From 4fd24adf3cbf100a55f421d91befd2f9061f4074 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Wed, 24 Mar 2021 21:43:27 +0100
Subject: [PATCH] tests: add issue 3703 test

---
 tests/issue-3703/bug3703.rules |   1 +
 tests/issue-3703/input.pcap    | Bin 0 -> 12125 bytes
 tests/issue-3703/suricata.yaml | 101 +++++++++++++++++++++++++++++++++
 tests/issue-3703/test.yaml     |  18 ++++++
 4 files changed, 120 insertions(+)
 create mode 100644 tests/issue-3703/bug3703.rules
 create mode 100644 tests/issue-3703/input.pcap
 create mode 100644 tests/issue-3703/suricata.yaml
 create mode 100644 tests/issue-3703/test.yaml

diff --git a/tests/issue-3703/bug3703.rules b/tests/issue-3703/bug3703.rules
new file mode 100644
index 000000000..f123faf2b
--- /dev/null
+++ b/tests/issue-3703/bug3703.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "FILEMAGIC PDF document"; filemagic:"PDF document"; filestore:both,file; noalert; sid:1100008; rev:1;)
diff --git a/tests/issue-3703/input.pcap b/tests/issue-3703/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..36365a0fac2bead6a86a4977df7922078fef1295
GIT binary patch
literal 12125
zc-oDcby!sG+P8;Bx}_Neq+y1Ep}VBJq+@6pI+O+_l@t)9LmEj*QE8;5r3C5jh7a8P
z*?YTvKHojZERGfTI@fhy_sq%s@f&Ha%t8bp1OEL&1|Z!29qo)Y99>5T$lvbYZE<^8
zG8Y&9z>$I{Z_xqL0Duq~nHWF}HB;qd0RZ84LyQIiRO2w@tM3?@h%R^mQvd)WGD<Zv
zB02_QqQ&Ojc?2XRv^(;~e~|yd{0ILZWB}lfTyK3xy`uwEqd}?|CjGbcnoI&`VAj#U
z$uxDikURQcWP}ZLfW$3T;_qtaCL{k@v-W@0Tyskw2*3j@iCx{+i13ek@5pyV$SpDI
zmKODQL_ac$pG3^RC6WS`uFroZ%1UbjIk};{P#%5`Cksp9BTY?JPA~@;8{-k&)lC2h
z=I7!7L-{yB99-BK;^yWsCpUI!M{~G^jiZ$S(8dDh=w{>Qjg5hgaaWtnf6Vr`K5|3M
z?rM9E^Iv@&xUKKzcD9RRHUFsXuO8kJXE)IS>nMPq+kX>LrXl8c!~od;k7yC`FCzCH
z@vqqdxj-PGiUKx<2F%3+<{|)ew6byZy1T;70Rl2<nYlZ<xie#9NSV691b|9#M>Ze?
z1k`{z-QEc12ZHzoz)%4Y4^UP~6B|Pk?&x;g26jzvr`y4%PEPhV=B92oa7WJDhW`7q
zBFxds%~}A+&(Cw)N<~vwH+H4lHd@-iEdK5hd;(yQ05|ksk8p&U-!TP%b}*O|yQ#g6
z2MilSTGRA)6&~<d@Pp0x_@L}uP#EaJzt&0J)X@s&DgZR|c7wUzEfIsNlngtVg9n3Q
zaHM?#0|EpA;byiNLP8jv|ELbg%Ln}D3xiX}#@-F)0_2pjzwLq)>~_sz7$PDVu5K<c
zQwI#MDTZ!VoB%N_6tR}KUIfU`pjY<n_t4#_KH+csBTJA9+SPdPJd(dJD{Qhw#1_U7
z)~?FiFD^Xo(zFgpjl(eK!d>4J^&hRZ<;(!%U0}c*E&d6<-McG_@3-Q>KrlBC=&vI#
zATN{){MXU#RQ@#wJ}8Lmf1SgN8Wc@JdkS9VM>%feVvo&o6dD>OT|NfjQ$!81XA!7J
