From 3beefd391d769b6a45eae11f0d2d42ca04a55ffb Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 15 Oct 2024 14:41:16 +0200
Subject: [PATCH] prefilter/multibuf: test with multiple packets

Ticket: 7326
---
 tests/prefilter-multibuf-multipkts/README.md | 12 ++++++++++++
 tests/prefilter-multibuf-multipkts/input.pcap | Bin 0 -> 1685 bytes
 tests/prefilter-multibuf-multipkts/test.rules | 2 ++
 tests/prefilter-multibuf-multipkts/test.yaml | 17 +++++++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 tests/prefilter-multibuf-multipkts/README.md
 create mode 100644 tests/prefilter-multibuf-multipkts/input.pcap
 create mode 100644 tests/prefilter-multibuf-multipkts/test.rules
 create mode 100644 tests/prefilter-multibuf-multipkts/test.yaml

diff --git a/tests/prefilter-multibuf-multipkts/README.md b/tests/prefilter-multibuf-multipkts/README.md
new file mode 100644
index 000000000..bfc4b75fe
--- /dev/null
+++ b/tests/prefilter-multibuf-multipkts/README.md
@@ -0,0 +1,12 @@
+Test
+====
+
+Test that multibuffer is prefiltered the right way, even if occurences of buffers
+are spanned over multiple packets, and the first try does not match.
+
+https://redmine.openinfosecfoundation.org/issues/7326
+
+PCAP
+====
+
+Pcap crafted with some http server and some python client that delays or not the writing of the headers 
diff --git a/tests/prefilter-multibuf-multipkts/input.pcap b/tests/prefilter-multibuf-multipkts/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..e8a2a07797be972bca271dbcb0db55fd6d3e1e97
GIT binary patch literal 1685 zc-ocI&rj1}7{Kv&gRG=sL_F=b*LX4Lx^|mx7Ne^hjAR30%)ntWA@g;Rl#aAT85cd7 zY=43`PhN?Me*jU#iJJ#65;=;AM-MK5&r{ZQ(~h*;-lXaJe)@g;B{ zo7IW>hfR*;VH-yf#tb1@{AELgyd)%mW4{$u4tDiFIAFj`e^y*6F=h+R| z+3iCQoe2+4x9te6e#dS?rwmRT=C>W^^`$)#aCQfK3NsZNf3eOqI#;PI#w9@t^K%Wu zl&O?R3nF|aIU|a&_p!nBm{MmN{8!u7)p%OCoe{(^uheR63wBP$r^0-g$1>H|3XOSK z;fdP{55QT0`74gIe5n%wr!eSr*Co<~DAGqoewpddnT~5P%*Ljb``z=6HRj<|r^9aS z2{>?eYjmC5klfQ=Zu*~Gw)T|il1!g%=!R+K{qmKU9PhuHcHS*;KJ9R%2=j}MQ*h5q zj`#AW?YzY@TDgX1!Xpqfn_En#CfhN2q(e<#iP6Et>@o7_TnDEL^Q(@tIwUdLODy## zW{+26)}@oF!D>1)c{{npw7R(t4|a;TngxH&Ik)B*IMo(MW?}xU<2)SFoa;5;v70OR z(J~mL&BiuW*G#5gL-kF|SKSiS{c!5?hbW^HYWs91-5sUv^_5O8fweIBO5-Z?hv=w& Sok@4+o%eMufK_(8K7RpxwSOT1 literal 0 Hc-jL100001
diff --git a/tests/prefilter-multibuf-multipkts/test.rules b/tests/prefilter-multibuf-multipkts/test.rules
new file mode 100644
index 000000000..b90332301
--- /dev/null
+++ b/tests/prefilter-multibuf-multipkts/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any ( sid: 2; http.stat_code; content: "200"; fast_pattern; http.response_header; content: "first";)
+alert http any any -> any any ( sid: 3; http.stat_code; content: "200"; http.response_header; content: "first"; fast_pattern;)
diff --git a/tests/prefilter-multibuf-multipkts/test.yaml b/tests/prefilter-multibuf-multipkts/test.yaml
new file mode 100644
index 000000000..78bc76ffa
--- /dev/null
+++ b/tests/prefilter-multibuf-multipkts/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
--
2.47.2
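Review bot: Neither rule in test.rules carries a `msg` or `rev` keyword, so the two alerts are distinguishable in eve output only by `alert.signature_id` and the `alert.signature` field is presumably left empty, while the single difference between the rules — which buffer `fast_pattern` is attached to — is not explained anywhere in the file. Suricata rule files accept `#` comments, so a header such as `# sid 2: fast pattern on the single-instance http.stat_code buffer; sid 3: fast pattern on the multi-instance http.response_header buffer (the case from redmine 7326)` would state what each rule exercises. Adding e.g. `msg:"multibuf fast_pattern on stat_code"; rev:1;` and `msg:"multibuf fast_pattern on response_header"; rev:1;` would make the alerts self-describing when the test fails and someone reads the eve.json by hand.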
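Review bot: `-k none` in test.yaml disables checksum verification with no explanation; since the README says the pcap was crafted, a comment such as `# crafted pcap: skip checksum validation so packets with bad checksums are not discarded before reassembly` above the args entry would record why it is needed instead of leaving a later maintainer to rediscover it by removing it. Likewise `min-version: 8` gates the test on the release carrying the fix but gives no pointer; `# requires the multibuffer prefilter fix (redmine 7326)` next to it makes the pin traceable without opening the README. The two filters assert that each signature fires exactly once, which is the right shape for a prefilter regression; an additional filter with `count: 1` on `event_type: http` would, on failure, separate "the response was never parsed" from "the rule did not match".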