From 3c71400a951975ad718cadc0eadadf04bfb32041 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Wed, 30 Oct 2024 10:05:15 +0100
Subject: [PATCH 1/3] tests: add more filestore tests

Add tests exhibiting issue on filestore

Tickets: #7346 #7347
---
.../suricata.yaml | 15 +++++++++++++
.../test.rules | 2 ++
.../filestore-v2.10-wrong-direction/test.yaml | 17 +++++++++++++++
.../filestore-v2.11-with-option/suricata.yaml | 15 +++++++++++++
tests/filestore-v2.11-with-option/test.rules | 2 ++
tests/filestore-v2.11-with-option/test.yaml | 21 +++++++++++++++++++
.../filestore-v2.12-with-option/suricata.yaml | 15 +++++++++++++
tests/filestore-v2.12-with-option/test.rules | 2 ++
tests/filestore-v2.12-with-option/test.yaml | 21 +++++++++++++++++++
9 files changed, 110 insertions(+)
create mode 100644 tests/filestore-v2.10-wrong-direction/suricata.yaml
create mode 100644 tests/filestore-v2.10-wrong-direction/test.rules
create mode 100644 tests/filestore-v2.10-wrong-direction/test.yaml
create mode 100644 tests/filestore-v2.11-with-option/suricata.yaml
create mode 100644 tests/filestore-v2.11-with-option/test.rules
create mode 100644 tests/filestore-v2.11-with-option/test.yaml
create mode 100644 tests/filestore-v2.12-with-option/suricata.yaml
create mode 100644 tests/filestore-v2.12-with-option/test.rules
create mode 100644 tests/filestore-v2.12-with-option/test.yaml

diff --git a/tests/filestore-v2.10-wrong-direction/suricata.yaml b/tests/filestore-v2.10-wrong-direction/suricata.yaml
new file mode 100644
index 000000000..66ab441dd
--- /dev/null
+++ b/tests/filestore-v2.10-wrong-direction/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - stats
+ - alert
+ - file-store:
+ version: 2
+ enabled: yes
+ stream-depth: 0
+ write-fileinfo: true
diff --git a/tests/filestore-v2.10-wrong-direction/test.rules b/tests/filestore-v2.10-wrong-direction/test.rules
new file mode 100644
index 000000000..3d7917b6c
--- /dev/null
+++ b/tests/filestore-v2.10-wrong-direction/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"alert png images"; http.uri; content:".png"; nocase; sid:1; rev:1;)
+alert http any any -> any any (msg:"store png images"; http.uri; content:".png"; nocase; filestore; sid:2; rev:1;)
diff --git a/tests/filestore-v2.10-wrong-direction/test.yaml b/tests/filestore-v2.10-wrong-direction/test.yaml
new file mode 100644
index 000000000..acd9553ad
--- /dev/null
+++ b/tests/filestore-v2.10-wrong-direction/test.yaml
@@ -0,0 +1,17 @@
+pcap: ../filestore-filecontainer-http/filecontainer-http.pcap
+
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+
diff --git a/tests/filestore-v2.11-with-option/suricata.yaml b/tests/filestore-v2.11-with-option/suricata.yaml
new file mode 100644
index 000000000..66ab441dd
--- /dev/null
+++ b/tests/filestore-v2.11-with-option/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - stats
+ - alert
+ - file-store:
+ version: 2
+ enabled: yes
+ stream-depth: 0
+ write-fileinfo: true
diff --git a/tests/filestore-v2.11-with-option/test.rules b/tests/filestore-v2.11-with-option/test.rules
new file mode 100644
index 000000000..7d7a60b8f
--- /dev/null
+++ b/tests/filestore-v2.11-with-option/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"alert png images"; http.uri; content:".png"; nocase; sid:1; rev:1;)
+alert http any any -> any any (msg:"store png images"; http.uri; content:".png"; nocase; filestore:to_client,flow; sid:2; rev:1;)
diff --git a/tests/filestore-v2.11-with-option/test.yaml b/tests/filestore-v2.11-with-option/test.yaml
new file mode 100644
index 000000000..23eaf4320
--- /dev/null
+++ b/tests/filestore-v2.11-with-option/test.yaml
@@ -0,0 +1,21 @@
+pcap: ../filestore-filecontainer-http/filecontainer-http.pcap
+
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.stored: true
diff --git a/tests/filestore-v2.12-with-option/suricata.yaml b/tests/filestore-v2.12-with-option/suricata.yaml
new file mode 100644
index 000000000..66ab441dd
--- /dev/null
+++ b/tests/filestore-v2.12-with-option/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - stats
+ - alert
+ - file-store:
+ version: 2
+ enabled: yes
+ stream-depth: 0
+ write-fileinfo: true
diff --git a/tests/filestore-v2.12-with-option/test.rules b/tests/filestore-v2.12-with-option/test.rules
new file mode 100644
index 000000000..a2925b691
--- /dev/null
+++ b/tests/filestore-v2.12-with-option/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"alert png images"; http.uri; content:".png"; nocase; sid:1; rev:1;)
+alert http any any -> any any (msg:"store png images"; http.uri; content:".png"; nocase; filestore:to_client,tx; sid:2; rev:1;)
diff --git a/tests/filestore-v2.12-with-option/test.yaml b/tests/filestore-v2.12-with-option/test.yaml
new file mode 100644
index 000000000..23eaf4320
--- /dev/null
+++ b/tests/filestore-v2.12-with-option/test.yaml
@@ -0,0 +1,21 @@
+pcap: ../filestore-filecontainer-http/filecontainer-http.pcap
+
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.stored: true
From 8ab24c4162b93ea13bf3373bef659db1d440d539 Mon Sep 17 00:00:00 2001
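Review bot: The `count: 1` expected for `fileinfo.stored: true` in this v2.11 test.yaml hunk (and in the byte-identical v2.12 test.yaml hunk further along this line) is given without explanation, and the commit message says these tests exhibit an open issue (Tickets #7346 #7347), so a reader cannot tell whether 1 is the number of files `filestore:to_client,flow` / `filestore:to_client,tx` should store from filecontainer-http.pcap or the number Suricata 8 stores today. A one-line YAML comment above that filter, e.g. `# expected stored-file count for this pcap; see Tickets #7346 #7347 before changing`, would let a later fix be told apart from a regression. The two test.rules differ only in the scope argument (`flow` vs `tx`) yet both expect exactly one stored file, which is worth stating as intentional if it is.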
From: Eric Leblond
Date: Sat, 2 Nov 2024 09:46:21 +0100
Subject: [PATCH 2/3] tests: filestore with fileinfo counter

Make sure the result are correct with regards to filestore keyword impact.
---
tests/filestore-v2.10-wrong-direction/test.yaml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tests/filestore-v2.10-wrong-direction/test.yaml b/tests/filestore-v2.10-wrong-direction/test.yaml
index acd9553ad..90b3c2dff 100644
--- a/tests/filestore-v2.10-wrong-direction/test.yaml
+++ b/tests/filestore-v2.10-wrong-direction/test.yaml
@@ -14,4 +14,12 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 2
-
+ - filter:
+ count: 0
+ match:
+ event_type: fileinfo
+ fileinfo.stored: true
+ - filter:
+ count: 11
+ match:
+ event_type: fileinfo
From b3949509ad147d6a2f0cf6c0a71bf25ce286c872 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 19 Dec 2024 22:10:04 +0100
Subject: [PATCH 3/3] tests: filestore and file.data combination

---
tests/filestore-v2.13-filedata/README.md | 5 +++++
tests/filestore-v2.13-filedata/suricata.yaml | 15 +++++++++++++++
tests/filestore-v2.13-filedata/test.rules | 1 +
tests/filestore-v2.13-filedata/test.yaml | 12 ++++++++++++
tests/filestore-v2.13-filedata/toto.pcap | Bin 0 -> 5646 bytes
5 files changed, 33 insertions(+)
create mode 100644 tests/filestore-v2.13-filedata/README.md
create mode 100644 tests/filestore-v2.13-filedata/suricata.yaml
create mode 100644 tests/filestore-v2.13-filedata/test.rules
create mode 100644 tests/filestore-v2.13-filedata/test.yaml
create mode 100644 tests/filestore-v2.13-filedata/toto.pcap

diff --git a/tests/filestore-v2.13-filedata/README.md b/tests/filestore-v2.13-filedata/README.md
new file mode 100644
index 000000000..bfb3561ba
--- /dev/null
+++ b/tests/filestore-v2.13-filedata/README.md
@@ -0,0 +1,5 @@
+The pcap file contains 3 HTTP requests:
+- GET on /toto url
+- POST on /toto url with toto content
+- POST on /toto url with tata content
+
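Review bot: The added `count: 0` filter on `event_type: fileinfo` with `fileinfo.stored: true` asserts that no file is stored, while the context lines just above assert that sid 2, the plain `filestore;` signature, alerted once; together with the directory name "wrong-direction" this reads as pinning the behaviour the tickets report rather than the intended one, and a comment saying which is meant would stop a future fix from looking like an unexplained regression. The `count: 11` on the unqualified `event_type: fileinfo` filter is a bare constant; a comment such as `# total fileinfo events emitted for filecontainer-http.pcap` would show what it measures. If these counts are expected to flip once the issue is fixed, saying so in the commit message or in test.yaml would help too.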
diff --git a/tests/filestore-v2.13-filedata/suricata.yaml b/tests/filestore-v2.13-filedata/suricata.yaml
new file mode 100644
index 000000000..66ab441dd
--- /dev/null
+++ b/tests/filestore-v2.13-filedata/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - stats
+ - alert
+ - file-store:
+ version: 2
+ enabled: yes
+ stream-depth: 0
+ write-fileinfo: true
diff --git a/tests/filestore-v2.13-filedata/test.rules b/tests/filestore-v2.13-filedata/test.rules
new file mode 100644
index 000000000..7c1cdd779
--- /dev/null
+++ b/tests/filestore-v2.13-filedata/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.uri; content: "toto"; filestore; file.data; content: "tata"; sid:1;)
diff --git a/tests/filestore-v2.13-filedata/test.yaml b/tests/filestore-v2.13-filedata/test.yaml
new file mode 100644
index 000000000..59b60a760
--- /dev/null
+++ b/tests/filestore-v2.13-filedata/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
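Review bot: The single rule in this test.rules hunk has no `msg` and no `rev`, unlike the rules in the v2.10–v2.12 tests earlier in the series, and writes `content: "toto"` with a space where the others use `content:".png"`; for consistency I would write `alert http any any -> any any (msg:"store toto uri with tata data"; http.uri; content:"toto"; filestore; file.data; content:"tata"; sid:1; rev:1;)`. The test.yaml matches on `alert.signature_id` only, so adding `msg` and `rev` does not change what is checked.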
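Review bot: The checks in this test.yaml hunk verify only that sid 1 alerts once, so a test named after the `filestore` + `file.data` combination never asserts whether a file was actually stored; a second filter on `event_type: fileinfo` with `fileinfo.stored: true` and the count the ticket expects would pin the behaviour the title describes. Per the README hunk earlier in this series only the third request carries the "tata" body matched by `file.data`, so one alert is consistent, but the storage outcome is what the filestore keyword adds. The `-k none` argument disables checksum verification, presumably because toto.pcap was hand-crafted; a sentence in the README saying so would save the next reader the guess.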
diff --git a/tests/filestore-v2.13-filedata/toto.pcap b/tests/filestore-v2.13-filedata/toto.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7c3723f2d3d652cab80ff2a056b20ebf6cfcccec GIT binary patch literal 5646 zcmdUzdu$X%9LKlEL7RgEG{k_A+_cev$i4dDaURV9aR%ea1*0L))cNL#4(!hvGbR^DBQV->_>Gsk!D!rF zCpYDvN3(e1L--|(xV?G`+{}>Yu`CNYkE`G~ceBaEdB&YPv;{)J>*@`Q=i;~>V~_+f zUmuoZzK$`s)h*_+pT)dNm&|cUc6Twd#dGz>+168!1Krs9;K-F!GSV4&J&+f}NO-9m zjk&maJdODzBPU`u0)5Wb$p&tC7Q~n%$BR_dcNY-*0EL&jQR21c36%J7M&eW;p4Sqq zSFWicc1e^(vb3hA+U~SD&8DSdOmdNs=<|kxcst+WaF|VNV|>)QsGb+#nXfS#vd_0U z>FbMpK0X4Sv+c9ZrZQ2G;1z2nFVssx7b#Y{YBooB7x6|Sp$4B*Sn~O!7T4$Z>g4;CQJU zm2as1G9?yeB%*wGwDKi1bC42;ldKhDjgg2Lm3Ti1^HNaslUXxS;F*t^O>6k*Mn38y zYZ}6l5Kq5z*yfVz&G4RJFS0ocZS&2ha<2pu)dU;o5a$9?&ihEAqp+A1I$chut7I-& zQdL9s6nGyB2#E-ZF+NpdiQgpIgHky3gfHlg#&~IAqZF_LJ~cT-CG${iRC+e(qEo15 zT2{xIE{Q_zfI=P2rt~}@z5^=brEaKn&KvC?Be8uqBPMb;NOK2DkG!H)+MQp%vaIIm z>I$gSs>)K68|OztUZH+r0WTDkng}#^koWrKTly2S;3Z6h0xCk{P5M}BkV1TEMKmf# zNtBO8L?Onz?Q*ZovnxRNbE1EAB%bG;h9d| z*it`|gGDCcH$`CjbRkhbu@bq+h+pJmL=YvCs7E3N8)8I^@KO4<0(INvNx5mYl+r?2 zpkD|RX(1eAX;TW}^g1YnzcMYk<+{Z7Pw0~Soe||iIK7S*!ULK2z!!Ci&68-1M;TES zxh&yzN?N?}wzcFGW#`O?mXQq96CM>A!KN_;RE?4~NXk7P5uf_9F>G3jLJn61G zFb(_BXK=Ju7%hwI8m%LvbKN7oNQ4o~nd>6?XcjWvFx_pHsLcK_Q)aiv;xQci^%*3k zyKcB2`&rCqbjcitWVP$=_N*S>cM<3t(p@*)-&PmyXXFoooP9HEtD-SWDKT#V`Xy~P zWh$!B2gE%PJ6`HWRcL8jL5cYpiD(-yu+2;+E~&V;rfW7~jB(vrci+Gmg&$aq77x|) z66kqQyM-&WK6b~z{Rz{>OWo+Kf9n2{673m@IO~DrtmBxSq*)d_ipi4=A)fA00kKg4 z&;Qr{Sm<)hyXXE`RD%A9;+_F1bV_O^Er2MKBC!k(t{&dMB}H76B96o>K->x5h?lxi zf85r66N%xyj3}pT{}!4q^v5QRxbgekAE6{ttuE=0+EP*6E6rxLmWWkmB`ZWQKcSw4 zy^=2owkQR8Qs1zV7s%Sx%M@0s6JmmH>ZiP#ru=!9ASLAodbCa$PNsZNm)QLkT~FUL zqMY&rJv8MS-%^N{pLNS}6^${%h^iQ`X`N6Z+H{HCw`h#tF=8UdYY^kRDSIcKwH0)H z^+awqCmerw;%J=k&|!N{6_PLOlDRY|+!MK4_ACMVu5>4C zX>F@(X=UUdAZOpUy1u3{f148XE}-XYvnf+C*1VIsI_J->eo9=Dk%*p|Lge^ z4#YUw2{760@&$}I+1|5kvK9|bO#ZaJW~+ABSLEwBm8*0942(tM7pgxrRYa68dH$4% 
zNlX3j&!2@ZXVE?PSNZ&jO78<*vMb#cr)4$3l$IBl*$RbvJDbwyfSCRK8G!#ofznSg zVj_39Y3|Tpljl!a>HFMY?~n5*7QzSmg)l%1A