From 61a9767dedb10a3d7ca2950e880680311e1b3240 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 15 Oct 2024 14:41:16 +0200
Subject: [PATCH] datasets: test with multi-buffer and occurences in different packets
Ticket: 5576
---
 tests/datasets-delayed-multi-postmatch/README.md | 14 ++++++++++++++
 .../expected/http_match.csv | 2 ++
 .../datasets-delayed-multi-postmatch/input.pcap | Bin 0 -> 1845 bytes
 .../datasets-delayed-multi-postmatch/test.rules | 1 +
 tests/datasets-delayed-multi-postmatch/test.yaml | 15 +++++++++++++++
 5 files changed, 32 insertions(+)
 create mode 100644 tests/datasets-delayed-multi-postmatch/README.md
 create mode 100644 tests/datasets-delayed-multi-postmatch/expected/http_match.csv
 create mode 100644 tests/datasets-delayed-multi-postmatch/input.pcap
 create mode 100644 tests/datasets-delayed-multi-postmatch/test.rules
 create mode 100644 tests/datasets-delayed-multi-postmatch/test.yaml
diff --git a/tests/datasets-delayed-multi-postmatch/README.md b/tests/datasets-delayed-multi-postmatch/README.md
new file mode 100644
index 000000000..b794e7276
--- /dev/null
+++ b/tests/datasets-delayed-multi-postmatch/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+Test datasets only sets when there is a full signature match.
+Test is with a signature using different keywords matching at different stages,
+and pcap having different packets making the transaction progress step by step.
+And test is using a multi-buffer to test that we only save the right occurences.
+
+https://redmine.openinfosecfoundation.org/issues/5576
+
+PCAP
+====
+
+Pcap crafted with some http server and some python client that delays or not the writing of the headers
diff --git a/tests/datasets-delayed-multi-postmatch/expected/http_match.csv b/tests/datasets-delayed-multi-postmatch/expected/http_match.csv
new file mode 100644
index 000000000..9a2e45ed0
--- /dev/null
+++ b/tests/datasets-delayed-multi-postmatch/expected/http_match.csv
@@ -0,0 +1,2 @@
+WC1maXJzdDogc2VjcmV0
+SGVhZGVyMTogZmlyc3Q=
diff --git a/tests/datasets-delayed-multi-postmatch/input.pcap b/tests/datasets-delayed-multi-postmatch/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..fcbd9a32917c3bdb70db8025c7046ddbc0ef4dc0
GIT binary patch
literal 1845
zcmbW1&u`LT7{^~2fu$LX^TdrBFJ=m~fbz@CBFrrrn~Y)Hfsict%9b!#+D-=-J(;jS z!J8+qi-~{05(%f>y|~EHnRxUd+2-?<_l1IBQXY7crfoj`e4oB=!)Kp9*olJ-s&{<1 zFkk+>?;>fqfX&Me2g`&g_*a~SydlJfecJRU+YR*(-gjcZzP<_*Vs||HYMYsH+HA8z zEAj9*UUL8d*F>kOM>)i$Z`P&cpl)b^b&I(%PEOLNfMu~30qWsMODnC z>9u`B|GNeK-on+^VF6s4Ul=YZz5p(O2Np(;=%*&=U$z@eKQf|EcV19cj*Bn%R82Q@ ze@&$unln$E>)wO6_vOe%*1!{+7n?SuP=@wxZ`z@`zHWl+W^>3))v7uy8J}K1pm9;B zN4kKIaMrDEF`RJ7JFKj9V#RC@dAEUA09R~YOnG~PvbV3CF)J&bZJ#mPxTw*RN_Bxp z$k1w8--V447K{x3=`y6oW$;0ULeoW_fIK!Ymf`V)45@yG2RuW5sg+PV8l_^rb|_YM zbgJG$`g@>T`=}Wc-vrwqd`q?x>9bfdzl1#J@szxU@w}u39$R#qkbc8FO>{#?^s7wE XTQGlu2E30Jc any any ( sid: 1; http.stat_code; content: "200"; fast_pattern; http.response_header; content: "first"; dataset:set,http_match,type string,save http_match.csv; file.data; content: "later";)
diff --git a/tests/datasets-delayed-multi-postmatch/test.yaml b/tests/datasets-delayed-multi-postmatch/test.yaml
new file mode 100644
index 000000000..e8ffbcfd2
--- /dev/null
+++ b/tests/datasets-delayed-multi-postmatch/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ min-version: 8
+
+args:
+- -k none --data-dir=${OUTPUT_DIR}
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- file-compare:
+ filename: http_match.csv
+ expected: expected/http_match.csv
\ No newline at end of file
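Review bot: The `file-compare` check on `http_match.csv` in test.yaml is an exact byte comparison, so it also pins the order of the two saved entries listed in `expected/http_match.csv`; if the dataset dump does not guarantee a stable entry order across runs (hash-table iteration order, for instance), this check could be flaky, which is worth confirming before merging. The `-k none` argument disables checksum verification and the README only implies why (a crafted pcap); a one-line comment such as `# -k none: pcap is hand-crafted, checksums are not valid` above the `args` entry would make that intent explicit in the file that uses it. The test.rules hunk is garbled in this view (its diff header is fused with the pcap binary patch), so the rule itself is not assessed here.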