tests: add multipart POST filestore

regit · Jan 25, 2025 · d3319b5 · d3319b5
1 parent a5aed36
commit d3319b5
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 0 deletions.
diff --git a/tests/filestore-v2.14-multipart/README.md b/tests/filestore-v2.14-multipart/README.md
@@ -0,0 +1,4 @@
+`http-multipart-post.pcap` contains a POST request with 2 files uploaded.
+
+The signature matches on the HTTP hostname and trigger filestore. The `filestore`
+keyword triggers on the 2 files and extract them.
diff --git a/tests/filestore-v2.14-multipart/http-multipart-post.pcap b/tests/filestore-v2.14-multipart/http-multipart-post.pcap
diff --git a/tests/filestore-v2.14-multipart/suricata.yaml b/tests/filestore-v2.14-multipart/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - stats
+        - alert
+  - file-store:
+      version: 2
+      enabled: yes
+      stream-depth: 0
+      write-fileinfo: true
diff --git a/tests/filestore-v2.14-multipart/test.rules b/tests/filestore-v2.14-multipart/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"test"; http.host; content:"home"; filestore; sid:1;)
diff --git a/tests/filestore-v2.14-multipart/test.yaml b/tests/filestore-v2.14-multipart/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 2
+      match:
+        event_type: fileinfo
+        fileinfo.stored: true
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		alert http any any -> any any (msg:"test"; http.host; content:"home"; filestore; sid:1;)