From c0047335ee3e61e66f753a334314b4255ea78257 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 15 Oct 2024 14:41:16 +0200
Subject: [PATCH] datasets: test with multi-buffer and occurences in different packets

Ticket: 5576
---
 tests/datasets-delayed-multi-postmatch/README.md | 14 ++++++++++++++
 .../expected/http_match.csv | 2 ++
 tests/datasets-delayed-multi-postmatch/test.rules | 1 +
 tests/datasets-delayed-multi-postmatch/test.yaml | 15 +++++++++++++++
 4 files changed, 32 insertions(+)
 create mode 100644 tests/datasets-delayed-multi-postmatch/README.md
 create mode 100644 tests/datasets-delayed-multi-postmatch/expected/http_match.csv
 create mode 100644 tests/datasets-delayed-multi-postmatch/test.rules
 create mode 100644 tests/datasets-delayed-multi-postmatch/test.yaml

diff --git a/tests/datasets-delayed-multi-postmatch/README.md b/tests/datasets-delayed-multi-postmatch/README.md
new file mode 100644
index 000000000..b794e7276
--- /dev/null
+++ b/tests/datasets-delayed-multi-postmatch/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+Test datasets only sets when there is a full signature match.
+Test is with a signature using different keywords matching at different stages,
+and pcap having different packets making the transaction progress step by step.
+And test is using a multi-buffer to test that we only save the right occurences.
+
+https://redmine.openinfosecfoundation.org/issues/5576
+
+PCAP
+====
+
+Pcap crafted with some http server and some python client that delays or not the writing of the headers
diff --git a/tests/datasets-delayed-multi-postmatch/expected/http_match.csv b/tests/datasets-delayed-multi-postmatch/expected/http_match.csv
new file mode 100644
index 000000000..9a2e45ed0
--- /dev/null
+++ b/tests/datasets-delayed-multi-postmatch/expected/http_match.csv
@@ -0,0 +1,2 @@
+WC1maXJzdDogc2VjcmV0
+SGVhZGVyMTogZmlyc3Q=
diff --git a/tests/datasets-delayed-multi-postmatch/test.rules b/tests/datasets-delayed-multi-postmatch/test.rules
new file mode 100644
index 000000000..0a24aa480
--- /dev/null
+++ b/tests/datasets-delayed-multi-postmatch/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any ( sid: 1; http.stat_code; content: "200"; fast_pattern; http.response_header; content: "first"; dataset:set,http_match,type string,save http_match.csv; file.data; content: "later";)
diff --git a/tests/datasets-delayed-multi-postmatch/test.yaml b/tests/datasets-delayed-multi-postmatch/test.yaml
new file mode 100644
index 000000000..e8ffbcfd2
--- /dev/null
+++ b/tests/datasets-delayed-multi-postmatch/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ min-version: 8
+
+args:
+- -k none --data-dir=${OUTPUT_DIR}
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- file-compare:
+ filename: http_match.csv
+ expected: expected/http_match.csv
\ No newline at end of file
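Review bot: The single rule in test.rules does not say why fast_pattern is forced onto the three-byte `content: "200"` on http.stat_code instead of being left to the engine's choice, and it carries neither a msg nor a rev. The README explains the scenario (keywords matching at different stages, dataset only set on a full signature match), but a reader of the rule alone cannot see that the forced fast pattern is presumably what makes the prefilter hit on the status line so that the http.response_header and file.data keywords, and with them the dataset:set, are only evaluated on later packets. A comment line above the rule such as `# fast_pattern on the status code: prefilter hits on the first packet; the header/body keywords and the dataset:set must only complete on later packets` would make the fixture self-describing. Adding `msg:"datasets delayed multi-buffer postmatch"; rev:1;` is a style point that keeps the alert readable in the eve output used by the filter check.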
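Review bot: The file-compare check in test.yaml is a byte-exact comparison against expected/http_match.csv, so besides the two saved entries it also pins the order in which the dataset save writes them; if that dump order is an implementation detail of the dataset hash table rather than a guarantee, the check can fail for reasons unrelated to the behaviour under test (the dataset only being set on a full post-match). If the order is not guaranteed, consider making the expectation order-insensitive, or note in the README that the saved order is relied on to be deterministic. The `-k none` in args disables checksum verification and `--data-dir=${OUTPUT_DIR}` is what redirects the `save http_match.csv` of the rule into the output directory; a one-line comment on the args entry (`# crafted pcap: checksums not valid; data-dir so the dataset save lands in the output dir`) would document both, assuming that is the reason for `-k none`.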