From 592cc6e4bf1be681180f74f9612f42b9621ab01f Mon Sep 17 00:00:00 2001 
From: Shivani Bhardwaj
Date: Thu, 14 Dec 2023 18:46:25 +0530
Subject: [PATCH] add tests for bug 5220
---
 tests/bug-5220/bug-5220-1/README.md | 9 +++++++++
 tests/bug-5220/bug-5220-1/test.rules | 1 +
 tests/bug-5220/bug-5220-1/test.yaml | 13 +++++++++++++
 tests/bug-5220/bug-5220-2/README.md | 10 ++++++++++
 tests/bug-5220/bug-5220-2/test.rules | 1 +
 tests/bug-5220/bug-5220-2/test.yaml | 13 +++++++++++++
 tests/bug-5220/bug-5220-3/README.md | 10 ++++++++++
 tests/bug-5220/bug-5220-3/test.rules | 1 +
 tests/bug-5220/bug-5220-3/test.yaml | 13 +++++++++++++
 tests/bug-5220/bug-5220-4/README.md | 10 ++++++++++
 tests/bug-5220/bug-5220-4/test.rules | 1 +
 tests/bug-5220/bug-5220-4/test.yaml | 13 +++++++++++++
 tests/bug-5220/bug-5220-5/README.md | 8 ++++++++
 tests/bug-5220/bug-5220-5/test.rules | 1 +
 tests/bug-5220/bug-5220-5/test.yaml | 8 ++++++++
 tests/bug-5220/bug-5220-6/README.md | 8 ++++++++
 tests/bug-5220/bug-5220-6/test.rules | 1 +
 tests/bug-5220/bug-5220-6/test.yaml | 15 +++++++++++++++
 tests/bug-5220/bug-5220-7/README.md | 9 +++++++++
 tests/bug-5220/bug-5220-7/test.rules | 1 +
 tests/bug-5220/bug-5220-7/test.yaml | 8 ++++++++
 21 files changed, 154 insertions(+)
 create mode 100644 tests/bug-5220/bug-5220-1/README.md
 create mode 100644 tests/bug-5220/bug-5220-1/test.rules
 create mode 100644 tests/bug-5220/bug-5220-1/test.yaml
 create mode 100644 tests/bug-5220/bug-5220-2/README.md
 create mode 100644 tests/bug-5220/bug-5220-2/test.rules
 create mode 100644 tests/bug-5220/bug-5220-2/test.yaml
 create mode 100644 tests/bug-5220/bug-5220-3/README.md
 create mode 100644 tests/bug-5220/bug-5220-3/test.rules
 create mode 100644 tests/bug-5220/bug-5220-3/test.yaml
 create mode 100644 tests/bug-5220/bug-5220-4/README.md
 create mode 100644 tests/bug-5220/bug-5220-4/test.rules
 create mode 100644 tests/bug-5220/bug-5220-4/test.yaml
 create mode 100644 tests/bug-5220/bug-5220-5/README.md
 create mode 100644 tests/bug-5220/bug-5220-5/test.rules
 create mode 100644 tests/bug-5220/bug-5220-5/test.yaml
 create mode 100644 tests/bug-5220/bug-5220-6/README.md
 create mode 100644 tests/bug-5220/bug-5220-6/test.rules
 create mode 100644 tests/bug-5220/bug-5220-6/test.yaml
 create mode 100644 tests/bug-5220/bug-5220-7/README.md
 create mode 100644 tests/bug-5220/bug-5220-7/test.rules
 create mode 100644 tests/bug-5220/bug-5220-7/test.yaml
diff --git a/tests/bug-5220/bug-5220-1/README.md b/tests/bug-5220/bug-5220-1/README.md
new file mode 100644
index 000000000..a4d746e33
--- /dev/null
+++ b/tests/bug-5220/bug-5220-1/README.md
@@ -0,0 +1,9 @@
+# Test Description
+This test demonstrates that fast_pattern along with base64_data
+should fail with Suricata instead of silently passing through.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
diff --git a/tests/bug-5220/bug-5220-1/test.rules b/tests/bug-5220/bug-5220-1/test.rules
new file mode 100644
index 000000000..4b72db7c8
--- /dev/null
+++ b/tests/bug-5220/bug-5220-1/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
diff --git a/tests/bug-5220/bug-5220-1/test.yaml b/tests/bug-5220/bug-5220-1/test.yaml
new file mode 100644
index 000000000..16203e2c3
--- /dev/null
+++ b/tests/bug-5220/bug-5220-1/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ pcap: false
+ min-version: 8
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "fast_pattern cannot be used with base64_data" suricata.log | wc -l | xargs
+ expect: 1
diff --git a/tests/bug-5220/bug-5220-2/README.md b/tests/bug-5220/bug-5220-2/README.md
new file mode 100644
index 000000000..895b3fb15
--- /dev/null
+++ b/tests/bug-5220/bug-5220-2/README.md
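Review bot: The shell check in bug-5220-1/test.yaml pipes grep through `wc -l | xargs` only to obtain a trimmed match count, which `grep -c` already produces; the same line is repeated verbatim in the bug-5220-2, -3 and -4 test.yaml files (all share blob 16203e2c3). A shorter equivalent is `args: grep -c "fast_pattern cannot be used with base64_data" suricata.log` with `expect: 1` unchanged. It is also worth a README sentence that `exit-code: 1` is the rule-load failure under `--engine-analysis`, since a reader cannot tell from the yaml alone whether the non-zero exit or the log line is the assertion that matters; I am inferring that from the README text, not from the engine.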
@@ -0,0 +1,10 @@
+# Test Description
+This test demonstrates an invalid combination of base64_data with fast_pattern even
+in case when there are multiple base64_data in a rule. The rule processing shall
+stop the moment the first fast_pattern with base64_data is encountered.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
diff --git a/tests/bug-5220/bug-5220-2/test.rules b/tests/bug-5220/bug-5220-2/test.rules
new file mode 100644
index 000000000..593996299
--- /dev/null
+++ b/tests/bug-5220/bug-5220-2/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; content:"blah"; fast_pattern; base64_decode: bytes 10; base64_data; content: "test"; classtype:bad-unknown; sid:123; rev:1;)
diff --git a/tests/bug-5220/bug-5220-2/test.yaml b/tests/bug-5220/bug-5220-2/test.yaml
new file mode 100644
index 000000000..16203e2c3
--- /dev/null
+++ b/tests/bug-5220/bug-5220-2/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ pcap: false
+ min-version: 8
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "fast_pattern cannot be used with base64_data" suricata.log | wc -l | xargs
+ expect: 1
diff --git a/tests/bug-5220/bug-5220-3/README.md b/tests/bug-5220/bug-5220-3/README.md
new file mode 100644
index 000000000..b4e9de173
--- /dev/null
+++ b/tests/bug-5220/bug-5220-3/README.md
@@ -0,0 +1,10 @@
+# Test Description
+This test demonstrates that fast_pattern along with base64_data
+should fail with Suricata instead of silently passing through even
+if it is followed by several valid base64_data buffers.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
diff --git a/tests/bug-5220/bug-5220-3/test.rules b/tests/bug-5220/bug-5220-3/test.rules
new file mode 100644
index 000000000..51911c157
--- /dev/null
+++ b/tests/bug-5220/bug-5220-3/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; base64_decode: bytes 10; base64_data; content:"first"; base64_decode: bytes 10; base64_data; content: "second"; classtype:bad-unknown; sid:123; rev:1;)
diff --git a/tests/bug-5220/bug-5220-3/test.yaml b/tests/bug-5220/bug-5220-3/test.yaml
new file mode 100644
index 000000000..16203e2c3
--- /dev/null
+++ b/tests/bug-5220/bug-5220-3/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ pcap: false
+ min-version: 8
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "fast_pattern cannot be used with base64_data" suricata.log | wc -l | xargs
+ expect: 1
diff --git a/tests/bug-5220/bug-5220-4/README.md b/tests/bug-5220/bug-5220-4/README.md
new file mode 100644
index 000000000..9e236b6eb
--- /dev/null
+++ b/tests/bug-5220/bug-5220-4/README.md
@@ -0,0 +1,10 @@
+# Test Description
+This test demonstrates a invalid use of fast_pattern along with base64_data
+where base64_data is succeeded by a payload keyword and the content right
+after that is fast_pattern.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
diff --git a/tests/bug-5220/bug-5220-4/test.rules b/tests/bug-5220/bug-5220-4/test.rules
new file mode 100644
index 000000000..7fa27594d
--- /dev/null
+++ b/tests/bug-5220/bug-5220-4/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; bsize:=21; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
diff --git a/tests/bug-5220/bug-5220-4/test.yaml b/tests/bug-5220/bug-5220-4/test.yaml
new file mode 100644
index 000000000..16203e2c3
--- /dev/null
+++ b/tests/bug-5220/bug-5220-4/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ pcap: false
+ min-version: 8
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "fast_pattern cannot be used with base64_data" suricata.log | wc -l | xargs
+ expect: 1
diff --git a/tests/bug-5220/bug-5220-5/README.md b/tests/bug-5220/bug-5220-5/README.md
new file mode 100644
index 000000000..860cba440
--- /dev/null
+++ b/tests/bug-5220/bug-5220-5/README.md
@@ -0,0 +1,8 @@
+# Test Description
+This test demonstrates a valid use of fast_pattern before base64_data.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
diff --git a/tests/bug-5220/bug-5220-5/test.rules b/tests/bug-5220/bug-5220-5/test.rules
new file mode 100644
index 000000000..371edde80
--- /dev/null
+++ b/tests/bug-5220/bug-5220-5/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; fast_pattern; http.request_body; base64_decode:bytes 28; base64_data; bsize:=21; content:"something"; classtype:bad-unknown; sid:123; rev:1;)
diff --git a/tests/bug-5220/bug-5220-5/test.yaml b/tests/bug-5220/bug-5220-5/test.yaml
new file mode 100644
index 000000000..ad9d4388e
--- /dev/null
+++ b/tests/bug-5220/bug-5220-5/test.yaml
@@ -0,0 +1,8 @@
+requires:
+ pcap: false
+ min-version: 7
+
+args:
+ - --engine-analysis
+
+exit-code: 0
diff --git a/tests/bug-5220/bug-5220-6/README.md b/tests/bug-5220/bug-5220-6/README.md
new file mode 100644
index 000000000..0ef000c46
--- /dev/null
+++ b/tests/bug-5220/bug-5220-6/README.md
@@ -0,0 +1,8 @@
+# Test Description
+This test demonstrates base64_data w/o fast_pattern.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
diff --git a/tests/bug-5220/bug-5220-6/test.rules b/tests/bug-5220/bug-5220-6/test.rules
new file mode 100644
index 000000000..2894ec580
--- /dev/null
+++ b/tests/bug-5220/bug-5220-6/test.rules
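Review bot: bug-5220-5/test.yaml asserts only `exit-code: 0`, so it would still pass if the engine loaded the rule but silently dropped the explicit `fast_pattern` on `content:"POST"` — the "silently passing through" behaviour the README of bug-5220-1 says this series is about. The sibling bug-5220-6/test.yaml already verifies the chosen pattern through the `--engine-analysis` output in patterns.json, and the same filter check fits here since the rule pins "POST" as the fast pattern. The bug-5220-7 test.yaml (same blob ad9d4388e) has the same gap; there the expected pattern would presumably be "newcontent" after `pkt_data`, but the `buffers[0]` index in the match expression should be confirmed against the actual patterns.json for that rule before copying it.
```yaml
# … unchanged: requires / args / exit-code …

checks:
  - filter:
      filename: patterns.json
      count: 1
      match:
        buffers[0].patterns[0].pattern: "POST"
```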
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; bsize:=21; content:"something"; classtype:bad-unknown; sid:123; rev:1;)
diff --git a/tests/bug-5220/bug-5220-6/test.yaml b/tests/bug-5220/bug-5220-6/test.yaml
new file mode 100644
index 000000000..7a3745c45
--- /dev/null
+++ b/tests/bug-5220/bug-5220-6/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ pcap: false
+ min-version: 7
+
+args:
+ - --engine-analysis
+
+exit-code: 0
+
+checks:
+ - filter:
+ filename: patterns.json
+ count: 1
+ match:
+ buffers[0].patterns[0].pattern: "POST"
diff --git a/tests/bug-5220/bug-5220-7/README.md b/tests/bug-5220/bug-5220-7/README.md
new file mode 100644
index 000000000..cbd96b527
--- /dev/null
+++ b/tests/bug-5220/bug-5220-7/README.md
@@ -0,0 +1,9 @@
+# Test Description
+This test demonstrates a valid use of fast_pattern along with base64_data
+with the use of pkt_data to reset the detection pointer.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
diff --git a/tests/bug-5220/bug-5220-7/test.rules b/tests/bug-5220/bug-5220-7/test.rules
new file mode 100644
index 000000000..0605be490
--- /dev/null
+++ b/tests/bug-5220/bug-5220-7/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; content: "first"; pkt_data; content: "newcontent"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
diff --git a/tests/bug-5220/bug-5220-7/test.yaml b/tests/bug-5220/bug-5220-7/test.yaml
new file mode 100644
index 000000000..ad9d4388e
--- /dev/null
+++ b/tests/bug-5220/bug-5220-7/test.yaml
@@ -0,0 +1,8 @@
+requires:
+ pcap: false
+ min-version: 7
+
+args:
+ - --engine-analysis
+
+exit-code: 0
--
2.47.2