From 9b22f1ea1a559e85ae1ac991c2482787b97f1cac Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sat, 23 Jan 2021 15:26:33 -0500
Subject: [PATCH] bug-4199: Add test for forum-reported issue
---
 tests/bug-4199-2/input.pcap | Bin 0 -> 1015 bytes
 tests/bug-4199-2/test.rules | 2 ++
 tests/bug-4199-2/test.yaml | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+)
create mode 100644 tests/bug-4199-2/input.pcap
create mode 100644 tests/bug-4199-2/test.rules
create mode 100644 tests/bug-4199-2/test.yaml
diff --git a/tests/bug-4199-2/input.pcap b/tests/bug-4199-2/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b72b4a70fd3c8cda6c974fd7d6155e60fb34cd9d
GIT binary patch
literal 1015
zc-ozk&ubGw6vt;bYr9Ta=*?0~9Z*UG&HhS4%$i7BYg=ktgWaNtMK+ruS(@yI?4+#V
zp->OrJ@jh)3q%T4@T8su52E0y6chvn4+ZJP);g25#x&}|W#40GnEkwY-|u_-{857k
z0%$z~;AlSaJN3*w24cntVQ_-#*EM8M>Yc>69DRXwowweY1y=Sp|^W-`V)`
zGD0f|_pf}v`(P=g3%m$F4UShBomT2*EK
z@mvEfV_c0{WoHF9_X&1MY!&SreO=2Xdf
ztBh-8SP6VziDs0an?rfxE;vOu%MzNZW1r+bZ<)0l9cUA<-I~Pu4c6|d%_G(bwB^QX
zFSqyVTG%da)nzR+;zyYWI-M&PM~FOkW_^hf2VeY=*vIW{J^n?kG2)?eD6Z;g(yO}#
z2~Jo98|W%7j37OZCa{fkRacQ3H}sUDrP0)!DZvF?TfsF0ja4nXgcV&*$a)$LFXrnm
zsYfL^>)BSQx#Rl8Dwmrp#c>NbkgKI?r~ax0FEM+@m^}s}P6c~)l1+}FiWOuvRc*Jj
zb+&~vZ&lf!I3P-iRLbX&U9xIECfP-EGIo~P%M{#||6`~dRK>4!sJnj~>Nr#J2hsQv
AH~;_u
literal 0
Hc-jL100001
diff --git a/tests/bug-4199-2/test.rules b/tests/bug-4199-2/test.rules
new file mode 100644
index 000000000..cf09b905f
--- /dev/null
+++ b/tests/bug-4199-2/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"detect XSS #1)"; flow:established,to_server; http.request_body; url_decode; content:"("; nocase; fast_pattern; sid:1;)
+alert http any any -> any any (msg:"]detect XSS #2)"; flow:established,to_server; http.request_body; pcre:"/\b(fromcharcode|alert|eval)\s*/Pi"; sid:2;)
diff --git a/tests/bug-4199-2/test.yaml b/tests/bug-4199-2/test.yaml
new file mode 100644
index 000000000..9e7738465
--- /dev/null
+++ b/tests/bug-4199-2/test.yaml
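Review bot: Both msg strings in the test.rules hunk carry unbalanced `)` and `]` characters (`msg:"detect XSS #1)"` and `msg:"]detect XSS #2)"`), which read as typos unless the reader already knows that this rule-parser behaviour is presumably what the forum report was about; the file itself gives no hint, so the next maintainer may "fix" the rules and silently remove the regression coverage. A leading comment line such as `# msg strings intentionally contain unbalanced ')' and ']' (bug 4199); both sids must alert on input.pcap` would make the intent explicit. Separately, `nocase` on `content:"("` is a no-op for a non-alphabetic byte and could be dropped without changing what the test exercises.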
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
-- 
2.47.2