zJea{&k7Hq`oteqYePB3u=smmg;^yYfj-a4bWBJ_Z$x-8W1$cvew`a1|fwsqqH12*I
zS^|K{dM!8r091{^MJM`bWey2>U`XrVdTQT+7s5z{6Mu?}go2D5C1o06Lf@l|iGx(|
zv>s6`2oMv7{74fK9T^=ExNyT2LPrmXFo72ci$&sQ;)IF|?M)KRZ~LJa<PZ|PS~ivi
zyrsGipy%M|Iq0MUuAqvGZG8j<kdUq+J4?c<ks1-P<~>x=hj&^eoaFgwW48$|FGWN|
zd`x&%MEE|dr9`65BS{M&9MY!ah48jf?>3qSKqs*Gb*y|&?E#XE1uMpN2-65_NHSso
zrjNw7Xo23@LQN*ec*uZPlqQ+^_XeFqKVEZ<U498b+dY{9i1}ptf4<tf62v1q?j*Cf
zLi2P*YrV__$p#>e5F-w%js1{3f8Y%;Nxp(hzAI*=T*5s@l{EZR%M>j7Dj1>1<p}^(
z^r_|BLA9jVOl-POy6X5G`~D41a084XxfyY~4;xYP$-+&U3VuYuL{`~M^i6qp!^e4%
zcL6OZXiUAc-#rPBjkYgkKn0=qrIhyIghU}X@Lv2NWOSrJF*Rp#KpPTZuf}!ZhH7?j
zfNEd%-Z^%T06K<KXd@D(s*+exCJx>Ru3rG-1O=klgC?Lj!cE~R{2mQ5;)LW@3_w4O
zj_CQ#&MFh>!fsL&xd`GqCI~IN4h<3D?|;p&m%R$Z4Xr=F`gS?sbLP%Ny!3;J`f7Af
zRKVN2juRN5gN{B=jE9OS)*|;XLIC;7lhhD&xWjebs)M}@KnuIkVqZ_W)~Yy}L!Q5U
z%3lY#p;DlDX~vHH@eCfP4|o>nQNTHP0~x)kySxEkdM4aZbl<!O!Z>xtMQ!^<&u^m1
zH&NY>F1`VzA9K>%B2>>8@C00y7vB3(o;MmaA=x~AtyBCQIfq0XXL<E}fJZ|3Rn`Z*
zr-n?!{cD`Hm(M7!X1R2ju(B~vLazO^0Zj!%m(e&ik3BdF-nJ4-cZ;&1+qzy0<`MMb
zINm&MM-Gt&m>?r=hDMWf$rGR=2dFk$<L+HangK*<uwF{l15~$A5Gd!-FXsq}NsxC1
z#neiqv-}YdnE>0*PI-YC^PyR`XJ~i?XuGX9k}|M`lMt_*^l*PXTB4xr9r#&GQO$t_
zP!;pe{AYhQzr|1UTl{K%OV7W|AOG-I^IwFj6lh;F+;~#~@r=W$t~ZIMmAO9GKg>S5
zY^F@Z-B})7bgos3e{ax)P!$$!l!WVK<f@e?YAExjr+Iq=Xr!yNAQYQs-f(Zip{Uh+
z>`lqI3$d3&T7hW8WRNIC;ta;;uTxf=iV&SXuIj<M+d((T*Nakh@2W~bzcw^!0%^ve
z(lvvFcy4NY_$;uXP^r0;1s^+TV;DTkm!li`F8f|B<+ms~TM~PEP9zTAwOG!fw(d1P
zo3UN0_$Lc=mzm9cpMnAySrIuoA70)6f{h~d&05zcT@_-I9)lBAiPp7~TcDwYMs%Oe
z=k=aL9E(X$!@z-MU{W$%7Fdc=M1y3vT5?RCe1$yK<%b<MpLros8*5-VEav#aWGJh^
zw&EqNq&8-Q7^#N{e-~$MI{AA+zLu;ELYm@cB*kf7*C}iVd)&IB1KrJyo6k>4j`Gi%
z%Cr2Ng}ZVe<?BD69YSj>{b51f4C0LK*hMWS;tw0LL{y_=Tz-Av$L{e0<z)hf*SX|%
z97%N|F0u%I>$((8rYK%N&gC9gLH6~di?2P%-POgog|Jh@y0GK4trcEb*)wkCAbIGT
z+8cfw`7KVD#0CCCdOP3|;rF~tSyti%p9ls&#S}Ta&k)fkx|ks&ngYCUSue8L)6e;h
z!&dgFNOeeS=+Rf!!0^rXU7YQa(4(GES&#6HshyIv#8=(=YCgdf#*|v8LP<MM>us6H
zV-FVM{j9Z9-zpbH7+}eKpFFo<Oy6qtmGp*NzJKoZfUvbQX(QO-*|>;Mo^6CZB}&!f
z8S=T@bd>(b{Y)fo!%eua@_d|!@mN$3)K=aQz5u0p?J?+|j|nYHZbbWHcZfRLEUjT-
z4Y<;rmuI>wM`M>k{HYABu$@ZZF%hiWB0s|D%r|RzSP4-n5B(r$<kw3^;k$u1Q)lsm
zPKQ_4I1RdoQrR>v=%jK@+b=5)tUnw~X92c^(D}+$&EucVXu9Mdr1(GIWYF+gT$ERd
zOkvn3EbOZ6Byq4@E%_3`HSprY;tPAj$fkbs1Fi0%;G=}0=E(fX0PPB;<{pc5>h^IW
zv7934fRF6HT{AEwl7EbL_>j4521gEyW2#|<9?cuB<kN%e%Vj8@N4bn{6mCm^6Zh&H
