diff --git a/tests/bug-4623/input.pcap b/tests/bug-4623/input.pcap new file mode 100644 index 000000000..c4b257728 Binary files /dev/null and b/tests/bug-4623/input.pcap differ diff --git a/tests/bug-4623/test.rules b/tests/bug-4623/test.rules new file mode 100644 index 000000000..f77b24816 --- /dev/null +++ b/tests/bug-4623/test.rules @@ -0,0 +1,8 @@ +#1. (success) the following signature matches up to the second last byte in the buffer in [random_tcp.pcap]. A negative post_offset is used and the following pcre matches up to the end of the buffer. +drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|3a 01 e8 ed 0f|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\x7c\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:1; ) + +#2. (success) we write a signature to match and move the pointer to the last byte, and we see that content does successfully match the last byte. +drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; sid:2; ) + +#3 (success) the following signature matches up to the last byte in the buffer as in 2. The same negative post_offset is used and we try to match values immediately after where the pointer should be. This signature does not match. +drop tcp any any -> any any ( msg:"Test"; rev:1; content:"|01 e8 ed 0f 54|"; byte_jump:0,0,relative,post_offset -7; pcre:"/^\xe0\x3a\x01\xe8\xed\x0f\x54/R"; sid:3; ) diff --git a/tests/bug-4623/test.yaml b/tests/bug-4623/test.yaml new file mode 100644 index 000000000..070b6e857 --- /dev/null +++ b/tests/bug-4623/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 7.0.3 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + +