diff --git a/tests/rule-hooks/http-body-hook-01/README.md b/tests/rule-hooks/http-body-hook-01/README.md
new file mode 100644
index 000000000..b04d06a02
--- /dev/null
+++ b/tests/rule-hooks/http-body-hook-01/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/2369
diff --git a/tests/rule-hooks/http-body-hook-01/input.pcap b/tests/rule-hooks/http-body-hook-01/input.pcap
new file mode 100644
index 000000000..a4a7500eb
Binary files /dev/null and b/tests/rule-hooks/http-body-hook-01/input.pcap differ
diff --git a/tests/rule-hooks/http-body-hook-01/test.rules b/tests/rule-hooks/http-body-hook-01/test.rules
new file mode 100644
index 000000000..44b3fe731
--- /dev/null
+++ b/tests/rule-hooks/http-body-hook-01/test.rules
@@ -0,0 +1,6 @@
+alert http1:response_not_started any any -> any any (sid:1;)
+alert http1:response_line any any -> any any (sid:2;)
+alert http1:response_headers any any -> any any (sid:3;)
+alert http1:response_body any any -> any any (sid:4;)
+alert http1:response_trailer any any -> any any (sid:5;)
+alert http1:response_complete any any -> any any (sid:6;)
diff --git a/tests/rule-hooks/http-body-hook-01/test.yaml b/tests/rule-hooks/http-body-hook-01/test.yaml
new file mode 100644
index 000000000..eefcb02c2
--- /dev/null
+++ b/tests/rule-hooks/http-body-hook-01/test.yaml
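Review bot: None of the six rules in test.rules carries a `msg` keyword, so the EVE alert records the test counts will have no signature name and the file itself gives no hint of what each sid is meant to exercise. A header comment such as `# One rule per http1 response hook; sid N fires on the hook named in its protocol field` would document the intent in place, and adding e.g. `msg:"http1 response_body hook";` to each rule would make the eve output self-describing when a count check fails. The hook names (`response_not_started` … `response_complete`) are taken as given from the hunk; I have not verified them against the engine's keyword table.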
@@ -0,0 +1,39 @@
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/~regit/ids-suricata-esiea.pdf"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1 # not started
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2 # request_line
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3 # header
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4 # body update
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5 # trailer
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6 # complete
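Review bot: The comment on the sid 2 check reads `# request_line`, but sid 2 in test.rules is `http1:response_line`, so the comment contradicts the rule it counts; it should read `alert.signature_id: 2 # response_line`, and for consistency the sid 3 and sid 4 comments could name the hooks as well (`# response_headers`, `# response_body`). The expected `count: 443` for sid 4 is a property of how this particular pcap's response body is delivered to the body hook, which is not stated anywhere in the test; a one-line comment on that check explaining that the number is the number of body updates seen for the pcap referenced in the README would keep the next maintainer from treating a changed count as a regression without checking the pcap. Whether 443 corresponds to TCP segments or to parser-level body chunks cannot be told from the hunk, so the comment should say which once confirmed.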