From 6faba986191246c9d4f9536ffa1e067dc896b2af Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 18 Apr 2024 14:57:46 +0200
Subject: [PATCH] tests: add rule to check for http.response_body

Ticket: 6948
---
tests/rules/http_request_body/test.rules | 1 +
tests/rules/http_request_body/test.yaml | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 tests/rules/http_request_body/test.rules
create mode 100644 tests/rules/http_request_body/test.yaml

diff --git a/tests/rules/http_request_body/test.rules b/tests/rules/http_request_body/test.rules
new file mode 100644
index 000000000..16e963bb5
--- /dev/null
+++ b/tests/rules/http_request_body/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.response_body; content:"one"; sid:1;)
diff --git a/tests/rules/http_request_body/test.yaml b/tests/rules/http_request_body/test.yaml
new file mode 100644
index 000000000..95fbc00fa
--- /dev/null
+++ b/tests/rules/http_request_body/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ mpm.buffer: "file_data"
+ mpm.pattern: "one"
+ # checks that all engines are toclient
+ engines[0].name: "file_data"
+ engines[0].direction: "toclient"
+ engines[0].app_proto: "http2"
+ engines[1].name: "file_data"
+ engines[1].direction: "toclient"
+ engines[1].app_proto: "http"
+ engines.__len: 2
--
2.47.2
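Review bot: The new test is created under `tests/rules/http_request_body/`, but the only rule in `test.rules` uses the `http.response_body` keyword and the commit subject also says response body. The directory should be `tests/rules/http_response_body/`, so the test can be found by the keyword it covers. The same path is used for `test.yaml` in the next hunk. As named, the directory suggests that the request-side keyword has engine-direction coverage here, which nothing in this patch provides.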
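Review bot: The `engines[0]` and `engines[1]` checks in `test.yaml` pin `http2` before `http` by array index, so the test depends on the order of the engine-analysis output and not only on the direction that the inline comment says it checks. If that order is not guaranteed, a reordering would fail this test without any direction regression. A comment above those checks such as `# engines[] indices assume http2 is listed before http in rules.json` would make the coupling explicit. The file also lacks a header comment tying it to the ticket, for example `# Ticket 6948: http.response_body must only register toclient engines`. That matters because a response-body keyword inspecting the wrong direction would presumably show up only as signatures that silently never match.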