From f27b795d18a0b6a01bfacc003564fd735617fc68 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Fri, 20 Sep 2024 16:04:57 +0200
Subject: [PATCH] tests: add test for bug 7264

---
 .../README.md                                 |   4 +++
 .../input.pcap                                | Bin 0 -> 8141 bytes
 .../test.rules                                |   2 ++
 .../test.yaml                                 |  25 ++++++++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 tests/bug-7264-tcp-3whs-ack-data-tls-01/README.md
 create mode 100644 tests/bug-7264-tcp-3whs-ack-data-tls-01/input.pcap
 create mode 100644 tests/bug-7264-tcp-3whs-ack-data-tls-01/test.rules
 create mode 100644 tests/bug-7264-tcp-3whs-ack-data-tls-01/test.yaml

diff --git a/tests/bug-7264-tcp-3whs-ack-data-tls-01/README.md b/tests/bug-7264-tcp-3whs-ack-data-tls-01/README.md
new file mode 100644
index 000000000..e8e1512f6
--- /dev/null
+++ b/tests/bug-7264-tcp-3whs-ack-data-tls-01/README.md
@@ -0,0 +1,4 @@
+Pcap
+====
+
+Pcap from bug-2646-01, with 3whs ACK removed so 3whs is now closed by ACK with TLS data.
diff --git a/tests/bug-7264-tcp-3whs-ack-data-tls-01/input.pcap b/tests/bug-7264-tcp-3whs-ack-data-tls-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..072c568ecfcf4ef47603cf641a9736fff7097961
GIT binary patch
literal 8141
zc-rMzc|28X+kV!b%=27fn<c|C58)Uy6sICnBAI9QHZ;>V6zZguq%xNwQzepQ8!{w?
z3<)7kCrOk#NqN`W#fi$>_xt|%{`i*P!y2#ae(vYGhqZLoU(Un;9Qb#`0SNicHk7-S
zQ4Rylk$rTWjT|EGHUf}*lzSgNFa|(dLR=5%5mM->dEoOYck!6oQmATeli)5CBLhQX
zXLA7ngTt5MF!YRL`uZH`c?gT8Ly?Vq|3&_a`4t~QCIW2$^neE87Bh;9qC-`+rH9jf
z@)7ji8JwGj3vQvvIB^u&P<?$fijE*NpvWFU7+`_{w6WA?jHZMnYI8Ef5}S7;=mnAd
z;Hgd~Vh%*JR}@9&#X=aw9ndTmYx1I8>CFLwkoApvwvjmB>L95oQF}t!yGihr^?9e9
z0RVfcvQ(J5hN^HU|4tsr2I(LRq}?f?mQahR;#6rWBbA$)O-%>Bzz1jo4Qes9kSa!%
zqB2mqs9DrB;E7CI87NW7)Nm?^8U`9bJ-7*~!69%EG2RHA181q3)N|Af>RF(Jcu5r~
z04lf+qJch`LyWXVd?^H00U$tf377Zu4)F@z5lVI^xdsM=xCeyDy9W9LCV;~NWKN98
z4?PeBd_Vy312N=DUS#kgg9Q+Q5CI}!2v|IX$KbIz2#3L8u@Dx6#bO`~27?7WU<~~K
z*-%+s&BFj>iD}~p!K#RO>H$qcR?!l{7OZU&j)-IjvQp>1$_kNG8!9anv8M<F9FVv}
z$5KSx1`#h5G3~^!5JB8xL|!Zw7$cI`$6^VI>-_JL>Wlq_%${gZ@QU|K*Nvq$boUIk
z+~LaCn^6N)1w<mKV7^XoUJ_zo1%Mzi2QUF<AHeJh=n7#9T^>v!Bxcaoo}FGR+Fl`i
z>iNl){~WygsKo<jAu!0qn#O)$fgmP4fP)m7U<Lwq3y#2r*<z*019PDVj9kn{-k#ou
z?xYZ+S%9me0L+J;X5wNG4-c1jLoT@@mr#K!D!_8+B`lZZ!V^}e`btDoZ%;3xKA9X!
