From 2ac1472caade12265b8461d22dfc2a11bf478b28 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 9 Feb 2024 17:30:29 +0100
Subject: [PATCH] Adds test for http.request_header and http.response_header keywords

Ticket: 6736
---
 tests/http-request-header/README.md | 12 ++++++++++++
 tests/http-request-header/input.pcap | Bin 0 -> 1397 bytes
 tests/http-request-header/test.rules | 4 ++++
 tests/http-request-header/test.yaml | 27 +++++++++++++++++++++++++++
 4 files changed, 43 insertions(+)
 create mode 100644 tests/http-request-header/README.md
 create mode 100644 tests/http-request-header/input.pcap
 create mode 100644 tests/http-request-header/test.rules
 create mode 100644 tests/http-request-header/test.yaml

diff --git a/tests/http-request-header/README.md b/tests/http-request-header/README.md
new file mode 100644
index 000000000..8e3320eba
--- /dev/null
+++ b/tests/http-request-header/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test `http.request_header` and `http.response_header` keyword
+
+## PCAP
+
+From https://redmine.openinfosecfoundation.org/issues/6736
+
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6736
diff --git a/tests/http-request-header/input.pcap b/tests/http-request-header/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c84b2df7002156fe463a8b3f2d3cfa87a414bbab
GIT binary patch
literal 1397
zc-noG%TF6e9LHx30kX@U9;**w_x(yzygeF99k9TGnHG zBJC~WjzW?{)kbb}qltP!l~8l!R#jEno~o9%5;-LK14?JsSOv>sHLIEV?dUVV@9(ic zz5ezK8)yfO=kyc+hRki(PEzp@3qoW~UvTaAXXw~=xKj%Zc7bsK+{~XNV7p`VDZ8{{ zW0%5@4zB|7fP3(c9^SS=u#W+-wO@I~w6%3HOuLN|e>q32v+CSB5r7de(((B=rBNyn z53kzszbAzHe*1>ED+kVqghr@sl;{n!z)$S{RzCJJ$Ci(^CLiAu>RYj!0e}45&`nuC z64nnyJbjy4%q!+E${P8&C98)4`!4~Q9G4)Usp=|!&lDtlKafL(bOsxUJD3zZ~qggF~MGZPG>ooy#T1j>(u9CW>l5bPmE9Str*zUC`<9Ib1%604JkT zBS7A-S+GN7?X;4%wfn@9ws%q5=|fA}N1e5s&q?FaJA)kS&muX6ia|eCv4(@5IMeTq&CPrg*43|TmEeCw=@K)Z>4W8ZSB9U)_#7m9kos3-y5+Toc_LY rzO{odE@k~=vA$}_x=vWj=UK}yE-R|DpV&@Q%-#^*7A>k@zXRYudZ&`u
literal 0
Hc-jL100001

diff --git a/tests/http-request-header/test.rules b/tests/http-request-header/test.rules
new file mode 100644
index 000000000..8c6d0ae66
--- /dev/null
+++ b/tests/http-request-header/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"request_header"; flow:established,to_server; http.request_header; content:"Connection|3a 20|"; classtype:bad-unknown; sid:1; rev:1;)
+alert http any any -> any any (msg:"response_header"; flow:established,to_client; http.response_header; content:"Connection|3a 20|"; classtype:bad-unknown; sid:2; rev:1;)
+alert http any any -> any any (msg:"request_header"; flow:established,to_server; http.request_header; content:"User-Agent|3a 20|"; classtype:bad-unknown; sid:3; rev:1;)
+alert http any any -> any any (msg:"response_header"; flow:established,to_client; http.response_header; content:"Date|3a 20|"; classtype:bad-unknown; sid:4; rev:1;)
diff --git a/tests/http-request-header/test.yaml b/tests/http-request-header/test.yaml
new file mode 100644
index 000000000..940e13ea7
--- /dev/null
+++ b/tests/http-request-header/test.yaml
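Review bot: All four rules in the test.rules hunk are positive matches, so the `count: 1` checks in test.yaml cannot detect a regression in which `http.request_header` exposes response headers (or `http.response_header` exposes request headers); such a bug would still produce exactly one alert per sid. A cross-direction negative pair closes that gap, e.g. `alert http any any -> any any (msg:"request_header_neg"; flow:established,to_server; http.request_header; content:"Date|3a 20|"; classtype:bad-unknown; sid:5; rev:1;)` and the mirror `alert http any any -> any any (msg:"response_header_neg"; flow:established,to_client; http.response_header; content:"User-Agent|3a 20|"; classtype:bad-unknown; sid:6; rev:1;)`, each paired with a `count: 0` filter in test.yaml, assuming the pcap's request carries no Date header and its response no User-Agent. If each buffer is one `name: value` pair as the keyword is documented, adding `startswith` after the `content` would also pin that the match is on the header name rather than on a value that happens to contain `Connection: `. Lastly, sids 1/3 and 2/4 reuse the same `msg` strings; distinct messages per sid make the eve output of a failing run easier to read.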
@@ -0,0 +1,27 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
-- 
2.47.2