From 1f3104751163e758aab0a4c943721c90a22aecd1 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Wed, 17 Jun 2026 18:04:45 +0200
Subject: [PATCH] rules: adds test for pcre \X engine analysis

Ticket: 8634
---
 tests/rules/pcre-unicode-cluster/README.md  |  5 +++++
 tests/rules/pcre-unicode-cluster/test.rules |  1 +
 tests/rules/pcre-unicode-cluster/test.yaml  | 16 ++++++++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 tests/rules/pcre-unicode-cluster/README.md
 create mode 100644 tests/rules/pcre-unicode-cluster/test.rules
 create mode 100644 tests/rules/pcre-unicode-cluster/test.yaml

diff --git a/tests/rules/pcre-unicode-cluster/README.md b/tests/rules/pcre-unicode-cluster/README.md
new file mode 100644
index 000000000..dfff477a7
--- /dev/null
+++ b/tests/rules/pcre-unicode-cluster/README.md
@@ -0,0 +1,5 @@
+# Test Description
+
+Test pcre with `\X` (Unicode extended grapheme cluster) rule analysis
+
+https://redmine.openinfosecfoundation.org/issues/8634
diff --git a/tests/rules/pcre-unicode-cluster/test.rules b/tests/rules/pcre-unicode-cluster/test.rules
new file mode 100644
index 000000000..66f533c7f
--- /dev/null
+++ b/tests/rules/pcre-unicode-cluster/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (pcre:"/dummy_alt|\X++h/"; sid:8;)
\ No newline at end of file
diff --git a/tests/rules/pcre-unicode-cluster/test.yaml b/tests/rules/pcre-unicode-cluster/test.yaml
new file mode 100644
index 000000000..d258eb53f
--- /dev/null
+++ b/tests/rules/pcre-unicode-cluster/test.yaml
@@ -0,0 +1,16 @@
+requires:
+    min-version: 9
+    pcap: false
+
+skip:
+    - feature: FUZZ
+
+args:
+    - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      notes[0]: "pcre with \\X (Unicode extended grapheme cluster) may be slow"
-- 
2.47.3