From 01eb74c5c7bf628829088eef2dd097d463086568 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Fri, 27 Sep 2024 17:55:50 -0300
Subject: [PATCH] tests: add test for bug-7199
More of a change in behavior than a bug, but important to be documented
Related to Bug https://redmine.openinfosecfoundation.org/issues/7199
---
 tests/bug-7199/README.md | 15 ++++++++++
 tests/bug-7199/TLPW-curl-http-suricata.pcap | Bin 0 -> 1219 bytes
 tests/bug-7199/suricata.yaml | 20 ++++++++++++++
 tests/bug-7199/test.rules | 3 ++
 tests/bug-7199/test.yaml | 29 ++++++++++++++++++++
 5 files changed, 67 insertions(+)
 create mode 100644 tests/bug-7199/README.md
 create mode 100644 tests/bug-7199/TLPW-curl-http-suricata.pcap
 create mode 100644 tests/bug-7199/suricata.yaml
 create mode 100644 tests/bug-7199/test.rules
 create mode 100644 tests/bug-7199/test.yaml
diff --git a/tests/bug-7199/README.md b/tests/bug-7199/README.md
new file mode 100644
index 000000000..b8ac42937
--- /dev/null
+++ b/tests/bug-7199/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Showcase change of behavior from Suricata-7.0.5 to Suricata-7.0.6.
+Before, a non-stream rule that matched traffic associated with an app-layer
+transaction would result in app-layer metadata being logged with the alert, if
+metadata was enabled. Starting with 7.0.6, this will only be achieved if the
+rule is an app-layer/stream one.
+
+### Pcap
+
+Packet capture resulting of a curl to suricata.io.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7199
diff --git a/tests/bug-7199/TLPW-curl-http-suricata.pcap b/tests/bug-7199/TLPW-curl-http-suricata.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..144e4fcaa6042e9ad4a2187f64700b7e7ec32d51
GIT binary patch
literal 1219
zcmaKrPfXKL9LHbBVC>B%;)#QYXVeSObt?r%{lk!dV?t6wHO7l}<*_wv?d%F}{tE|< zA>nAEMxz)LW1@I4B#;=v1ig5b1TN@7NbqJ%;4ow2dtDeX7Mi}K{k`_n@Avonc4_hb z3m0&Mox=?na`Wu_=J3(y9uOthbWMJl`58@Jz3sglJ5dd~05}b=he5dN{DV)gf%o_l zXjlycIdJ(;l9Hxe`QK|l0C2f0XWXu8c;9^UmDZVx3J)b;oc0#U1!jR?AOjEv*Q!qX zD3#KIyc+gQM7jt)HFe}4Xn*ODCn;I0Kif>{+vHb-e2#pHu6>$Cm~}KiDbbuF^zQM) z%+}g6(a2D}Z)HlRT0g(@f=Nm%N4x`b4pA;ktYx;=j}?gnl-SdyARa{&MdpM4APXaA z#+FcK)Y3K8R{grk!V4K}aqV$zkPU6rO7bCplRv=1c1^=+Qmfa%u9gjk7kNPO7@Gv(tx-xSf!YAUZVzYqoA05*ooc&8bO! z470G$B>i@(3ENI*B%a?j1HLd9E`rq|Dla68K_L`~1+>N{Ev5y7V#{zSrna_*)TZV} zwS|S3IN36@Ij%$15}4~XhD`}|DiRqm3#oT*zk6qZe@VL!i0cg}T#rk_HS3w^)yM!h zcg1yu3~_-D@Y}+H#G4NBQCVV5dE&=4wy3c*5d;28s~`Xp}nrBu~y#}{SSC any any (msg: "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; flow: to_server, established; sid: 1;)
+pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:"/api/v2/"; startswith; http.method; content:"GET"; http.host; content:"foo.bar.com"; startswith; endswith; sid: 2;)
+alert http any any -> any any (msg: "Alert by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:!"/api/v2/"; sid: 3;)
diff --git a/tests/bug-7199/test.yaml b/tests/bug-7199/test.yaml
new file mode 100644
index 000000000..c7b739717
--- /dev/null
+++ b/tests/bug-7199/test.yaml
@@ -0,0 +1,29 @@
+args:
+- -k none
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ has-key: http
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ has-key: http
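Review bot: The `min-version: 8` filter expects exactly one sid 1 alert to carry an `http` key, which sits oddly next to the README's statement that from 7.0.6 only app-layer/stream rules get app-layer metadata logged, since the sid 1 rule visible in test.rules is a plain `flow: to_server, established` rule with no app-layer keyword (its leading action and header are cut off in this chunk, so that is inferred from the fragment). A YAML comment on that check stating what the 8.x behavior is and why it differs from 7.0.6 would spare the next reader a trip to the ticket, e.g. `# Suricata 8 logs app-layer metadata for this non-app-layer rule again; see ticket 7199` with the wording confirmed against the ticket. The other three sid 1 alerts are implicitly expected to lack `http`, but no check pins that, and nothing asserts the 7.0.6 behavior the test was written to showcase; a check expecting zero sid 1 alerts with `has-key: http` on 7.x would make that explicit, provided the harness allows an upper version bound on a single check.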