zem&Z{l$MWfl_3wtx}^1bmpb=xKR|60Io9?v)U<;xjn1JlUZW`9t-BL^$#8|6@RrI~
zH{qFa`^6>5tDjug{XXh=Joyy$6G<_UE#aj&OE5k%+r2iW=6Kt)We?qPCvg0SkrlV<
z1gZ*yJ$9n^AFi)1xL=EqQ@l1GN-&g1+z7O1I~dP++3w?>7a|sq)fpYzx>98ADs{pj
zt)5CAj7M&i2@lfQi6R<&m$}2Vp&3ield~xP)^8+A<NYU(D0`AG)S+1<eSP{80ur;m
z%Qj<Hwte+GxOT;5%pdG0+XoSo$a?&23yrN|uMxhWEi@xZB^DYh>Amqp1mWpX`|ju>
z+fZkie&_*FLcY%H4`yD^c8>N-<_(wQ1N_Q%rHmL3=tSs(=Y&>*t+8JgC?inK*X^as
z<MSA5YmXPhla^jIb!)ONJB&0E#(esad_eu!fc!<EjRyj>Q>RwzdZ2#<&05{NY5vpW
zB}BuKYXu{@!pVV$Qgw4RPWNYbw(E?cPZ+Pg3%vC5SydK^^Qi70jeoDwilpmgvp{K7
z>^}eUz06n#WZ!C-5#6m{S~7V&MS}6d=1kI6;H^e$CCWp@4~l|j)V(Rk=C3x~c4y|X
zW5E9Q<(KA@>&8hJy&rQuswnGjP&TgHyYy6;^mW=-hD0zjM)R}~6ufL!xH5;&Wn}u+
zSYyYPUp9RU<buAE5?)2vR*VpKlq=8Zn*3T@&j1MCzgj@IRZ4#MNrmQ^V0LEjMC&!n
z^-BA~Tp`Vg3%!FA&UAH=p`eZNm=cQpYRsMa0b74GKkTRZ&3`q&J<VU{AGY|_{D{;|
zD5kbgz9}`RnTT&-ew%ozSAG1U(Y+g*tSF<Ux}sCZK2eEaHD~5*Jk|8AeXU2%NO{?l
zZ>`tqsw=;kK8Eg-HCrbPSl->jpe64ORMaktVNQDQllYxQk8HQ*MZkgSK@>BIBAH+~
z3NPvw`{NMZfNLzF@Z9DvF%hn<Q$NsKwYQ;Cba-XbCQ4AA>y8kMvqX`-Mc)?e(lo)?
z!OBhB;%F-qi-&||B{<f+p`u7iXJ}uGafAG#a5cua!m6wDWi=ZzrrA==8(z)vT;O)H
zgqkeIHY6G)RJau==tyk$k$&k+?fQ!5K;g<Ttq)pF3mxA5LHV4Wm})&<9jZ>^W3Tpd
z;}hFeLF%XX2Wkhi)&)Cf%@VeD2ecZCEA*Peoh^rz#oH9?vuR$TR>t#^=iYJC@D=M;
zd|Ku1q!-;r38DlK%p9oeQ3n^&#Si=Q2})p81yaa1T1oDoW^=B&WrB&ucB)XjTZEXA
zz%EIShi$Ri?RLWJ74En%;;?kts6JvA4-)21gQ1CUx^1X@M6TyWZ1Qk2l$S9Q-fAh9
z*hheU${{Sn;Ejs*MPfaYrB@2rORlYy--_RdXGFCcHMlegXxCcxPQKJ?W9Q=CPEgKQ
z^sCWrt_NVQ1s2TWA|v&*jSEF#l1HLq0OZoOIWFqck2$}Z;9e4bb9QFguRUPMU*&;Z
z*{~VMQNDVBo{j0E(Ar!>EZS~e7#2}gWFrBej9;>(T+=o!d*HV^FtWGs%6;8m-e%rm
zdmU$aqbVUiXZz%(JdPf@YaeW`OqBQAo3h1ZDhbGIib*Uh_!pGtHULK(rrABoz04|e
zBd^-m)l?X#X2OQoE=4HudO@qFem<goRlccXB(XsL@`zz93D0^{5!WoCU@`>#44vpr
zKv&!)k^?$>4Po<wSl<J2UIiA2`L4|CA9QM-kv=rW<my#C#6HE+rg=S|o~2n}sGqZK
zJj*9~bzU`^1J8OB<q}ecZIOcpOho~6elRbWMcb%iOX?hslNF-9_I1y(Kiy3%TCz9p
zHJaBScuTL*%$@rX2%GyJ9G=Ge1<<MgzOC+wv3X1UIe**`7Ri^;>rW%_i0Nkk+PMLf
zFnLAcv^9=p$*#y2le_?)6lP7P0FK6(yyHsTfr$1&8H4H!r8es(*#YXLUb_pC*iG_$
zpYCua5Mi+|rC}IHedS{lfBjkKn&@;*ai8Yi8FKccJkZL~6J9-JJ?4BX{j568X8B8B
z6o%ACi|~47R+@{338uri&;-o+2Aak(8M)7rx(b9Ml~EWNwdrdSDv>+F;Ri(i&-+cQ
zj6Qk!<ASYRXtS=0Ov=YyFLPJ4kmA{DCHYJnh=aS$=o<rKaBaeiML&^jgamZc>b)2+
z`;jC}<@~L&Nr@!wGh5}gc)YSBO#O@WwFE`Wux_($(~567+o6%?AhT-{hZr`qf7_O>
