From 6fe829237b4da69880909a54d28a0a469c85b2b1 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Fri, 27 Sep 2024 17:55:50 -0300
Subject: [PATCH 1/3] tests: add test for bug-7199

More of a change in behavior than a bug, but important to be documented Related to Bug https://redmine.openinfosecfoundation.org/issues/7199
---
 tests/bug-7199/README.md | 15 +++++++++
 tests/bug-7199/TLPW-curl-http-suricata.pcap | Bin 0 -> 1219 bytes
 tests/bug-7199/suricata.yaml | 22 +++++++++++++
 tests/bug-7199/test.rules | 3 ++
 tests/bug-7199/test.yaml | 33 ++++++++++++++++++++
 5 files changed, 73 insertions(+)
 create mode 100644 tests/bug-7199/README.md
 create mode 100644 tests/bug-7199/TLPW-curl-http-suricata.pcap
 create mode 100644 tests/bug-7199/suricata.yaml
 create mode 100644 tests/bug-7199/test.rules
 create mode 100644 tests/bug-7199/test.yaml

diff --git a/tests/bug-7199/README.md b/tests/bug-7199/README.md
new file mode 100644
index 000000000..b8ac42937
--- /dev/null
+++ b/tests/bug-7199/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Showcase change of behavior from Suricata-7.0.5 to Suricata-7.0.6.
+Before, a non-stream rule that matched traffic associated with an app-layer
+transaction would result in app-layer metadata being logged with the alert, if
+metadata was enabled. Starting with 7.0.6, this will only be achieved if the
+rule is an app-layer/stream one.
+
+### Pcap
+
+Packet capture resulting of a curl to suricata.io.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7199
diff --git a/tests/bug-7199/TLPW-curl-http-suricata.pcap b/tests/bug-7199/TLPW-curl-http-suricata.pcap new file mode 100644 index 0000000000000000000000000000000000000000..144e4fcaa6042e9ad4a2187f64700b7e7ec32d51 GIT binary patch literal 1219 zcmaKrPfXKL9LHbBVC>B%;)#QYXVeSObt?r%{lk!dV?t6wHO7l}<*_wv?d%F}{tE|< zA>nAEMxz)LW1@I4B#;=v1ig5b1TN@7NbqJ%;4ow2dtDeX7Mi}K{k`_n@Avonc4_hb z3m0&Mox=?na`Wu_=J3(y9uOthbWMJl`58@Jz3sglJ5dd~05}b=he5dN{DV)gf%o_l zXjlycIdJ(;l9Hxe`QK|l0C2f0XWXu8c;9^UmDZVx3J)b;oc0#U1!jR?AOjEv*Q!qX zD3#KIyc+gQM7jt)HFe}4Xn*ODCn;I0Kif>{+vHb-e2#pHu6>$Cm~}KiDbbuF^zQM) z%+}g6(a2D}Z)HlRT0g(@f=Nm%N4x`b4pA;ktYx;=j}?gnl-SdyARa{&MdpM4APXaA z#+FcK)Y3K8R{grk!V4K}aqV$zkPU6rO7bCplRv=1c1^=+Qmfa%u9gjk7kNPO7@Gv(tx-xSf!YAUZVzYqoA05*ooc&8bO! z470G$B>i@(3ENI*B%a?j1HLd9E`rq|Dla68K_L`~1+>N{Ev5y7V#{zSrna_*)TZV} zwS|S3IN36@Ij%$15}4~XhD`}|DiRqm3#oT*zk6qZe@VL!i0cg}T#rk_HS3w^)yM!h zcg1yu3~_-D@Y}+H#G4NBQCVV5dE&=4wy3c*5d;28s~`Xp}nrBu~y#}{SSC any any (msg: "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; flow: to_server, established; sid: 1;) +pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:"/api/v2/"; startswith; http.method; content:"GET"; http.host; content:"foo.bar.com"; startswith; endswith; sid: 2;) +alert http any any -> any any (msg: "Alert by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:!"/api/v2/"; sid: 3;) diff --git a/tests/bug-7199/test.yaml b/tests/bug-7199/test.yaml new file mode 100644 index 000000000..510fe6017 --- /dev/null +++ b/tests/bug-7199/test.yaml 
@@ -0,0 +1,33 @@
+requires:
+  features:
+    - LIBNET1.1
+
+args:
+- -k none
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+      has-key: http
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+      has-key: http

From 1b16789f9dfc0b5c0aa2520b7fc3bf7ccf73e587 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 28 Nov 2024 11:19:15 +0100
Subject: [PATCH 2/3] output: use detect.force-applayer-findtx for http-ish content test

Ticket: 7199
---
 tests/bug-130/test.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/tests/bug-130/test.yaml b/tests/bug-130/test.yaml
index 36fe83840..5e5d8a942 100644
--- a/tests/bug-130/test.yaml
+++ b/tests/bug-130/test.yaml
@@ -1,10 +1,8 @@
 requires:
   min-version: 5.0.0
-  features:
-    - HAVE_LIBJANSSON
 
 args:
-  - -k none
+  - -k none --set detect.force-applayer-findtx=true
 
 checks:
   - filter:

From 5fa7f3bc5f3a81e80130eb1142f2fbbb466057af Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 28 Nov 2024 13:37:47 +0100
Subject: [PATCH 3/3] pgsql: use detect.force-applayer-findtx for content test

Ticket: 7199
---
 tests/pgsql/pgsql-7000-ids/suricata.yaml | 3 +++
 tests/pgsql/pgsql-7000-ids/test.yaml | 7 -------
 tests/pgsql/pgsql-bug-6983-ips/suricata.yaml | 3 +++
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/tests/pgsql/pgsql-7000-ids/suricata.yaml b/tests/pgsql/pgsql-7000-ids/suricata.yaml
index aac151f99..31efb6daa 100644
--- a/tests/pgsql/pgsql-7000-ids/suricata.yaml
+++ b/tests/pgsql/pgsql-7000-ids/suricata.yaml
@@ -15,3 +15,6 @@ app-layer:
   protocols:
     pgsql:
       enabled: yes
+
+detect:
+  force-applayer-findtx: true
\ No newline at end of file
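Review bot: The checks in tests/bug-7199/test.yaml never assert the 7.0.6 behaviour the README describes: no filter pins that sid 1 alerts carry no `http` key on 7.0.6 and later 7.x builds, only the `min-version: 8` filter that expects one such alert with metadata, so the test cannot catch a regression of the very change it was added for. A sibling check such as `- filter: {max-version: 7, count: 0, match: {event_type: alert, alert.signature_id: 1}, has-key: http}` would pin it, assuming the harness accepts `max-version` on a check the way it accepts `min-version` here. The `min-version: 8` filter also reads as contradicting the README (sid 1 is the rule the README calls non-app-layer, yet it is expected to log http metadata on 8); a one-line YAML comment on that filter saying why 8 differs, presumably tied to the detect.force-applayer-findtx setting the follow-up commits enable if this test's suricata.yaml (not visible here) sets it, would spare the next reader a trip to the ticket. This matters to anyone whose alert pipeline keys on http fields in eve alert records, which is why the negative check is worth having.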
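Review bot: The new args entry in tests/bug-130/test.yaml packs two options into one list item, `- -k none --set detect.force-applayer-findtx=true`, whereas the bug-7199 test in this same series lists each option separately; splitting it into `- -k none` and `- --set detect.force-applayer-findtx=true` keeps the files consistent and does not depend on how the harness tokenises a single item. Separately, `min-version: 5.0.0` is kept while the option only has meaning on builds that know `detect.force-applayer-findtx`; if older versions silently ignore an unknown `--set` key this is harmless, but if they reject it the minimum version should be raised to the first release that has the option. The hunk ends inside the `checks:` list, whose items are outside the hunk.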
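Review bot: In tests/pgsql/pgsql-7000-ids/suricata.yaml the `detect:` block is appended as a new top-level key at the end of the file; if the first fourteen lines (outside the hunk) already contain a `detect:` section, this creates a duplicate top-level key whose precedence depends on the YAML loader, and the new setting should be merged into the existing section instead. The same appended block in tests/pgsql/pgsql-bug-6983-ips/suricata.yaml raises the same question. Both hunks also end with `\ No newline at end of file`; adding the trailing newline is a small cleanup that keeps future diffs of these files clean.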
diff --git a/tests/pgsql/pgsql-7000-ids/test.yaml b/tests/pgsql/pgsql-7000-ids/test.yaml
index 0e5d976c6..0f5e5ec5d 100644
--- a/tests/pgsql/pgsql-7000-ids/test.yaml
+++ b/tests/pgsql/pgsql-7000-ids/test.yaml
@@ -171,11 +171,4 @@ checks:
         Dumbledore....prof_dumbledore@gmail.comD...2.....\nMcGonagall....prof_mc.gonagall@gmail.comD...'......Rogue....prof_rogue@yahoo.comD...)......Hagrid....prof_hagrid@gmail.comD...,......Hermione....prof_gramger@gmail.comD...'......Remus....prof_lupin@gmail.comD...)......Maugre....prof_folloy@gmail.comD...-......Londubat....prof_londubat@gmail.comC...\r\
         SELECT 8.Z....I"
         pcap_cnt: 87
-        pgsql.request.simple_query: SELECT * FROM new_table;
-        pgsql.response.command_completed: SELECT 8
-        pgsql.response.data_rows: 8
-        pgsql.response.data_size: 236
-        pgsql.response.field_count: 2
-        pgsql.tx_id: 26
         stream: 1
-        tx_id: 25
diff --git a/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml b/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml
index b1049819c..6e79935b3 100755
--- a/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml
+++ b/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml
@@ -16,3 +16,6 @@ app-layer:
   protocols:
     pgsql:
       enabled: yes
+
+detect:
+  force-applayer-findtx: true
\ No newline at end of file
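Review bot: Dropping every `pgsql.*` key and `tx_id` from this match in tests/pgsql/pgsql-7000-ids/test.yaml leaves the check asserting nothing about app-layer metadata on the pcap_cnt 87 alert, even though the commit enables detect.force-applayer-findtx precisely so that a transaction is found for such alerts; the filter now passes whether or not pgsql data is logged. If a pgsql transaction is still expected on that alert, keeping at least `has-key: pgsql` (or the `pgsql.tx_id` value the new behaviour yields) would keep the logging path under test; if the metadata is instead expected to be absent now, a `not-has-key: pgsql`, where the harness offers it, would document that. The check item whose `filter:` and `match:` this belongs to opens above the hunk, so the remaining match keys are not visible here.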