From 1e12a025717f6c2ae33ab19849fabe8a19efd88f Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Mon, 18 Jan 2021 10:48:14 +0100
Subject: [PATCH] tests: add issue 3267 test

---
 tests/issue-3267-tcphdr/tcphdr_http.pcap | Bin 0 -> 1295 bytes
 tests/issue-3267-tcphdr/test.rules       |   4 ++
 tests/issue-3267-tcphdr/test.yaml        |  51 +++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 tests/issue-3267-tcphdr/tcphdr_http.pcap
 create mode 100644 tests/issue-3267-tcphdr/test.rules
 create mode 100644 tests/issue-3267-tcphdr/test.yaml

diff --git a/tests/issue-3267-tcphdr/tcphdr_http.pcap b/tests/issue-3267-tcphdr/tcphdr_http.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0d7f70fbe6adfb2933bcf6b87284a81ad241a27f
GIT binary patch
literal 1295
zc-n=O&rj1}7{{NDfwN=@n4lOhZ%Bv(>Dsa}LNPj&WvFZ{G8_jvyml|6QrgjVxNsuj
z=7q$o2T>9=@ka3HQ4anCUKB4HV<Lo*7(ICNc{j$AvCOt_+q^$MeZJr4efn{G^RXK|
zP(3{0!uy%aFJ{htcfl2W=M6e$;MUf9_|d1cYhH-DA!KhwV5J2>0I;xqXq|@S>gOjp
zK6&LmfsWe%Zcp=;tEtKBa(UdGIQpYXEVIg7Bm#s0A`ofmUgI=Qg=FjWrHCmbb#djC
z-F7m4NJJV^PjDhbVi;-R<1qsG?U!|9TtuppZ1XmEB+E+gBV`?B^Hxi7J+NOjpmchh
zPrn0*MN>o~W2sb9QUZ!k7|}GAb5!E6q9e^Y3q~KIxtyVE)X^<dD)O!iMc%D1&@7Yg
z7VSRLEA>`ZisRJG7H~u*^Oktyrcap4Gg}<VG83tBYgso8Dh&i=;!o>l#=4g$i4;-f
zfILjn6X|ehn51kygR`YU-e)hViV~1}h@sCj5@XuDb@ZvIsaYA_%&H{2tmpbjhRqt(
zVLsv7tQg0US)FCXN!`>im`UpNk$#z6FBtexhKLeY@sbBgES@T@NLVHl<J8gSRFamu
z1~S25kc9@teoDh#K4CPGQVAL~X5~=`4;W8nXvildZJJ%6DlsilquLyP|Egu0Oyh>B
zL^G^BcKHOJFY9MD>&NzypFZXLX#01~K2lacZ|o%7VE^s6a@M<dU2uSegL;&&^jV3b
z)}?g9zPJfc$u|kgA(F5hQnAY?Ofq|k*{CL~n?*h+#B()ur(imT9<%`sK6DdJoY0&j
zHwR=DVI?=mY2G=?z<<53<5o09F{{UNP&SdvZ(!o{lKfva@^?$}+tEaS*~E*x4GZvf
tz0%p(LDC);pr=xRvAu?rHw`H5Rm$H#jT9aJULMvc+C$Qp(zZAc@DEvoRr&w`

literal 0
Hc-jL100001

diff --git a/tests/issue-3267-tcphdr/test.rules b/tests/issue-3267-tcphdr/test.rules
new file mode 100644
index 000000000..51bb0e4a3
--- /dev/null
+++ b/tests/issue-3267-tcphdr/test.rules
@@ -0,0 +1,4 @@
+alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test1 SYN pkt 1"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; tcp.hdr; content:"|80 c2 20 00|"; sid:1; rev:1;)
+alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test2 SYN pkt 2"; tcp.hdr; content:"|00 00 00 00|"; offset:8; depth:4; sid:2; rev:1;)
+alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test3 GET pkt 1"; content:"GET"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; tcp.hdr; content:"|50 18|"; distance:8; within:2; sid:3; rev:1;)
+alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test4 GET pkt 2"; content:"GET"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; sid:4; rev:1;)
diff --git a/tests/issue-3267-tcphdr/test.yaml b/tests/issue-3267-tcphdr/test.yaml
new file mode 100644
index 000000000..430c86e57
--- /dev/null
+++ b/tests/issue-3267-tcphdr/test.yaml
@@ -0,0 +1,51 @@
+requires:
+  min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+      dest_ip: 10.0.0.199
+      dest_port: 80
+      event_type: alert
+      pcap_cnt: 1
+      proto: TCP
+      src_ip: 10.0.0.111
+      src_port: 2904
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 2
+      dest_ip: 10.0.0.199
+      dest_port: 80
+      event_type: alert
+      pcap_cnt: 1
+      proto: TCP
+      src_ip: 10.0.0.111
+      src_port: 2904
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 3
+      dest_ip: 10.0.0.199
+      dest_port: 80
+      event_type: alert
+      pcap_cnt: 4
+      proto: TCP
+      src_ip: 10.0.0.111
+      src_port: 2904
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 4
+      dest_ip: 10.0.0.199
+      dest_port: 80
+      event_type: alert
+      pcap_cnt: 4
+      proto: TCP
+      src_ip: 10.0.0.111
+      src_port: 2904
-- 
2.47.2