z4U+O!=|Q#q=Yt%q2`sysR353tVkerlx5`_u=`e=Np7tp>bRYK#0mVy4A%`I-U@M5_
zfE%a(cU<Ni3g)G4s<{s87j_}<l?VzuTt-F|azuyXsUE1O8j4pgIZWr}zJGn+HQb}Z
zzoFlQJP3xT{nZDun4FB}=>yul{A3z|{#sXgDO9i3$h^pIS(RYkCBJK7+}_Hc$~)9p
zt-KE}Gs~bw$lqcq&a!a?;euMR9-gE3$|_tCx1YC19KMcI=cl~h>`_qPG}!ctHQ^HT
zFp(z&>-$4b&-t^Iro}INDiiTA#qE*AP6n&1bVk`-ZWsN@0I3#cL<36{l>B4>i=cr>
zd<-MaF%H@L08LO3vHr;;S(Tah$0bcUByY7O32io0)VDKsVxa`}armfEl((bdTL$|_
z?s-05KR_dkJ35<G{nfUHbUVhAH*BoyNdZwOQmh=%j+4c)_%*Av{MC6OOK{4a`S1PN
z{FXn>Z}zMCojd<B|9bbY=I{35y-YZ>8hI&F)ysEUx00RO<7HXthno0F^g$I!ot4Aj
z`@Y6pPyAl8I#<){!25#OLp|l`1RNa3)Co-N!F?H`?tJ4%#28vHdh^jQUz)oZGV+&y
z=95;om+5%Gbfe&PeEMX=M{6_)*3?URL7Bjn&;VyF@#QdD=U@jG%|7sVHQ4En_Qt#V
z6nmf(&iRab04cZHdnskYq%y+F(>xhDUZl7#51s$wK!LYKp2J#LsoHancjcu<`~qno
zhp#s)s;~FEjTOVW#~YhARaoKVrlr|MPrvA+9sCF#;<Mn?X9-(hlZYrkO*^2|X|Qrl
z4o<W;qS|DsOdSk8PIOdUdkw8HE9SWGK!^<--DiEgC-H>w%(8FQzpMWvQx6_<+gQu7
z38pDk-HGU$K{?%0b%httPOG}vY?p~1r`lsZ*?z$|#!)mYb-(bWs47z*(MsbI+8g_|
zN65oRS-ydVEEV|1=c6w-tb|Y6n5HVHW1P!s3vkKqAEAhzEz&z<S@WTnrYO@xV@^hj
z(_k&}7m1_KS)CEJ&KW{en3s=)Kt_p&O)lUc)&f2BiM<K(yP3g#_Fm6u4S9&gy7LVI
z-^HhRPpQMd8d961m~v5o>8^n&!LkmA-VK@kCNhs`o(Fye2AaHn5;11r-)5)NPqTPb
zQWw=1Bhswo$Lr}}imm1rPw~hNsIzj}OThP-C(mq2?yJ|U7@aq2gDcx*Tm8oE6F+1E
z)RxPcEz3_n<QRffGK;?}Cp(ZtTMb#i+nOL|(&E_$8|4WnW>BeC<zn)DL`_4WrjF)~
z=MyFcjYkf<vG6R;_>kKN)EyyVB2~NfY05v8r6+6OX&=&`WhKkwlFW$;PawuodTc<w
zl-n+<qLT2iYZVK=s-fxbm#EOREf<*SwcZ#L)Y3jqE6mHKrS%H3xu5USU!xEwoVT7e
zay;F5B1(JD04Il{=h_B}EsV`ozhUcPU5Q$>$*k_FTPlZk0-ObLgDc-*ExkP?+2|O}
z3!3Si$KbaVZ5eY9r&)~df@~!p_(Z=`PoKiEn^A7oUGhXHFi@8JcJ+9osy|yjPC~t+
z?|bGFe+1-{g{_$zp_}jHxk2kOEgCCnJOOauvd~0p$@v;cM)nBjJ$#oT{-`~av^&j;
zM^aRhV0?t4*_C=EM2|zL%_^;(nIUCG)hX^Cq4KK;Q050y>&ct*4_Be~E-3D(vw}|E
zhD@B^MFwGpZX>)pb@!g6k*o}O*&{!e9BTDWUBge-3pi+cVUo%EoL4eW2@;xOcdXPU
z&vRfo<KEw0=O}w)^s(5$KCkF~XmsfGCqZpwQ;2e-07o*E3>(d6V|yhjgxJi;53?jJ
zgE_LZym^-@Xj4dl=HB}Y6v!OgV`WQ&;k5T#!k~phv73<I<*6X~g6rPvT*6770X-Y+
zp?en{nf8}!W9G=I>J8I&R(X*+(hFzn(Hu9sy<Oa+j3oAZG8eND2kWR4*~{_L0-X;%
zoo5x#Y$?ik{P27f4Q(14AADVxDNA=#?iS=Ab?yKdW@x`Me1z^wiqqn3GqUncNw9uz
z8GXxnk#32UTX#p*o-En@sL?W;L@B?Qfm`skdO_)`$AvchC`-OwVd60Z_DYi<iKdry
z$dBkWV4Yz&g|6UdWBey-*hK-t??0#~;J9@9RWGToGi|r^IO$ElaAba3;BE>r=NZe*
zc4lEVc%HWNwd$J-ToU`cGm{S6D)7W@G75QJi+ZY}Zs_b_arOHwX(3tADMj!?ccGNe
z^c!KimwpJ#4}f|&auRi4^iw`c_ScMIarEujc|4{d;mu&$Z)oM2$R`<plpPLS;~HT?
