datasets: test with multi-buffer and occurences in different packets

Ticket: 5576
OISF · Oct 15, 2024 · 61a9767 · 61a9767
1 parent 01fee9f
commit 61a9767
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 0 deletions.
diff --git a/tests/datasets-delayed-multi-postmatch/README.md b/tests/datasets-delayed-multi-postmatch/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+Test datasets only sets when there is a full signature match.
+Test is with a signature using different keywords matching at different stages,
+and pcap having different packets making the transaction progress step by step.
+And test is using a multi-buffer to test that we only save the right occurences.
+
+https://redmine.openinfosecfoundation.org/issues/5576
+
+PCAP
+====
+
+Pcap crafted with some http server and some python client that delays or not the writing of the headers
diff --git a/tests/datasets-delayed-multi-postmatch/expected/http_match.csv b/tests/datasets-delayed-multi-postmatch/expected/http_match.csv
@@ -0,0 +1,2 @@
+WC1maXJzdDogc2VjcmV0
+SGVhZGVyMTogZmlyc3Q=
diff --git a/tests/datasets-delayed-multi-postmatch/input.pcap b/tests/datasets-delayed-multi-postmatch/input.pcap
diff --git a/tests/datasets-delayed-multi-postmatch/test.rules b/tests/datasets-delayed-multi-postmatch/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any ( sid: 1; http.stat_code; content: "200"; fast_pattern; http.response_header; content: "first"; dataset:set,http_match,type string,save http_match.csv; file.data; content: "later";)
diff --git a/tests/datasets-delayed-multi-postmatch/test.yaml b/tests/datasets-delayed-multi-postmatch/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  min-version: 8
+
+args:
+- -k none --data-dir=${OUTPUT_DIR}
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- file-compare:
+    filename: http_match.csv
+    expected: expected/http_match.csv