diff --git a/tests/bug-7199/README.md b/tests/bug-7199/README.md new file mode 100644 index 000000000..b8ac42937 --- /dev/null +++ b/tests/bug-7199/README.md @@ -0,0 +1,15 @@ +# Test + +Showcase change of behavior from Suricata-7.0.5 to Suricata-7.0.6. +Before, a non-stream rule that matched traffic associated with an app-layer +transaction would result in app-layer metadata being logged with the alert, if +metadata was enabled. Starting with 7.0.6, this will only be achieved if the +rule is an app-layer/stream one. + +### Pcap + +Packet capture resulting of a curl to suricata.io. + +### Ticket + +https://redmine.openinfosecfoundation.org/issues/7199 diff --git a/tests/bug-7199/TLPW-curl-http-suricata.pcap b/tests/bug-7199/TLPW-curl-http-suricata.pcap new file mode 100644 index 000000000..144e4fcaa Binary files /dev/null and b/tests/bug-7199/TLPW-curl-http-suricata.pcap differ diff --git a/tests/bug-7199/suricata.yaml b/tests/bug-7199/suricata.yaml new file mode 100644 index 000000000..30c5d964e --- /dev/null +++ b/tests/bug-7199/suricata.yaml @@ -0,0 +1,20 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert: + enabled: true + tagged-packets: true + metadata: true + http-body: true + - http: + extended: true + tagged-packets: true + - tls: + extended: true + diff --git a/tests/bug-7199/test.rules b/tests/bug-7199/test.rules new file mode 100644 index 000000000..3df3608a6 --- /dev/null +++ b/tests/bug-7199/test.rules @@ -0,0 +1,3 @@ +reject ip any any -> any any (msg: "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; flow: to_server, established; sid: 1;) +pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:"/api/v2/"; startswith; http.method; content:"GET"; http.host; content:"foo.bar.com"; startswith; endswith; sid: 2;) +alert http any any -> any any (msg: "Alert by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:!"/api/v2/"; sid: 3;) diff --git a/tests/bug-7199/test.yaml b/tests/bug-7199/test.yaml new file mode 100644 index 000000000..c7b739717 --- /dev/null +++ b/tests/bug-7199/test.yaml @@ -0,0 +1,29 @@ +args: +- -k none +- --set stream.midstream=true +- --simulate-ips + +checks: + - filter: + count: 4 + match: + event_type: alert + alert.signature_id: 1 + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 1 + has-key: http + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + has-key: http