add test for base64_data w fast_pattern

inashivb · victorjulien · commit f8eaf95e1f13 · 2024-04-15T10:08:40.000+02:00
Bug 6859
diff --git a/tests/bug-6859/README.md b/tests/bug-6859/README.md
@@ -0,0 +1,9 @@
+# Test Description
+This test demonstrates that fast_pattern along with base64_data
+should lead to an Info message about it being an ineffective operation.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/6859
diff --git a/tests/bug-6859/test.rules b/tests/bug-6859/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
diff --git a/tests/bug-6859/test.yaml b/tests/bug-6859/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  pcap: false
+  version: 7
+
+args:
+  - --engine-analysis
+
+checks:
+    - shell:
+        args: grep "fast_pattern is ineffective with base64_data" suricata.log | grep "Info" | wc -l
+        expect: 1

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)`