zNUd}{<vV8ZAH2tF+`9WB>tOZXz(M2Nj@K^Z>xyh8dYVOJmO3;<t8Eh<DXZmmGM3!a
zvGZTeNKRH4mCgvmvs$;xzF*#%ANSAZxB6**(_hW+3IEId-(!C@|F+xUO2$zcZB-1k
zf!d9t+*J>2>f_U;r;0=xm;;{cv%VE6gjs^~1BVpNl?XITF(k*c(a>`8h=;Xg7u=Z%
zugAYjetTJiW|>RZyEhkfJ%TK&8jH$*(lWOl-`o>9i?xok$1o+peHQR6zTw`}<+FWu
zypAj2y!fl)-gttW#pLm;T=4LVZ)O*Y+f6Aso6X)j$)V)XVL)nwSuIX#!gO%^fNy#p
zSKq9${s&z>gO+*a?Bs@_4P*APTK6y??zwXt<_CoRLHBv}EkefEMW1Y*&N$;W?Qwl7
zR_1@otyL7?dpHcQsHpZqUW{ub&Kci3RDRT<`LU8tyg>J8#>8>zaKKZ0i;g-4&r9iC
zKj&)E<a1R}ZZ5vsns6ECS!ZF<yAZ{w<pm6WwL~~Vgxb0KC1Mvv>2|vD{q)plSvnjG
zw)rh_l>73-vf%OU=kPM>*gldJmM!8uypw%jW0)hwn#FhR3|>6nL8w)S?lXm!VE0ua
z|BOIidu>PAv|Y8yv4a66_PSix+-Mc`YFDV9bdw#HHFn=4BcV5M%SL=$8M!sx-m%9&
zhxR%*c#e7FXDh<sCE5J#2iB>>@!1ATQ2+LbmWsBVvIC<z<^~OWUbVCKcES#q8}xR9
zT(+!vvXDc=$73(YqDrbENeSWceb2QwT-O@crav^!YjyQ}sK`FIm``1{)X2^pdVnJ3
z#yNVw)u?`!3K4CcBI>=jT)A5?eMPojhdz&TCk+k*xh1cVsz_t?M1C`WRm!6di_CWV
z7{zuw%*!%d)#}wJPmD+HBz`EDUs(QNmwldYQeK+7)7p`w7}TkVibRmtUrT>+VE^LL
zkrbuh+BIcbW3U@)$ey|`+Kcj~i-()qHf1%fCC5*`sE$WrDw>`$njLJt!H3D2Q9B%)
z;c!{YRZG{@8Z}O-jD~+Qrc-p_dQNar3F!&d{5Iu@%!iu475UM&(4~yzEpa^a=DTPK
z9HpKJY~{TJA4tt}QUh&N-JGVVSWreL1$EGhN;SnRCK;kZf2}n9Wc;=@bMf^n!H3Gx
z$oidZyQ00o6F9t2`<cT+VM1`}SD$Z-pTRG<kj(iM<JX_2OBZwzkSXCu7U1iG@?`8e
z-^d#)9Fpl9n;y!kkVLo^BLp*bZm{bjS~5A|qP$qXY`I)Lm{L{t{79MH7cDeo$g#bm
zF7L%5b9gva0K6IwE#B{nWjkkm))~?k(R|PvlwX7rv7*dJEsTt^R+_$h(WF!<cS@ej
zlD)UVMjZHrZU9s(&&i9R;&=WORYnB6XJhzH2?Q9)5rgi|l;&o~z8*s;6qO;s1;kr@
zq8QHyGqRfl#ru?|J65PFbnA-W#1A{dUkV(a2QlGYu<pl0tPd4ZrlAYal<Z1}>itAZ