zatUyCCtA6a!rVzjLw#6?k3~@(R#sAmX`2HdixLd0Dk>`~(GFps#TIeF9OwZ(7o(wz
zpSMRKDZtxBkr(DhPttL*Sh)lc*P#^NWY@s&%s254F%8`zi&`(Q$OrR$wUHGy|7)P3
z#={gy^m~Uucz~rqYydgWh@n6bXuLlezxG~^@l<P&XRmR3rgywWz{kP$?{&wpY98mC
zzC6ow$a=COev~Iske)MF+9{05MkJIX?lK;^#W88P7P|CUs8(zI)oNRt@>4GPdF?S4
zmY+7?X0iTb@(<bYq~~nT12>BE?!+aAH@1<b)u3ayA)8X&L*wrU;}}vz8yv;T*OpIL
zU~V}W1}Q#z^m>m|l`lnU)*|-=vEP+GecyQB3uc`utkt^#Y4s_efy$Y?F^`x>#vc>Y
zvNx(5%{`rQ*kOLIsrh|3cqJwh!SF60n;I|w!u|S$V$r(iWJA#d`@1c<t92?S6~$G9
zal(F{!I@aI4IPtCbEhqW6s4tKKgVDZ)n!v~1~3Ju3kxGo6coep!@QB)o4n={OE7ey
z+IRZg-F9SgUb82yg$2<YSaG~KZkV$Af&Yf#uB=9OQ+(vXyc-37bHaPj%N)26m_%8!
z5EN#a?~fS2+h<z1;vGm~_;;62=I0rc!t>M9Fe^&V20?Q;92SGm_-d;J4pkEU8UlpJ
z(_x{7Jq#R*UKYj$z<#hwhEfI`EAJH&5~QV|;7amSUK9ZeWG@#bIWHGEGEL%go~rW5
zJwHCB@;gs$Kr>Bo@xQt2hcd1rAw?_WEQ?E`aKz#CfI1}8d=kB|P!g5UY=a`Qlwbgf
z9?-_p+(qvu;*I96)IE!HS3uo-?uvP~ICr70A>xc-Ls*@_uszlkiv8>dL9h%gJ?}sa
z#JdWeIT@My(u|>CxX}uxClEXjFe3>HJ`gqk5Cq}E;ZRt7{uqX0`M<d@(3Kpt2n4oR
zxC;}jKksB0^fGxd+k93+lM<Sf7E;pJjAW>f_&o$>M(4zZssjU~;Xh4aMBs5y&n^s7
zOexS)WQ;&VAPnSGG9;Gq+i@SP;>x<?8N{fqnu7bda_HJ<cpGao%K$s#Du>T{K1h*3
zva|_oj3F93-AZM$d7ay!BFXsRohf~zR#wmFbnJ!gqlb=d6IW`*h=9W*Z5HI@rnrOY
zm$%)u?mC)J$?@1$Z5uQt%U>g{IUoi?fekkyRiU@;)&1#_YNN}#P3yucZ=B|Eq)wbj
z+0ql&KKPB-oyNNkHo_3i^;(t8y=LB1PAd-Igtf%wuXn5an*TE@(e~NuSsq<EhG=xW
zZN-NkR@c?^C6DdiT~KOd?3YxsbT$v@s4e?qbHN0e?(6l{6`^;xUmr2>7QQ%==8?^|
z-?^0ZAPO|>iQAp`x%C^Z@W0b#$?Z^k1QnYHjOL%)Z5BX2Q`@pytM--GP<bJ1AJ!=a
zneM5}R_Ck+Q*2jMX*2zWH8O25F5eH8XjVI(xF=DbtdooIR`m_t5RMPNnsh?!RKf8*
zCK|RU882>ru_7_qP3<qCj+k$}91FZ6prE+FU}E#`4R_y2-%2yZS%#|Jh}gd_;|hJs
z$-AmzCi^f%jsDK6X_IG~_PwL^A8#f_Zwj3`xu-7e&Bck?Mv*S1txJj{7A*m%_xC8=
zU3r0Ln&-;IBwQ<O&3-)Rup#wE^?4Rx_1K^`Ch%!)zW(X;>o^<+KfjRjK2@%LfmH_X
zSGKwtRa!tFhuiO=`qc4?taL=~rKeK6{0~URz0BCMDTuvw%+TJqU~}2J&z*B|yz#~l
