From c0f84a0c454d38258f363f62f0f02b3e2c60c47c Mon Sep 17 00:00:00 2001
From: Lukas Sismis
Date: Tue, 6 Feb 2024 11:54:03 +0100
Subject: [PATCH] tcp: add a SYN packet test to verify correct flow output
Ticket: #6733
---
.../bug-6733-syn-packet-flow-output/README.md | 11 +++++++++
.../input.pcap | Bin 0 -> 106 bytes
.../test.rules | 1 +
.../bug-6733-syn-packet-flow-output/test.yaml | 23 ++++++++++++++++++
4 files changed, 35 insertions(+)
create mode 100644 tests/bug-6733-syn-packet-flow-output/README.md
create mode 100644 tests/bug-6733-syn-packet-flow-output/input.pcap
create mode 100644 tests/bug-6733-syn-packet-flow-output/test.rules
create mode 100644 tests/bug-6733-syn-packet-flow-output/test.yaml
diff --git a/tests/bug-6733-syn-packet-flow-output/README.md b/tests/bug-6733-syn-packet-flow-output/README.md
new file mode 100644
index 000000000..3fe763442
--- /dev/null
+++ b/tests/bug-6733-syn-packet-flow-output/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Created when a bug was found - pseudopackets were assigned with ACK flag
+and that falsely turned SYN flows to SYN/ACK flows.
+This only happened when content-matching rules were in the ruleset.
+
+https://redmine.openinfosecfoundation.org/issues/6733
+
+# PCAP
+
+The PCAP files comes from a private capture, free to share.
diff --git a/tests/bug-6733-syn-packet-flow-output/input.pcap b/tests/bug-6733-syn-packet-flow-output/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..544fb7dbcc8226834cd3841dcfccbf8c80636ba5
GIT binary patch
literal 106
zc-p&ic+)~A1{MYw`2U}Qfe}bAky(-&md(fD1Z0D7%cjH!g3m7{Z?W6$%)#Kwz+f`b
x#et!UjeYIp?Y^F~m%Y}W>cSv7H6+IuWJ&|muMed_7848W7Di@f4n{^6CIAbE96100

literal 0
Hc-jL100001

diff --git a/tests/bug-6733-syn-packet-flow-output/test.rules b/tests/bug-6733-syn-packet-flow-output/test.rules
new file mode 100644
index 000000000..80eeb3611
--- /dev/null
+++ b/tests/bug-6733-syn-packet-flow-output/test.rules
@@ -0,0 +1 @@
+alert tcp $HOME_NET any -> any any (msg: "example"; flow:established,to_server; content:"GET|20|"; sid:11111; rev:1;)
diff --git a/tests/bug-6733-syn-packet-flow-output/test.yaml b/tests/bug-6733-syn-packet-flow-output/test.yaml
new file mode 100644
index 000000000..bdf46c759
--- /dev/null
+++ b/tests/bug-6733-syn-packet-flow-output/test.yaml
@@ -0,0 +1,23 @@
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ dest_ip: "155.166.235.43"
+ dest_port: 25
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 66
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: new
+ proto: TCP
+ src_ip: "147.183.77.73"
+ src_port: 38212
+ tcp.state: syn_sent
+ tcp.syn: true
+ tcp.tcp_flags: "02"
+ tcp.tcp_flags_tc: '00'
+ tcp.tcp_flags_ts: '02'
-- 
2.47.2
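Review bot: The single rule in test.rules carries no comment explaining why it exists, and the README hunk says the bug only surfaced when content-matching rules were loaded, so a reader of this file alone cannot tell that the rule is a trigger that is expected not to fire. `flow:established,to_server` cannot match the lone SYN the test feeds in, and test.yaml asserts `flow.alerted: false`, so the rule's only apparent job is to force the content-inspection path; suggest prefixing the file with `# Content rule loaded only to exercise the content-matching path from bug #6733; it must not alert on the bare SYN (test.yaml asserts flow.alerted: false).` Note also that the source address 147.183.77.73 is not an RFC1918 address, so whether `$HOME_NET` covers it depends on the Suricata config the test runs with; if a firing variant of this test is ever intended, the comment should say which HOME_NET it assumes.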
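Review bot: Nothing in the checks marks which field is the actual regression guard; `tcp.tcp_flags_tc: '00'` together with `tcp.state: syn_sent` and `flow.state: new` is what would have caught the README's ACK-on-pseudo-packet bug, while lines such as `flow.age: 0` and `flow.reason: shutdown` are incidental to a one-packet pcap, and a future maintainer has no way to tell them apart. Suggest a YAML comment above the filter, `# Bug 6733: a lone SYN must stay syn_sent/new with no ACK flag on the to-client side (tcp_flags_tc 00)`. The quoting is also mixed within the same block (`tcp.tcp_flags: "02"` but `tcp.tcp_flags_tc: '00'`); pick one style. A second filter asserting `count: 0` for `event_type: alert` would make the expectation that the content rule never fires explicit rather than relying on `flow.alerted: false` alone.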