zv6;qT*<fZosvRrCAG>yoc_ATgm+!}Ip5VJLV=Ac2Y~>Rio}~BpeVGszfaw=@d>ePv
zi{Zs1i59?xmrF;p_F1gGS(h(&p9Wu!HPo5H^v#A}L<$e+wf13z9ev^uo%^00_EO0x
zy86MmrHrOq%Gv!##8MR+w6l+TCX1N|CwE10F+Z=kqh>~)>if7~$#FXorj^l3eGw+j
z|D*tEwpKTJS4aWTW!5SBj6W+qS>q(9CCCNMbYlWRvWr-!l(pLH;I*d1o%%VKM`RG^
zw9$60PKj3EE1D%r)ot5ww&mRqC%shIiW7XyiEa!*m-pKWg{P`dYa|1?WhJQ&=blQZ
z>~@+Pl+6oNaj;_1IeX>4O@=ZrI6JpBSrar>JQc}J(gyVh=M}2>EaCQ@;7XZAiq69}
z4%VNgKbU<b+~RkrO;__yl<)9fUBPGiRuaWV{6_bMGSm_Z#kn)0{_aT1@O43)fsyXz
z$Z6Qg5?FuvC1L!>MS6mYuXVcVItR=7<^JQ6Iir|8DW6V%Fzejd-I@RXpUrRm)BGmC
zn&0>SU*^AI{?+`hMBfH9yOwlx%yR~8=(8AJm-S+bY<piX>k445N)%12_pQs;P|N$`
z0GH4%qX|rQHfpdpO+T^Ohkes<C%rN)>5(*4%GGCT{t~e~?5jLlw`0r~(z(ASqWYkO
zB8G(BE2Rb+_|A`@w1UK&ttZHJ-C&rX5BnWXC{G81I(%uXJ9i&J_&E9fdC6t^j#_sC
zQMXsF2VL5!uvONxGklL_7qPP?G|bjVBHegubJQs)RX>8IO6#fdvrF*0!JhMuTXAUz
z3R~-F4W~cWp_i{dC@E{S1Lxi|n|XhL%Qr(}SZnGFBg<`>w{j#iq_<he0c>B-TV(qU
z*>pBmXX~QI;zxA!ip)-BNo-51gAyq8(n|1{<5!}w4~z^Tbjxv#LAqnQPA3}`XaW;&
zkWO5@mr7o9?y;?s1dhr0RfOg`d`{lUcJ&e(2DcATicCIP0~1{9D)4$|P3@d)4kk~I
z#O*ijlSDqdS&xvDa43DeWnH!Ul;Oas@usY(Ujp>93>S6MYWD!eRve4#bPaGMV%~sX
zn7@{Yp^+*ecAmpgUR?1-7&=pp3@s}{AbT9h$RNTIB)Owtpc@#WFHL1^4PTRdNVkps
zrtFFG=S6CTqngF<uln~m<aX3+1T9N>n3}wPln&QQYS;=dEsHiRFiIxL6XcXykL@z-
zL8fyho&d(epz8%A%?F>wcfG{sgBG7U?H1t#HXcif(t7r(PEec~p==MYD=MvPP-rZ(
z#tY;jboU<FY(|Wv?3KOe@0T7qNgt9WXbKzq@yZAtq>|u@c%MVG>EZs!cyYfi$(Wjg
zyu-5oQ50O9JTeV})=o}=@F7b{iYtAs8bub|!VXz&2kRkEF~s%7CbaRIPSJc{eiRpz
zl=!H3%(^@QKuEtG;)^Nm`H*z3uKgUPtq`ufW2H^B*zm-{UuWHSxSK`URKWhNUEVA!