zS!)imSWQHU-{LFcbkz%qw5ZN$84T$gTIGUa3@%L)SCGpm?lz1y;;@T1KGW;?*kkNM
z<K*7lfx!}~IL!~Wsi&JGRCf1ilA~J5p*MI-Ei=vJ7&wnu>blOoITSp!aow8p8an+N
z^ru$4J!)+lI}~I;xMP4fOb+%L%~sGmuf}!<AJ#n_fYa0Q5pk}u%+B*`PZ6oC2Dqz8
z^1lRAu&2MZ6u6P+IRlPUZ~duj46beCNnhGh`2BBNiZ$@+ujN{F;fW>Pgs}~Ab6{Y|
zd^@462rDUl>mQJILgTx`|APkSzcm%*!wPlcgl2!7bMFMB8{zUkQAu~+VgtQ1cL&nb
z!{~JD;VlORD*rse>Tp7Mi%nS_My8}a<u#LDZ$tZ9QZskjMB*im{Nm2$Yld2VOibO~
zC#UsFngz!#&N|yx#BTIDJstnBvk5PpcdBI|=Mp7auCeI+*(L$Xg%~y`BRd)Oqn}kL
zndqgI9Hy%h(sHUdwM#u7Tx+15jhAkylD?B#xJHa+XXBn{PQexCy7Zq8RPgd<o)hD=
zc-niMzA!ZB?DaOj%R)w~?h#fJnjNbcQ(adI91rngRIjVsY}%^nkX1git#&YjcugcL
zNivYzTtvTV-2cp!slr?Abe7j~D+Q;~Z%qYchIqsn=3L0U^e_SWgMq-}S`Eeiw_2_8
zT?LVbC4aMmtp8f!jbH;<FGDv&J67wLwR(Qx7u64A8&ra{`r!xbe65LUunMe1z#+Tf
ze^d_tZJd7ESAE}jUDB=h#{N@d0(GTGuAs+ExVo*W|5@JRk3SiQeda&pI4kJ&()?&t
z&nAT<zDB%hg|5?`0e;b^6ABIlM{gZhu`I3Fb$s<5xk#Tke-TG^<$S@KaJ`(4y=@=7
z?;S4L_rATI&X@a&5{~>D(b><^DW4B-O;NOL+nKiFb4;sQ!IV_OY0|82LAO5B!)~?A
znpFWNW)V((rhBn{pA*b7QX~!Z#(K~WgspVho<^G1(=h+o(~urUvO~;5dlz~d<@ugQ
zVtK^XG(@H!5yPes#8oS-e?%NE!+=TTB?}!(yCi5-#24+7GG-QcNnum8E{PxMk{&GX
zl8$raxG~yVH%trmV4QplUpGXia*}3jl6vQA;1~j2!xUjTXNx~4J|0uQ=F^4Hyh1tN
ziG91IE|1lnW1@Rm5OW{OCQ9qu8%lQ`7%h1JYR}s6a=jgqczt7Nf{&p4h^l<X^S+Bb
z>EILZSx#W9CloX-)KZ4L3_`NZ0FuT6LE`klS?U*Z_2t=e#`X70=$-AR6L!1Rf7EZz
zF0I}!Ii!z-8*sCBI<an_<=e-}<{@wG%=Ov=?A?0>`yY9xF_ceOlRsEzTe`o98gz=O
ziJT}c={C(hbA**}(0DG@;A*tS4ejy~xWa(jW5CzvIyTJ0=s{F;a-*_<J<ROfaq`MG
z#fJt>f*N<dymI~J(^>`bZb2Q&;|VR#Y%1gu;-!fhvn0IC{%bsc_N*O!6nw&vYtK>p
zjj28y6Xw@yZXKMIrGHcuvY*-!w%yvgl1RK2^M|a1ZRL|XUrF<Aloh-Yc7_tW*m|Id
z$#?oOm+j%9e$GcFgQ`2J*~T?$`=aGK)rwSHwnSuS7`KqL_s7?@-&=V&HG5xx^{ZIA
zeaAWv1#_i=LKuAy$FY9<Xz=OkvXYXaNs94DN$t!;Bqhs#VnI?W^OD+7g8}IXTKdlr
zk4daS5l<EV6p<g2t+!l2R7Vj}V<nIdQ-mlG<ik_6ud_9G?;XB|LH66W!eNu5e;&x7
