01/test.yaml b/tests/detect-pcre/detect-pcre-01/test.yaml
new file mode 100644
index 000000000..83cf4a245
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-01/test.yaml
@@ -0,0 +1,22 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/detect-pcre/detect-pcre-01/writepcap.py b/tests/detect-pcre/detect-pcre-01/writepcap.py
new file mode 100644
index 000000000..360185a51
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-01/writepcap.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.1', Host='www.emergingthreats.net', User_Agent='Mozilla/1.0', Content_Type='text/html; charset=utf-8\r\n\r\n15\r\n2J#5oJ6bJCL6P3zBkzqnG^w?S?e>F5plh76#w+Tu_L~I1zLVHatQl~f<5@2X& zrj8X7QdtpQU}HlJ3vYr7$kA=eqU9|(e>Ud=Gj0Z6#}Ghk-u%G)&nIJ!2)k&SkCDn%={_-?bK z0>B5m%^*K4Sf|9tbe{_Zj!^sl02=^mC!Y1}k&R8UZMH5GKfQIlyW_R#>e)|;og`Ay z-#+VpV!1zfa;J%(Ul)1M86}(Cp-au?UI?7w09${X+)4K{HO+6n<_R8jL;dEwZa@X5 z3?rv#vL>V|RUCu$dR;~<$SGQO5tkfPz*X5sSTL)|k any any (msg:"Pcre modifier P"; pcre:"/DOC/P"; sid:1;)
+alert http any any -> any any (msg:"Pcre modifier P"; pcre:"/DOCTYPE/P"; sid:2;)
diff --git a/tests/detect-pcre/detect-pcre-02/test.yaml b/tests/detect-pcre/detect-pcre-02/test.yaml
new file mode 100644
index 000000000..1a489d87c
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-02/test.yaml
@@ -0,0 +1,23 @@
+args:
+- --set stream.midstream=true
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/detect-pcre/detect-pcre-02/writepcap.t b/tests/detect-pcre/detect-pcre-02/writepcap.t
new file mode 100644
index 000000000..4ff83c760
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-02/writepcap.t
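Review bot: `-k none` is passed only in this test's args; the other four detect-pcre test.yaml files in this series run with checksum verification left at its default, and nothing records why this one differs. If the pcap was assembled from the text in writepcap.t rather than emitted by Scapy, its TCP/IP checksums are presumably not valid, and that is worth stating next to the flag, e.g. `# pcap was not built by Scapy; its checksums are not valid` above the `- -k none` line. Without the comment, a later cleanup that drops the flag for consistency with the sibling tests would silently break this one.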
@@ -0,0 +1,13 @@
+>>>
+GET / HTTP/1.1
+Host: www.emergingthreats.net
+User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13
+Content-Type: text/html; charset=utf-8
+Content-Length: 21
+
+>> +606Eh2IBLf2)2ZJjELmNn` z16x)cD;qlpNJ@%}ApmAlfP?}=)OQ93ch?XF{rtRCeFcw@kN|x{JwskDkNn~iD+QpS fUTQ^RZb43}UVc$JFBb@cm6w#~V=4y any any (msg:"HTTP TEST"; pcre:"/^gEt/i"; pcre:"/\/two\//U"; pcre:"/GET \/two\//"; pcre:"/\s+HTTP/R"; sid:1;)
+alert tcp any any -> any any (msg:"HTTP TEST"; pcre:"/two/O"; sid:2;)
+alert tcp any any -> any any (msg:"HTTP TEST. Negated pcre - no match"; content:"GET"; pcre:!"/two/"; sid:3;)
diff --git a/tests/detect-pcre/detect-pcre-03/test.yaml b/tests/detect-pcre/detect-pcre-03/test.yaml
new file mode 100644
index 000000000..a8e90b096
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-03/test.yaml
@@ -0,0 +1,27 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/detect-pcre/detect-pcre-03/writepcap.py b/tests/detect-pcre/detect-pcre-03/writepcap.py
new file mode 100644
index 000000000..8d5b5c018
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-03/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
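Review bot: `flags='P''A'` in the TCP() call relies on implicit adjacent-string concatenation to spell `'PA'`, which reads like a typo to anyone who does not know the idiom; write it as `flags='PA'`. The same construct appears in the detect-pcre-01, -04 and -05 writepcap.py scripts in this series. The script also emits a single client-to-server segment with no handshake, which is presumably why the accompanying test.yaml needs `--set stream.midstream=true`; a one-line comment above the `pkts +=` line, such as `# single PSH/ACK segment, no handshake: test.yaml enables stream.midstream`, would spare the next reader the cross-reference.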
diff --git a/tests/detect-pcre/detect-pcre-04/README.md b/tests/detect-pcre/detect-pcre-04/README.md
new file mode 100644
index 000000000..da20f21f6
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-04/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that Suricata properly matches on signatures with method or cookie
+modifiers passed to pcre, including cases with negated pcre and relative
+modifiers.
+
+This test is based on Suricata unit tests adapted to SV.
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted with Scapy based on buffers present in the original unit tests.
diff --git a/tests/detect-pcre/detect-pcre-04/input.pcap b/tests/detect-pcre/detect-pcre-04/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..31abc5d37316d3a26795d6bc83cfb43cc7d648a2
GIT binary patch literal 337 zc-p&ic+)~A1{MYw`2U}Qfe}bwzN?t@*@=^(2gvRLi-Q0IBNHd)tZeKY$b67;DJ}+km`H$x0>j%$K-xbzL_tAcLBS&=BtYL#&w!W9IX^!;Gu28V zr8GCUQo+#3*o2oWv^cd$*D*acuf$5hH@_+~Cnu4Yi any any (msg:"HTTP cookie"; pcre:"/dummy/C"; sid:1;)
+alert http any any -> any any (msg:"HTTP cookie"; pcre:!"/dummy/C"; sid:2;)
+alert http any any -> any any (msg:"HTTP method"; pcre:"/POST/M"; sid:3;)
+alert http any any -> any any (msg:"HTTP method"; pcre:!"/POST/M"; sid:4;)
+alert http any any -> any any (msg:"pcre relative HTTP cookie"; content:"dummy"; http_cookie; pcre:"/1234/RC"; sid:5;)
+alert http any any -> any any (msg:"pcre relative HTTP method"; content:"PO"; http_method; pcre:"/ST/RM"; sid:6;)
+alert http any any -> any any (msg:"HTTP header"; pcre:"/User[-_]Agent[:]?\sMozilla/H"; sid:7;)
+alert http any any -> any any (msg:"HTTP header"; pcre:"/User-Agent[:]?\s+Mozilla/H"; sid:8;)
+alert http any any -> any any (msg:"HTTP header"; pcre:!"/User[-_]Agent[:]?\sIEXPLORER/H"; sid:9;)
+alert http any any -> any any (msg:"HTTP header - no match"; pcre:!"/User[-_]Agent[:]?\sMozil/H"; sid:10;)
diff --git a/tests/detect-pcre/detect-pcre-04/test.yaml b/tests/detect-pcre/detect-pcre-04/test.yaml
new file mode 100644
index 000000000..b6a876dda
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-04/test.yaml
@@ -0,0 +1,63 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ http.http_method: "GET"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 8
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 10
diff --git a/tests/detect-pcre/detect-pcre-04/writepcap.py b/tests/detect-pcre/detect-pcre-04/writepcap.py
new file mode 100644
index 000000000..a468628be
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-04/writepcap.py
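Review bot: The checks for sid 1, 3, 5 and 6 count a single alert each but do not say which of the two requests in the pcap raised it; only the sid 4 check pins the transaction with `http.http_method: "GET"`. Per the rules and writepcap.py in this commit, sid 1 (`/dummy/C`), sid 3 (`/POST/M`), sid 5 (`/1234/RC` after `dummy` in the cookie) and sid 6 (`/ST/RM` after `PO` in the method) are all expected on the POST request carrying the `dummy 1234` cookie, so adding `http.http_method: "POST"` to those four `match` blocks would make the test fail if a modifier matched on the wrong transaction. The sid 7–9 checks expect both requests and are fine with a bare count of 2.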
@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='POST', Path=' / ', Http_Version='HTTP/1.0', User_Agent='Mozilla', Cookie='dummy 1234')
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=93, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.0', User_Agent='Mozilla', Cookie='dummoOOooooO')
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/detect-pcre/detect-pcre-05/README.md b/tests/detect-pcre/detect-pcre-05/README.md
new file mode 100644
index 000000000..3a33078d0
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-05/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Test flowvar capture on http buffer, based on a Suricata unit test and adapted
+to SV.
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted with Scapy with buffers based on the ones from the unit tests.
diff --git a/tests/detect-pcre/detect-pcre-05/input.pcap b/tests/detect-pcre/detect-pcre-05/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0e2f0e07c7c1ec1ed27efaedcfaab47944a2e30d
GIT binary patch literal 685 zc-oCo&2G~`5Z;tFP)oieE=(m36zsK4l-9995JG4xf)Xi?1UFn~;;eAi#$Gq3H!gV( zUVsA;N=I3Z49?I=}*gkYrI`Ppy2o!#&A$MX)x<<|X`^Lhi3CgR4Nk_6a%adH@E% zvF8m8i(0DE4gySs0|EZch> zvXfz7x9w(2x3pYLbi2YGYPVMY0^j99JZ3y}AUtP@HpWTh3%oe)`8>@15FNlw$4tX) zb)SY@&sT9%##PWzl}^kBa-n;#6WP*E{9uZA_a5~--t$2h%7?&U^ssl*QI+F3lT*&; zbBZ%eLpg$&rs#`|auljE$}rX2p(JzQX?)J2$TynQgqzPS%Y~5(J;w6_*nxfEma}z- zE~ICUMO)OQR%0KIFnAdocTBTo+GfLQ!ss;TA~$SmNfyRMiU}LBrc3b)u$?| uQp*47=Pp@D(H7)y@{`_w$=}|T|HnH**0O^f4f;=1Wr*n+rvLaYRrwA7w7RSS literal 0 Hc-jL100001
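Review bot: Both `IPv6(...)` layers are given IPv4 dotted-quad addresses (`dst='1.2.3.4', src='5.6.7.8'`), so what the installed Scapy version writes into the pcap depends on how it coerces them, whereas detect-pcre-03's writepcap.py builds the same addresses with `IP(...)`. The committed input.pcap is what the test runs against, but as the regeneration script this should state its intent explicitly: `IP(dst='1.2.3.4', src='5.6.7.8')` as in detect-pcre-03, or real IPv6 literals if an IPv6 flow is what the converted unit test needs. The detect-pcre-01 and -05 writepcap.py scripts in this commit use the same construct. Separately, `Path=' / '` carries a space on each side, which presumably yields a request line with doubled spaces; if that is not deliberate, `Path='/'`.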
diff --git a/tests/detect-pcre/detect-pcre-05/test.rules b/tests/detect-pcre/detect-pcre-05/test.rules
new file mode 100644
index 000000000..0f2cc5938
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-05/test.rules
@@ -0,0 +1,6 @@
+alert http any any -> any any (content:"User-Agent: "; http_header; pcre:"/(?P.*)\r\n/HR"; priority:1; sid:1;)
+alert http any any -> any any (content:"User-Agent: "; http_header; pcre:"/(?P.*)\r\n/HR"; sid:2;)
+alert http any any -> any any (content:"Server: "; http_header; pcre:"/(?P.*)\r\n/HR"; priority:3; sid:3;)
+# Shouldn't match
+alert http any any -> any any (msg:"pcre flowvar http header, user-agent, no match"; content:"User-Agent: "; http_header; pcre:"/(?P.*)\r\n/HR"; content:"xyz"; http_header; priority:1; sid:4;)
+alert http any any -> any any (msg:"pcre flowvar http header, server, no match"; content:"Server: "; http_header; pcre:"/(?P.*)\r\n/HR"; content:"xyz"; http_header; priority:3; sid:5;)
diff --git a/tests/detect-pcre/detect-pcre-05/test.yaml b/tests/detect-pcre/detect-pcre-05/test.yaml
new file mode 100644
index 000000000..7dbfe2ee6
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-05/test.yaml
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/detect-pcre/detect-pcre-05/writepcap.py b/tests/detect-pcre/detect-pcre-05/writepcap.py
new file mode 100644
index 000000000..f4104e7cd
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-05/writepcap.py
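Review bot: The README says this test covers flowvar capture on the http header buffer, but every check here only counts alerts per sid; nothing asserts that the pcre capture group in sid 1–3 actually stored the User-Agent or Server value on the flow. A `match` on the captured variable in the eve alert record, next to `alert.signature_id: 1`, would test what the rules are written for; as it stands a build that raised the alerts but silently dropped the capture would still pass. Whether the eve configuration used by the verify harness emits flow variables in alert records is not visible in this commit and should be confirmed before adding the check.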
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.1', Host='www.emergingthreats.net', User_Agent='Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13', Accept='text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8', Accept_Language='es-es,es;q=0.8,en-us;q=0.5,en;q=0.3', Accept_Encoding='gzip,deflate', Accept_Charset='ISO-8859-1,utf-8;q=0.7,*;q=0.7', Content_Type='Apache