diff --git a/tests/filestore-response/README.md b/tests/filestore-response/README.md
new file mode 100644
index 000000000..f12cb98d9
--- /dev/null
+++ b/tests/filestore-response/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test filestore stores all files with one direction
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/6388
+https://redmine.openinfosecfoundation.org/issues/6392
diff --git a/tests/filestore-response/input.pcap b/tests/filestore-response/input.pcap
new file mode 100644
index 000000000..5e67b0727
Binary files /dev/null and b/tests/filestore-response/input.pcap differ
diff --git a/tests/filestore-response/suricata.yaml b/tests/filestore-response/suricata.yaml
new file mode 100644
index 000000000..f168a4151
--- /dev/null
+++ b/tests/filestore-response/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - alert
+        - http
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: no
+      stream-depth: 0
diff --git a/tests/filestore-response/test.rules b/tests/filestore-response/test.rules
new file mode 100644
index 000000000..fea9e5993
--- /dev/null
+++ b/tests/filestore-response/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"FILE HTTP filtore"; file.data; content: "123456789abcdef"; filestore:response,flow; sid:2; rev:1;)
diff --git a/tests/filestore-response/test.yaml b/tests/filestore-response/test.yaml
new file mode 100644
index 000000000..758892f9b
--- /dev/null
+++ b/tests/filestore-response/test.yaml
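Review bot: The rule's `msg` misspells the very keyword the test exercises: `msg:"FILE HTTP filtore"` should read `msg:"FILE HTTP filestore"`, since this string is what lands in the alert event the test matches on and a typo here follows into any eve output someone later greps for. The rule has no `flow:` keyword, so the `file.data`/`content` match can fire on request or response payload; that is presumably deliberate for a test of `filestore:response,flow`, but a one-line comment above the rule saying so, e.g. `# no flow: keyword on purpose - direction is left open so only the filestore option selects the response side`, would spare the next reader the question. Minor style point: `content: "123456789abcdef"` carries a space after the colon while every other keyword does not; Suricata accepts it, but the conventional form is `content:"123456789abcdef"`.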
@@ -0,0 +1,26 @@
+requires:
+  min-version: 6
+  features:
+    - HAVE_NSS
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      app_proto: http
+      event_type: fileinfo
+      fileinfo.sha256: eb076a2ec6ced9ee2e823e098446513cf5b2bb60fbcb04e6c85dc23dedaa414a
+      fileinfo.stored: true
+    count: 1
+    match:
+      app_proto: http
+      event_type: fileinfo
+      fileinfo.sha256: a87f126892a71279399ddda2dab8bbe1fcc6681b051c506e95294e71f639af72
+      fileinfo.stored: true
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
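Review bot: The `checks:` list contains a single `- filter:` item, so the second and third `count: 1` / `match:` pairs (everything from the second `fileinfo.sha256` line onward) are duplicate keys inside that one filter mapping rather than separate checks; the hunk header's 26-line count leaves no room for the two `- filter:` lines that would make them distinct entries, even though the exact indentation is lost in this rendering. Suricata-verify loads test.yaml with a YAML parser that, as far as I know, keeps the last value for a duplicate key, so only the `event_type: alert` / `alert.signature_id: 2` check is actually enforced and neither `fileinfo.stored: true` assertion ever runs — precisely the assertions that cover tickets 6388/6392, meaning a regression there would pass this test. Insert `- filter:` before the second and third `count: 1` and indent those checks' `count:`/`match:` blocks under it exactly as the first entry is, so the list has three items; it is also worth asserting `count: 2` on `event_type: fileinfo` with `fileinfo.stored: true` (no sha256) so an unexpected extra stored file is caught too.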