Merge branch 'master' into tests-3346-mysql-v2

tests/app-layer-template/test.rules

@@ -1,2 +1,2 @@
-alert template any any -> any any (msg:"TEST"; content:"Hello"; flow:established,to_server; sid:1; rev:1;)
-alert template any any -> any any (msg:"TEST"; content:"Bye"; flow:established,to_client; sid:2; rev:1;)
+alert template any any -> any any (msg:"TEST"; template.buffer; content:"Hello"; flow:established,to_server; sid:1; rev:1;)
+alert template any any -> any any (msg:"TEST"; template.buffer; content:"Bye"; flow:established,to_client; sid:2; rev:1;)

tests/app-layer-template/test.yaml

@@ -1,5 +1,4 @@
 # *** Add configuration here ***
-
 args:
 - -k none
 

tests/bug-7264-tcp-3whs-ack-data-tls-01/test.yaml

@@ -1,5 +1,5 @@
 requires:
-  min-version: 8
+  min-version: 7.0.7
 
 args:
   - --simulate-ips
@@ -21,5 +21,3 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 6001
-
-

tests/bug-docs-5030-01/README.md

@@ -0,0 +1,18 @@
+# Test
+
+Showcase the usage of `distance`, `within` and `endswith`, as proposed
+in https://redmine.openinfosecfoundation.org/issues/5030.
+
+## Behavior
+
+There should be an alert. "The distance and within effectively limit how much
+of a payload can be present while ensuring the packet still "endswith" the
+desired content." This happens for this pcap.
+
+## Pcap
+
+35_bytes.pcap Shared by Brandon Murphy in the aforementioned ticket.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5030

tests/bug-docs-5030-01/test.rules

@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"Test"; content:"yYYYYYYYYYYYYYYYY"; distance:9; within:29; endswith; sid:1;)

tests/bug-docs-5030-01/test.yaml

@@ -0,0 +1,9 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+        event_type: alert
+        alert.signature_id: 1

tests/bug-docs-5030-02/README.md

@@ -0,0 +1,19 @@
+# Test
+
+Showcase the usage of `distance`, `within` and `endswith`, as proposed
+in https://redmine.openinfosecfoundation.org/issues/5030.
+
+## Behavior
+
+There should be no alert. "The distance and within effectively limit how much
+of a payload can be present while ensuring the packet still "endswith" the
+desired content." As the content is greater than the 38 bytes limit (9+29) set
+by the rule, the signature isn't fired..
+
+## Pcap
+
+39_bytes.pcap shared by Brandon Murphy in the aforementioned ticket.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5030

tests/bug-docs-5030-02/test.rules

@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"Test"; content:"yYYYYYYYYYYYYYYYY"; distance:9; within:29; endswith; sid:1;)

tests/bug-docs-5030-02/test.yaml

@@ -0,0 +1,9 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+        event_type: alert
+        alert.signature_id: 1

tests/dataset-hash-collisions/README.md

@@ -0,0 +1,21 @@
+Test Description
+================
+
+Datasets use a static DJB2 hash function to hash all types of datasets. These hashed
+datasets are stored in the THash API which has no randomization in place. As
+a result of this, the hash table can be exploited with a worst case time scenario of
+O(n) where n is the total number of entries in the table as a result of excessive chaining
+in a single row.
+
+The test shows that it takes excess time for the THash API to load the datasets from the file
+as many of them evaluate the exact same hash using the algorithm so this is not even the worst
+case scenario. With bigger dataset and lesser system specs/availability of resources,
+this can be worse. Note that it is not just about the number of datasets as there already
+does exist a test already that loads 1m+ datasets.
+
+Test data procured from: https://bugs.php.net/bug.php?id=70644
+
+Redmine Ticket
+==============
+
+https://redmine.openinfosecfoundation.org/issues/7209