From 7ae219e1cf52d0e0f563887c950201252e1fc048 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Mon, 18 Dec 2023 13:46:03 +0530
Subject: [PATCH] add test for bug 6617
---
tests/bug-6617/README.md | 13 +++++++++++++
tests/bug-6617/suricata.yaml | 14 ++++++++++++++
tests/bug-6617/test.rules | 1 +
tests/bug-6617/test.yaml | 15 +++++++++++++++
4 files changed, 43 insertions(+)
create mode 100644 tests/bug-6617/README.md
create mode 100644 tests/bug-6617/suricata.yaml
create mode 100644 tests/bug-6617/test.rules
create mode 100644 tests/bug-6617/test.yaml
diff --git a/tests/bug-6617/README.md b/tests/bug-6617/README.md
new file mode 100644
index 000000000..1a9631cc8
--- /dev/null
+++ b/tests/bug-6617/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+If the file transfer is happening in one direction, it should only
+be stored/logged in that direction when `filestore:flow, to_server`
+type of syntax defines the direction.
+
+## PCAP
+
+Comes from the test `filestore-v2.1-forced`.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6617
diff --git a/tests/bug-6617/suricata.yaml b/tests/bug-6617/suricata.yaml
new file mode 100644
index 000000000..d8c979c76
--- /dev/null
+++ b/tests/bug-6617/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - alert
+ - http
+ - file-store:
+ version: 2
+ enabled: yes
+ stream-depth: 0
diff --git a/tests/bug-6617/test.rules b/tests/bug-6617/test.rules
new file mode 100644
index 000000000..2a837c186
--- /dev/null
+++ b/tests/bug-6617/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"Filestore toserver"; filestore:to_server,flow; sid:1; rev:1;)
diff --git a/tests/bug-6617/test.yaml b/tests/bug-6617/test.yaml
new file mode 100644
index 000000000..2aa9a47ce
--- /dev/null
+++ b/tests/bug-6617/test.yaml
@@ -0,0 +1,15 @@
+pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap
+
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: 291389dc5926982448d90e551689ef857650c0ad4fa656841e687d984609ec02
+ fileinfo.stored: false
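Review bot: The only check in `checks:` would also pass if the rule in test.rules never matched at all, because a file that is simply never stored still reports `fileinfo.stored: false`; the test cannot tell "direction honoured" from "filestore never triggered". Since `alert` is enabled in this test's eve-log types, a filter on `event_type: alert` with `alert.signature_id: 1` (count to be confirmed against the pcap) would pin that sid 1 actually fired. A `count: 0` filter on stored files, as sketched below, would additionally catch any other file in the pcap being written in the wrong direction; this assumes the pcap carries no to-server file transfer, which the pcap name suggests but the hunk does not show.

```yaml
checks:
# … unchanged: existing sha256 / fileinfo.stored: false filter …
- filter:
    count: 0
    match:
      event_type: fileinfo
      fileinfo.stored: true
```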