z)P&D*6F>WKBX>d&dcSmwW>!k?k@C<Q*+j8TU)-Ck%KR^M)(2_xWzXpIKP3DSm&?<S
z&tmXE%~hDf03$^GMn8)HH4#5F0x~Zwj)0w+h{*$J1ep0QL_jBMGD?3NX@naASVaU>
z%e{=3PS<6xyT3}candl4&glL7y$0l@9615Y^A|169}1Jtw+cFUme2)Gywc)&%rjNA
z@xEQZT&I}$r&*UM0}Y;c+uy%_=%FP6wETVUr*zLG=Nx9uB3_n%@;*UWxN_TeOMG>n
zd-PwotxDCz4T@J?arWK$g|D_>ZU)oQs&?T)oQax+bNAMI`&Ep&8h`cMGz3L_s*Y)3
zu(ElvG1GcZp`q99$=RY@l^320&s;EV-LODBM!mM}_L_%pCdafJk9_CTQ>v_&_OP%2
zyK9FxOWr?QR}STWTv3zYS`(KnuCX=TY{YEj)4TT_2BoM^2mir<5X7J8SSkU?LqeAJ
zfwO0c1O^VL@5)9bp!3XgK?268U-^&#m;1J)Vet)`NBB~&R3+aPn!NO;{<+un+0w~W
zZ4;>fwacojjiGy+W{fvhzj^mazMcGbc)HY+vy`V=*ls(akhNNKJ)IDhHT<~Nu+)p<
zsx<|b2^6^t1nu_cd`V5=fjIS7o3`3jma%r&tkuC+^maE{e|gE)ad#}1^ZJ;2lkf+V
zve6M~&a82(z4y-I%;p9;&-3taIVAs~GFH!LW7v$+H9zxkGGkS>9xQj@*cs7c4)M6r
zl5SaNnNt@Bwy^4M%ihD$;!~<#DSDOrNXi}3+ZqZRw^|_fkMN`74(%W4+^a|;HLRNw
z`EM7u(JKZ_YI+d!)U8!A;Uo2SgW^dn?j3btppbdXbE{3eM6a4=zSYAAa>uY9E^_Hx
zOTshmZzXbR3y(dm|5#Lou7PnIcDb*C{<N=wxr=qZD|>B|2rKgbE6+Q)pzC3D9Z<x)
zjd&o71+=jg5i2ATfFh>f_$eYkkk3|MK>UazBCCpd`b|_XD~j@t9Pz`xW|Jl1-%K8R
z8~o&Lj@aCFb7}*z<Q2WD?ll>KvYUcgBKE1x`n45y&y)JQO8lhgZt(Ek8=1ARciiX)
z>!&(jvNLo)xz}MmYi&_(vuL|h)~aMVr;T$h^lO!_Y0m9b6iwMJ0S9dRIQ;V1NJQ$0
z_#xP;PI>I?yFJHOiLI36ZRWCbKG2QNJ{Bi`Qzo@$OW>Q#Qx8u<Ol=nr9NBQakmQ+x
zoj9%pGpFYpmSVz7CW`nZMC>=*)MYk&>7+uH9I%Y)nR~QTb}n0rCAmGPFr~6p(VmWa
za=<mm_gP9acj<kJL$W3ZKPAKWQ%)3r+P1Dg!|TSMx3_ClZReS>1&S1@$9wy4Hd<JY
zDQO=%+I9XY`Qh772KJb0{MzHJx7J;2ORVj(Ofhnku=m5eOl)dlKRj+>e}&An^0p#_
zONDjTS%)Xlg|nhlmqHx(N1T0%tI(cSNHi$DddPWA^|~|DNjgDO8YKZW?-Tl}o}?Ad
zwC`%(Sh6$g!<+lF5q}F7=DA8=4c5|m)?j5ma%}UR%c1=BE5795wqE_{%$Z0zyNQP_
z`&E&hgyecZnRnu!K7|?ATz`=qtz>Mr#p3y-zgbz4&J(%^mu2<~6IWi{cD3(#YZV=*
zq1KG3+p%ZKvejvJZjQO0Ey88)F10KA1mwAKvHwJO4h!X*j+<J0WJuT<$9Q{YOiB-S
zZZjM!SuMQL?B>>ehcmGsuMOF!M0GWeid4Fh@r)1kU+f~sui-zMOF1bRrzKp((ppt)