zWrBi1lZUPKu13WTDPL_pE24%nXMp;IGW-pLRlaY}@nyH}tIy#5UClNX3ExeFac{TI
z+Gn(cwr5Y6uYYI~y*ZDQSIPWH*SQ?=^*XW|?V+)tC7*C#Zb6GR8}Qww(-rY3ply!Z
z_~>zx;P$~4s`eM`Iahz`V{?}rt)NB}VH!7ZtF2JnsYeYFka*X!`B4p+RKeYfpCR<V
zkCQgy2#PCBf4<@7GEfszwh+SST8Rf|v)K*^k+e`_5%VAHTJN<hG`#L_h-vk>_ms!m
z?9umf_rP~EXsrAt+s!muPdoX}^oe2d^4qAXorUHTW}(xltEl!8;5229fM@sEa(MeZ
z0mAn?-&4a$@)qHn5ds}v-r*m{(`2He&iCB!k3E0bb<;I-PJNhF*cjsf6f#oxNaGS^
zkNe9=B&*3BU$J;f<W^0}mhTr<f$29m@oLG><ei%@gpm+VbW-kVBE*rdb=`Zat*Bhi
zr!SAoZYg|@R8)_4rdFM_5GtD`hswT%z7d4p61vwxux7K)>->(G5vPDdku8UX?btzo
zhlO`m1c}WxLHxCf)}X<p^%OekM|o|fM@-vpm=1KKX++>zcCyrsRNoujba3j(+lP#h
z%Qk7xZ}1Hs=@*aH3oOb{uafe=X7^+-@CuU1EEtyzHK43bH#YV!*j~J4)sOh(8CY+`
zg)q{R&-@%pJvHN`#%jn@kSomYT7ehZWBx$xCO>yGKSS0?PCfCkk5n*bt(?o7gmUO>
zQ(QiamAx6g{|vqEvW^mY#ll{7-1&4cP2fSM`aac}L!m-y-`*)m(9bygpd-$C%YmcJ
z*YC4cSrSCiAZ^%SV=mB&y;F3%>$Fl1*&V~r)OV3z^iAkPe_A2=iRB_38JDq2Pc2^a
zSQEWu+u^r~+?0d*<0@nXKZ<k*lm!DFr7*^(9@xIf?wKuR@W{j#?P6W5SN78JJ*?Rq
z^3a(O(;BHWiY>S^Kh>YjZ}Zdq#=n|BsO2y7R|o%Ue)k;|GRAH1aL1rCPNgs(2}I^f
zImaTXZzlV0g-P#+HJ*mkckdQP5vFu%?xzZ|WmO63VMyDy5qZ5wXq5_2WZ;0_Q@UIW
z7kuVPm*zGp^G=egjpR&Se>1je4^p8c=cz-&hGMRST<_68B${k2N7g-mKsXh6bi_q0
zj8ZN_m*d&RpBU{M&ylut<tjhJe9=d2Ial63MY=#A(i_ly)x2N3TVe0V)*=&1Avq;^
z7WCFv$@)!xn-yAm$40Pqy?5vQT5|E{JjPr$8sB(3;sk2FxkdWdT24`~YyAYkjD0ty
z2Kt=lEPD=!J0Y&oY^>Y0&r-qtfu~i@1Pwgrh!G{eEzfF*?5&1}80Fww_0bXpS|d!>
zctqYDSA2|kI8lba3qzVKUr^R6*7d02!7Nhy6Fg#>YnXn{BP>_63QiPEYS=7LDmK6S
z;nY0}Al)*e{Wo==AKnyB+RL7z!e|K_!bdP+j92sH3B2-h7J{od%QXYd2}as3V)rr4
zzEMin#;CB?d}W4kku*xwAHH3-YQ)A#;Ex*hDCk)12@xy&KBQLK|9#nlPKu5*J8Yx>
zBi#+!Ie*d2@7W(P_&>rwsxEK~cXOBvkjcryQWK`j4(8wnae(=lF*qe}Z*qg*Ub#K}
z*P#vE@h-ImWReoN3sQmjxp=|65GXevD~O8`1Y*1$rv$h7zlLbKm^wMZEP$LcruMF|
z+affjbvb0*?d{D>9Ubp#(X_U41>U~@Q4<?b8|LDA`)DA91I!KP;pc+#uyb)h|El$8
zg+N6c57=G0i<eUhW@cmR$PBb|GIg_dg_#09{&_o;gNp;gd>2vrXDfLAqZ4-lGa#pm
znXQJK0|uuukoPX%<l^cE<o<W~3Bm{cp95UJ>PmKqV7%rPo!*K(YpCNfrqtl8yu8O!
zdF)}KZdBs|+dU5>u1?ZQf~F*J`FqEo9vI~#QKLVS2ovifCBSn=C&=BU4f&V^6hhCA
zac_(oXgNXm$;Pk{DwU7S<C!P?n6Ss3vaY&fjb17j<(xN~De&oYj#LctmNJn9o3x;E
zVw9>aIU~;a^ajr<nW@BkOrb~{6czySX>Qp**<)S2BM_2EXZ*9gR6S&B+MAn1-c-R$
z+LWfTr~0E-A9!nAQ)F8GM1AEuHNLC)6=NXnPlK$vt8>vxmBoy_jS$tu>YCvDG7=JL
zg;SzA98jVTk;RwoqmMrm8<$M2HyM-YBL`*ZO*elfUCc-#Tf+>RD41IFnYZ(m`tVTD
zyHMc=v2d^~Tm8`6&I9e&4@*wRnu?{&_<SZGy2%AmGX=k>Z+SLLCXq3BX^?McJ_7~X
zbjCIyi?^MI8cn{)(m#{jEc;wn#fOKj_F?^1pmZk>$Bv+ew1*~&V6*|}Jla7{xz68w
z@VS0lZe4YlB?hOQqXo<hs1E{yA%+;78a7X0w|f|zIzW9ekP8UDJ*N(by8*$V+xyk;
zhFijcKfgtH2U0+NA!(2#4;0EJ$u9wt<mH!wN<g{AxuD`wU>*oWN>U0e0{p*+82;;1
z#sm7_V}j-;CZ_{!AA8W-u%fUovBd7ouXt<zZ~)-v_FGQ$Da7{9{Lfl`HGi1ZPxF%k
z7F~9JHGj%8wKKjjOBAz*GS7K{PzYWXm}Se<M02JG0I*3xF8ICAu5P9-ZeA|8o#lt}
zKrk2>q*Y{o23RS#{}|V${28v*{I78B&0X;5_FvM4z`?)5wOe<^-4WUUOr-ir)cBof
zPZNNLK)}QOJCWzlMCzYJ_1}rkowr0LPLJP-f`2B`{3NRVPV|J|5=EKc|4tPDGZFZc
zsQNq6_x>$Wo9^^?qU@iEw0|4^zPbCsa7(nO7Wkd0_-EpSpG4)~iD6c^#9-2=zZ2E}
mOr-lsRQelY*-zr%to8oxABproiHd(qB)TPX{)@PMNBn;j1A8t2

literal 0
Hc-jL100001

diff --git a/tests/issue-3703/suricata.yaml b/tests/issue-3703/suricata.yaml
new file mode 100644
index 000000000..84ccc3664
--- /dev/null
+++ b/tests/issue-3703/suricata.yaml
@@ -0,0 +1,101 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+  - file-store:
+      version: 2
+      enabled: yes
+      #force-filestore: yes
+      stream-depth: 100000
+
+app-layer:
+  protocols:
+    http:
+      enabled: yes
+      libhtp:
+         default-config:
+           personality: IDS
+
+           # Can be specified in kb, mb, gb.  Just a number indicates
+           # it's in bytes.
+           request-body-limit: 100kb
+           response-body-limit: 100kb
+
+           # inspection limits
