Adds test for negated content and absent buffer

Ticket: 2224
OISF · Nov 30, 2023 · 7892803 · 7892803
1 parent 4de2a8c
commit 7892803
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 0 deletions.
diff --git a/tests/detect-negated-content-absent-buffer/README.md b/tests/detect-negated-content-absent-buffer/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test rules with negated content on buffers that are absent
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-negated-content-absent-buffer/no_referer.pcap b/tests/detect-negated-content-absent-buffer/no_referer.pcap
diff --git a/tests/detect-negated-content-absent-buffer/test.rules b/tests/detect-negated-content-absent-buffer/test.rules
@@ -0,0 +1,6 @@
+# Test to ensure it works without a negated content
+# This signature should alert with _any_  pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+
+# Test to prove FN when Referer is not included
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FN test for Referer"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:6;)
diff --git a/tests/detect-negated-content-absent-buffer/test.yaml b/tests/detect-negated-content-absent-buffer/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6