From 789280369b14c195f257126cacc151e7f272ce86 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 30 Nov 2023 14:46:04 +0100 Subject: [PATCH] Adds test for negated content and absent buffer Ticket: 2224 --- .../README.md | 11 +++++++++++ .../no_referer.pcap | Bin 0 -> 617 bytes .../test.rules | 6 ++++++ .../test.yaml | 17 +++++++++++++++++ 4 files changed, 34 insertions(+) create mode 100644 tests/detect-negated-content-absent-buffer/README.md create mode 100644 tests/detect-negated-content-absent-buffer/no_referer.pcap create mode 100644 tests/detect-negated-content-absent-buffer/test.rules create mode 100644 tests/detect-negated-content-absent-buffer/test.yaml diff --git a/tests/detect-negated-content-absent-buffer/README.md b/tests/detect-negated-content-absent-buffer/README.md new file mode 100644 index 000000000..a5b9b8e39 --- /dev/null +++ b/tests/detect-negated-content-absent-buffer/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test rules with negated content on buffers that are absent + +## PCAP + +From the issue https://redmine.openinfosecfoundation.org/issues/2224 + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/2224 diff --git a/tests/detect-negated-content-absent-buffer/no_referer.pcap b/tests/detect-negated-content-absent-buffer/no_referer.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0ef6c2e989b92da480aadfd77977e9f59f0d1545 GIT binary patch literal 617 zcmca|c+)~A1{MYw`2U}Qff2}Y%?(NkXkcS71F}Ilv7&XK>vFU2g4+7Q91N}u3>qM1 z4r~tG2UdJZ;1Q@?efb z$RvgUpg9Z-DL~8}AOtj}0b+`38^V+uPhyNaRSPAj9_+k^Y6_ZLxPhjm1_%I6X@r8W`@iM0HDUM|Pvywz5UYeMm3N$TGx3m~8?wXgJpOTrEZl#c3m06&pkdm5~ zlUS0<%jKM(R|2#|H>9!vs0rE7tm6DUuzX%>GRPJy1@F|<0$sKB;->B^g!< zh6V;e#fixosk$H|i}G`<6!P+QlR+Z9T)bSMq`=dQ2>zhROC9PHTgq4Ro_&uR{AiJw P3Jm^#py03XV_*OPgu1Oz literal 0 HcmV?d00001 
diff --git a/tests/detect-negated-content-absent-buffer/test.rules b/tests/detect-negated-content-absent-buffer/test.rules
new file mode 100644
index 000000000..e4e8a29d7
--- /dev/null
+++ b/tests/detect-negated-content-absent-buffer/test.rules
@@ -0,0 +1,6 @@
+# Test to ensure it works without a negated content
+# This signature should alert with _any_ pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+
+# Test to prove FN when Referer is not included
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FN test for Referer"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:6;)
diff --git a/tests/detect-negated-content-absent-buffer/test.yaml b/tests/detect-negated-content-absent-buffer/test.yaml
new file mode 100644
index 000000000..a5dbf4fae
--- /dev/null
+++ b/tests/detect-negated-content-absent-buffer/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
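Review bot: The comment above sid 6, `# Test to prove FN when Referer is not included`, contradicts test.yaml in the same commit, which expects sid 6 to alert exactly once; the rule is a regression test that the false negative is gone, not a demonstration of it. A reader comparing the two files cannot tell which outcome is intended. Suggest `# Regression test for ticket 2224: negated content on an absent Referer buffer must still match`, and aligning the `msg` text (currently "FN test for Referer") with it so the alert itself reads as the expected result.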
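Review bot: The two checks pin only that sid 1 and sid 6 each fire once; nothing asserts that no other alert is emitted, so a change that makes the negated content fire on additional transactions or adds a stray alert would still pass. A total-count filter such as `- filter: {count: 2, match: {event_type: alert}}` would close that gap. `requires: min-version: 8` presumably reflects that the negated-content-on-absent-buffer behaviour is only expected on the newer branch; a one-line comment saying so would spare readers of older branches a trip to the ticket.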