+           request-body-minimal-inspect-size: 32kb
+           request-body-inspect-window: 4kb
+           response-body-minimal-inspect-size: 40kb
+           response-body-inspect-window: 16kb
+
+           # response body decompression (0 disables)
+           response-body-decompress-layer-limit: 2
+
+           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+           http-body-inline: auto
+
+           # Decompress SWF files.
+           # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
+           # compress-depth:
+           # Specifies the maximum amount of data to decompress,
+           # set 0 for unlimited.
+           # decompress-depth:
+           # Specifies the maximum amount of decompressed data to obtain,
+           # set 0 for unlimited.
+           swf-decompression:
+             enabled: yes
+             type: both
+             compress-depth: 100kb
+             decompress-depth: 100kb
+
+           # Use a random value for inspection sizes around the specified value.
+           # This lowers the risk of some evasion techniques but could lead
+           # to detection change between runs. It is set to 'yes' by default.
+           #randomize-inspection-sizes: yes
+           # If "randomize-inspection-sizes" is active, the value of various
+           # inspection size will be chosen from the [1 - range%, 1 + range%]
+           # range
+           # Default value of "randomize-inspection-range" is 10.
+           #randomize-inspection-range: 10
+
+           # decoding
+           double-decode-path: no
+           double-decode-query: no
+
+           # Can enable LZMA decompression
+           #lzma-enabled: false
+           # Memory limit usage for LZMA decompression dictionary
+           # Data is decompressed until dictionary reaches this size
+           #lzma-memlimit: 1mb
+           # Maximum decompressed size with a compression ratio
+           # above 2048 (only LZMA can reach this ratio, deflate cannot)
+           #compression-bomb-limit: 1mb
+           # Maximum time spent decompressing a single transaction in usec
+           #decompression-time-limit: 100000
+
+         server-config:
+
+           #- apache:
+           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+           #    personality: Apache_2
+           #    # Can be specified in kb, mb, gb.  Just a number indicates
+           #    # it's in bytes.
+           #    request-body-limit: 4096
+           #    response-body-limit: 4096
+           #    double-decode-path: no
+           #    double-decode-query: no
+
+           #- iis7:
+           #    address:
+           #      - 192.168.0.0/24
+           #      - 192.168.10.0/24
+           #    personality: IIS_7_0
+           #    # Can be specified in kb, mb, gb.  Just a number indicates
+           #    # it's in bytes.
+           #    request-body-limit: 4096
+           #    response-body-limit: 4096
+           #    double-decode-path: no
+           #    double-decode-query: no
diff --git a/tests/issue-3703/test.yaml b/tests/issue-3703/test.yaml
new file mode 100644
index 000000000..f4b7731e3
--- /dev/null
+++ b/tests/issue-3703/test.yaml
@@ -0,0 +1,18 @@
+requires:
+  min-version: 7
+  features:
+    - HAVE_NSS
+    - MAGIC
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.gaps: false
+        fileinfo.state: "CLOSED"
+        fileinfo.sha256: "02f43016d07812f881dc1ccee724f95682016ff00c7ee6b2c856d4d693ce3fa5"
+        fileinfo.stored: true
+        fileinfo.file_id: 1
+        fileinfo.size: 9952
+        fileinfo.tx_id: 0
-- 
2.47.2