From 24e49fa5c9c10fb5bed3f921c5766e68a4a83bbf Mon Sep 17 00:00:00 2001 From: Ilya Bakhtin Date: Sat, 1 Aug 2020 19:26:41 +0200 Subject: [PATCH] stream/tcp: Test verifies the behavior when direction of TCP flow is changed by the probing parser pcap file contains 2 http transactions. The request is missing for the first one. The second transaction is fully complete. So eve.json must contain one and only anomaly event. Also common flow details are verified. It must be http, to port 80 with specified number of bytes_toclient and bytes_toserver --- tests/tcp-stream-after-swap/README.md | 13 ++++++++++ .../http-start-from-response.pcap | Bin 0 -> 1797 bytes tests/tcp-stream-after-swap/test.yaml | 24 ++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 tests/tcp-stream-after-swap/README.md create mode 100644 tests/tcp-stream-after-swap/http-start-from-response.pcap create mode 100644 tests/tcp-stream-after-swap/test.yaml diff --git a/tests/tcp-stream-after-swap/README.md b/tests/tcp-stream-after-swap/README.md new file mode 100644 index 000000000..40f0e6120 --- /dev/null +++ b/tests/tcp-stream-after-swap/README.md @@ -0,0 +1,13 @@ +# Description + +Test verifies the behavior when direction of TCP flow is changed by the probing parser. +Probing parser may change the direction of flow processing packet that contains payload. +This payload must be added to the proper direction stream. + +Also common flow details are verified. +It must be http, to port 80 with specified number of bytes_toclient and bytes_toserver + +# PCAP + +pcap file contains 2 http transactions. The request is missing for the first one. +The second transaction is fully complete. So eve.json must contain one and only anomaly event. 
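Review bot: two sentences in the new README are ambiguous and the expected values are left unstated, so the description cannot be checked against the test without opening test.yaml. "Probing parser may change the direction of flow processing packet that contains payload." reads better as "The probing parser may change the direction of the flow while processing a packet that contains payload."; "It must be http, to port 80 with specified number of bytes_toclient and bytes_toserver" lacks a terminating period and should spell out the actual bytes_toclient and bytes_toserver values asserted in test.yaml; and "one and only anomaly event" should read "exactly one anomaly event", ideally naming the anomaly type the test asserts for the transaction whose request is missing.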
diff --git a/tests/tcp-stream-after-swap/http-start-from-response.pcap b/tests/tcp-stream-after-swap/http-start-from-response.pcap new file mode 100644 index 0000000000000000000000000000000000000000..21ecfe7151b7347f45d1740c43e60d0fa1df4ab1 GIT binary patch literal 1797
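Review bot: the capture is committed as an opaque binary, so a reviewer cannot confirm the commit message's claim (two HTTP transactions, the first with its request missing) without opening the file. Please state in the README how http-start-from-response.pcap was produced (captured or crafted, and whether the first request was removed deliberately) and its packet count, so the flow expectations in test.yaml can be checked against the capture.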