OISF · catenacyber · Oct 10, 2023 · Oct 10, 2023
diff --git a/tests/filestore-dont/README.md b/tests/filestore-dont/README.md
@@ -0,0 +1,12 @@
+# Description
+
+Test filestore does not store too much
+
+# Ticket 
+
+https://redmine.openinfosecfoundation.org/issues/6388
+https://redmine.openinfosecfoundation.org/issues/6390
+
+# PCAP
+
+The pcap was manually crafted to have HTTP/1 pipelining POST request  with multipart files when the first response is not over
diff --git a/tests/filestore-dont/input.pcap b/tests/filestore-dont/input.pcap
diff --git a/tests/filestore-dont/suricata.yaml b/tests/filestore-dont/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - alert
+        - http
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: no
+      stream-depth: 0
diff --git a/tests/filestore-dont/test.rules b/tests/filestore-dont/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"FILE HTTP filtore"; http.uri; content: "pipeline"; filestore:both,flow; sid:2; rev:1;)
diff --git a/tests/filestore-dont/test.yaml b/tests/filestore-dont/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 6
+  features:
+    - HAVE_NSS
+
+args:
+- -k none
+
+checks:
+  - shell:
+        # if there is this file hash, it must have the full 2048 bytes content
+        args: not test -e output//filestore/eb/eb076a2ec6ced9ee2e823e098446513cf5b2bb60fbcb04e6c85dc23dedaa414a || ( wc -c output//filestore/eb/eb076a2ec6ced9ee2e823e098446513cf5b2bb60fbcb04e6c85dc23dedaa414a | grep 2048 )
diff --git a/tests/filestore-response/README.md b/tests/filestore-response/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test filestore stores all files with one direction
+
+# Ticket 
+
+https://redmine.openinfosecfoundation.org/issues/6388
+https://redmine.openinfosecfoundation.org/issues/6392
diff --git a/tests/filestore-response/input.pcap b/tests/filestore-response/input.pcap
diff --git a/tests/filestore-response/suricata.yaml b/tests/filestore-response/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - alert
+        - http
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: no
+      stream-depth: 0
diff --git a/tests/filestore-response/test.rules b/tests/filestore-response/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"FILE HTTP filtore"; file.data; content: "123456789abcdef"; filestore:response,flow; sid:2; rev:1;)
diff --git a/tests/filestore-response/test.yaml b/tests/filestore-response/test.yaml
@@ -0,0 +1,26 @@
+requires:
+  min-version: 6
+  features:
+    - HAVE_NSS
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      app_proto: http
+      event_type: fileinfo
+      fileinfo.sha256: eb076a2ec6ced9ee2e823e098446513cf5b2bb60fbcb04e6c85dc23dedaa414a
+      fileinfo.stored: true
+    count: 1
+    match:
+      app_proto: http
+      event_type: fileinfo
+      fileinfo.sha256: a87f126892a71279399ddda2dab8bbe1fcc6681b051c506e95294e71f639af72
+      fileinfo.stored: true
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		alert http any any -> any any (msg:"FILE HTTP filtore"; http.uri; content: "pipeline"; filestore:both,flow; sid:2; rev:1;)