From 9e66688aa42815392ecf49eda9bb493373967ed6 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 1 Aug 2024 21:21:13 +0200
Subject: [PATCH] datasets: test with delayed set postmatch

Ticket: 5576

Signature full match does not happen on first packet inspected, but signature gets stored as partially matching so far, and then postmatch retreieves the buffer to set in the dataset.
---
 tests/datasets-delayed-postmatch/README.md | 14 ++++++++++++
 .../expected/http_match.csv | 1 +
 tests/datasets-delayed-postmatch/input.pcap | Bin 0 -> 1182 bytes
 tests/datasets-delayed-postmatch/test.rules | 2 ++
 tests/datasets-delayed-postmatch/test.yaml | 21 ++++++++++++++++++
 5 files changed, 38 insertions(+)
 create mode 100644 tests/datasets-delayed-postmatch/README.md
 create mode 100644 tests/datasets-delayed-postmatch/expected/http_match.csv
 create mode 100644 tests/datasets-delayed-postmatch/input.pcap
 create mode 100644 tests/datasets-delayed-postmatch/test.rules
 create mode 100644 tests/datasets-delayed-postmatch/test.yaml

diff --git a/tests/datasets-delayed-postmatch/README.md b/tests/datasets-delayed-postmatch/README.md
new file mode 100644
index 000000000..a073a6dd2
--- /dev/null
+++ b/tests/datasets-delayed-postmatch/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+Test datasets only sets when there is a full signature match.
+Test is with a signature using different keywords matching at different stages,
+and pcap having different packets making the transaction progress step by step.
+
+https://redmine.openinfosecfoundation.org/issues/5576
+
+PCAP
+====
+
+Pcap crafted with some http server and some python client that delays or not the writing of the headers
+
diff --git a/tests/datasets-delayed-postmatch/expected/http_match.csv b/tests/datasets-delayed-postmatch/expected/http_match.csv
new file mode 100644
index 000000000..352340277
--- /dev/null
+++ b/tests/datasets-delayed-postmatch/expected/http_match.csv
@@ -0,0 +1 @@
+L3BhZ2U/cGFyYW09dmFsdWU=
diff --git a/tests/datasets-delayed-postmatch/input.pcap b/tests/datasets-delayed-postmatch/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..41fc99473f59ea6b92a2b1c74e4157aaa7c365a8
GIT binary patch
literal 1182
zcmb7^L2DC17>2*3q3S?DS`UE=otse-lT90vu7qZ5OIM;;%AyAkGOW|AuqJ7`5rv>V zOalC4eGb#c_a#03pim)U>g856+iQMhY ld+%sagz;mox4?AxDMVjdhD^sqig8XUqJmIK@EX^962|i0hp*xQTjLm #bL+3(5sX5v3tMHLX%jg6t`qu(|ONZW5j)q+)>BW=eIiOr)}k0h2~l0Tzd;}3Ee2l zuQ!=P#&Y$y-(28lINgr6<@;rnUxqOPw-Edvg7%NEYY6bB|BAy#s>fM5g`Cp>zX0SpB}o7P

literal 0
HcmV?d00001

diff --git a/tests/datasets-delayed-postmatch/test.rules b/tests/datasets-delayed-postmatch/test.rules
new file mode 100644
index 000000000..d0ffafcc0
--- /dev/null
+++ b/tests/datasets-delayed-postmatch/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any ( sid: 1; http.uri; content: "param"; fast_pattern; pcre: "/param=(.*)/,flow:paramval"; http.request_header; content: "Header1";)
+alert http any any -> any any ( sid: 2; http.uri; content: "param"; fast_pattern; dataset:set,http_match,type string,save http_match.csv; http.request_header; content: "Header1";)
\ No newline at end of file
diff --git a/tests/datasets-delayed-postmatch/test.yaml b/tests/datasets-delayed-postmatch/test.yaml
new file mode 100644
index 000000000..c3e88184d
--- /dev/null
+++ b/tests/datasets-delayed-postmatch/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 8
+
+args:
+- -k none --data-dir=${OUTPUT_DIR}
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ #TODO ticket 7197 metadata.flowvars[0].paramval: value
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- file-compare:
+ filename: http_match.csv
+ expected: expected/http_match.csv
\ No newline at end of file
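Review bot: Neither rule in the test.rules hunk carries a `msg`, so in eve.json the two alerts can only be told apart by `alert.signature_id`, and a reader of the count checks in test.yaml has to come back here to learn that sid 1 exercises the pcre flowvar and sid 2 the dataset; adding `msg:"flowvar set after delayed full match";` to sid 1 and `msg:"dataset set after delayed full match";` to sid 2 would make alerts and checks self-describing. The hunk also ends with `\ No newline at end of file`; a trailing newline on the sid 2 line removes the marker and keeps the file appendable. Sid 2's `save http_match.csv` appears to be resolved under the `--data-dir=${OUTPUT_DIR}` passed in test.yaml, which is what lets the expected-file comparison find it; a one-line comment at the top of the rules file saying so would protect whoever later changes the args.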
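Review bot: The `file-compare` check at the end of the test.yaml hunk can only catch the regression from ticket 5576 if the partially matching request in the pcap carries a different http.uri than the fully matching one: dataset `set` entries are keyed on the buffer value, so a wrongful set on the partial match with an identical URI would still produce the single expected line `L3BhZ2U/cGFyYW09dmFsdWU=`. I cannot see the pcap payloads, so this may already hold; if it does, a sentence in the README naming which request lacks `Header1` and what its URI is would make the intent verifiable, and if it does not, a second request with a distinct URI and no `Header1` would make the comparison meaningful. The `count: 1` filters on sid 1 and sid 2 do rule out an alert on the partial match, so the alert side of the regression is covered regardless. The commented `#TODO ticket 7197` line inside the `match:` mapping is harmless, but the file ends with `\ No newline at end of file`, which a trailing newline would fix.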