z1Iu;2XA+_FzQ>@kUL=!8v-%5zIaP?is=4b-o9(^yeMwmlZ{3h0{4JVTmub3_O`ctx
z+WLn3vRl`_c%@7O!HCKYWeHf_-r&u?{KJk37Z3V%4d<)a*Q%d-YX0TO6^XKYXXOI^
zAZ}1AYtOfujrov%qJvZYm~YqNGs4N!tkxv{ioaW^X;TUh;tN>LKk(T-*_3yaj%@g}
zH>VO;#yO71(W;CMez`I$M=P^*i!-7K>*4ghM<O{OD^7uhj5v(O4~lr&77ttyG?$;n
zx0OgB`tPai*u~Mf_XsT-1%SMI+u~^CK~nsRZ_zkrGSc5`kZdY#*6it@^I3;OnF%Fi
zPQovjP=aWLIZFtO5JEOIp>VBSAe=>~fg*OkqhD?c!8F9^pG<)bor2o?dBhDWDB^ES
zA;FP(IYJVRFzT0tHx~%~euI!5ZLe43mLnw72r0iLG+!Vb{tZG7gz!x+W;wzT8sULo
z5vqF66I#^%1|cUxxH64(Il@p{nTh-rp>n}I;h&MeLCA{`y4fu&nlL?}MmQhwD?(Ui
zp3n;X2B9EASn!E)Il^!n;r?F{u3kM)=m7l&p)5k!)(e&++({$c_bbAc3xr<3LuiT+
aYQ0@{hP(8DIw5E8uL$QB2%~?;rT+miJatn5

literal 0
Hc-jL100001

diff --git a/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.rules b/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.rules
new file mode 100644
index 000000000..f07f2d996
--- /dev/null
+++ b/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.rules
@@ -0,0 +1,2 @@
+pass tls any any -> any any (tls.sni; dotprefix; content:".githubusercontent.com"; nocase; endswith; alert; msg:"Allowed TLS traffic"; flow:established,to_server; sid:188; rev:1;)
+drop tls any any -> any any (msg:"Reject non allowed TLS traffic"; flow:to_server; sid:6001;)
diff --git a/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.yaml b/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.yaml
new file mode 100644
index 000000000..85aad2620
--- /dev/null
+++ b/tests/bug-7264-tcp-3whs-ack-data-tls-01/test.yaml
@@ -0,0 +1,25 @@
+requires:
+  min-version: 8
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.sni: raw.githubusercontent.com
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 188
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 6001
+
+
-- 
2.47.2