tests/firewall: add test testing <response body
authorJason Ish <jason.ish@oisf.net>
Wed, 20 May 2026 18:22:21 +0000 (12:22 -0600)
committerVictor Julien <victor@inliniac.net>
Tue, 26 May 2026 13:42:07 +0000 (15:42 +0200)
tests/firewall/ruletype-firewall-96-lt-response-body-no-match/README.md [new file with mode: 0644]
tests/firewall/ruletype-firewall-96-lt-response-body-no-match/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-96-lt-response-body-no-match/test.yaml [new file with mode: 0644]

diff --git a/tests/firewall/ruletype-firewall-96-lt-response-body-no-match/README.md b/tests/firewall/ruletype-firewall-96-lt-response-body-no-match/README.md
new file mode 100644 (file)
index 0000000..79d0175
--- /dev/null
@@ -0,0 +1,6 @@
+This PCAP has the classic response body of:
+
+  uid=0(root) gid=0(root) groups=0(root)
+
+Our rules firewall.rules should only allow responses bodies that contain
+"suricata", validate that this is the case.
diff --git a/tests/firewall/ruletype-firewall-96-lt-response-body-no-match/firewall.rules b/tests/firewall/ruletype-firewall-96-lt-response-body-no-match/firewall.rules
new file mode 100644 (file)
index 0000000..cb4dbc4
--- /dev/null
@@ -0,0 +1,7 @@
+accept:hook tcp:all any any <> any any (sid:100;)
+
+# Allow the complete request side.
+accept:hook,alert http1:<request_complete any any -> any any (sid:999;)
+
+# Only allow responses with "suricata" in the response body.
+accept:flow,alert http1:<response_body any any -> any any (http.response_body; content:"suricata"; sid:998;)
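Review bot: The sid:100 rule at the top of the hunk is the only one without a comment, while sid:999 and sid:998 both explain their intent; a one-line header such as `# Accept all TCP at the packet hook so the flow reaches the HTTP hooks below.` would keep the file self-describing (that the tcp:all accept is what lets the later HTTP rules be evaluated is inferred from rule order here, so confirm the wording). Also worth noting that `content:"suricata"` on sid:998 has no `nocase`, so a body containing "Suricata" would be blocked as well; if that is intended, extend the comment to `# Only allow responses with "suricata" (case-sensitive) in the response body.`, otherwise add `nocase;` after the content keyword. The README for this test says "contain suricata" without stating case, so the two should agree.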
diff --git a/tests/firewall/ruletype-firewall-96-lt-response-body-no-match/test.yaml b/tests/firewall/ruletype-firewall-96-lt-response-body-no-match/test.yaml
new file mode 100644 (file)
index 0000000..685a2cf
--- /dev/null
@@ -0,0 +1,13 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+  - stats:
+      ips.accepted: 5
+      ips.blocked: 5
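Review bot: The stats check at the end of the hunk only counts accepted and blocked packets; it does not confirm that the blocking happens because sid:998 failed to match on the response body, which is the property the README describes. An alert-count check would pin that down: sid:999 should fire for the completed request and sid:998 should never fire (the exact sid:999 count has to be confirmed against the capture). Separately, `pcap: ../../flowbit-oring/input.pcap` reuses another test's capture, so a rename of that directory would silently break this test; a short comment on that line naming why the capture is shared would help the next maintainer.
```yaml
checks:
  # … unchanged: stats check …
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 999
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 998
```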