WIP

tests/rule-hooks/http-body-hook-01/test.rules

@@ -0,0 +1,6 @@
+alert http1:response_not_started any any -> any any (sid:1;)
+alert http1:response_line any any -> any any (sid:2;)
+alert http1:response_headers any any -> any any (sid:3;)
+alert http1:response_body any any -> any any (sid:4;)
+alert http1:response_trailer any any -> any any (sid:5;)
+alert http1:response_complete any any -> any any (sid:6;)

tests/rule-hooks/http-body-hook-01/test.yaml

@@ -0,0 +1,41 @@
+requires:
+  min-version: 8
+
+pcap: ../../issue-1882/input.pcap
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: http
+      http.url: "/index.php?action=3&current_dir=/bin/&filename=systemd"
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 1 # not started
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 2 # request_line
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 3 # header
+- filter:
+    count: 108
+    match:
+      event_type: alert
+      alert.signature_id: 4 # body update
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 5 # trailer
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 6 # complete