From ecf849ff6a7badd51c0276a5314756769213a52e Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Mon, 21 Mar 2022 19:03:02 +0530
Subject: [PATCH] tests: add test for bug 5197

---
 tests/bug-5197/README.md | 12 ++++++++++
 tests/bug-5197/input.pcap | Bin 0 -> 281 bytes
 tests/bug-5197/test.rules | 7 ++++++
 tests/bug-5197/test.yaml | 49 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 68 insertions(+)
 create mode 100644 tests/bug-5197/README.md
 create mode 100644 tests/bug-5197/input.pcap
 create mode 100644 tests/bug-5197/test.rules
 create mode 100644 tests/bug-5197/test.yaml

diff --git a/tests/bug-5197/README.md b/tests/bug-5197/README.md
new file mode 100644
index 000000000..082e66ec6
--- /dev/null
+++ b/tests/bug-5197/README.md
@@ -0,0 +1,12 @@
+Description
+===========
+This test is to demonstrate Redmine bug 5197.
+`fast_pattern` assignment of specific content results in false negatives.
+For the PCAP used in this test, sid:1 and sid:2 are the exact same rules except for an explicit
+`fast_pattern` keyword in sid:2. But, only sid:1 fires.
+Another issue that can be seen is that changing the position of `fast_pattern` can also result
+in some false negatives. sid:3 and sid:6 are such examples. Only sid:6 fires in this case.
+
+PCAP
+====
+PCAP comes from the Redmine ticket https://redmine.openinfosecfoundation.org/issues/5197
diff --git a/tests/bug-5197/input.pcap b/tests/bug-5197/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2ef665c1295760befdd77b867d3e8a543833514f GIT binary patch literal 281 zc-p&ic+)~A1{MYcU}0bcl5>QOlcKLPFvK!IaNeYY8KPG|T}`~uIhljOm4U%Oz}|tu zLGbQXu6hPeMj*J8%V5f2&2!Dg6R4jNVivEVk+F%XnYo3fL1I!eb4qF&dq!qfc1~^{ zdwxM-QE^Er1A_nqBgnE1OIR3MfLcHpVhzMfpk*2iWif{w7%T*DGJ`AvS;$}tv@S`| q(#5l}0caT`36>q;0g((KH%dz(v^Y9BySTc!dw6 $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:1;) +alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; fast_pattern; sid:2;) +alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; fast_pattern; content:"456789"; distance:2; within:6; sid:3;) +alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; fast_pattern; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:4;) +alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; fast_pattern; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; 
content:"456789"; distance:2; within:6; sid:5;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; fast_pattern; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:6;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; fast_pattern; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:7;)
diff --git a/tests/bug-5197/test.yaml b/tests/bug-5197/test.yaml
new file mode 100644
index 000000000..f194e770d
--- /dev/null
+++ b/tests/bug-5197/test.yaml
@@ -0,0 +1,49 @@
+args:
+- -k none
+- --set mpm-algo=ac
+- --set spm-algo=bm
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: dns
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: flow
-- 
2.47.2
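Review bot: The checks in test.yaml expect every `alert.signature_id` 1 through 7 to fire exactly once, which is the post-fix behaviour, while the README added by the same patch states that with the bug present only sid:1 and sid:6 fire; nothing in the hunk pins which Suricata versions the expectation applies to, so the test will fail rather than be skipped on any branch that does not carry the fix. If this suite's `requires:` / `min-version` keys are the convention for that, a stanza such as `requires:` / `  min-version: <FIXED_VERSION>` (placeholder — take the version from the fix commit) above `args:` would let older branches skip it. A short comment above `checks:` such as `# every sid (1-7) must alert exactly once; sid:1/sid:2 and sid:3/sid:6 differ only in fast_pattern placement` would also make the intent clear without cross-reading the README. The indentation of the nested `count:` / `match:` keys appears squeezed in this rendering, so I cannot confirm the YAML nesting from the hunk alone.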