From a7ece356518a4ae46989a8d9574b02cd1b1da266 Mon Sep 17 00:00:00 2001
From: Andreas Herz
Date: Tue, 11 Jun 2024 17:44:02 +0200
Subject: [PATCH] tests: add test to verify unmatched signatures does not write to dataset

Related to https://redmine.openinfosecfoundation.org/issues/5576
---
 tests/datasets-validate-postmatch/README.md | 7 ++++++
 tests/datasets-validate-postmatch/input.pcap | Bin 0 -> 1929 bytes
 tests/datasets-validate-postmatch/test.rules | 4 +++
 tests/datasets-validate-postmatch/test.yaml | 25 +++++++++++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 tests/datasets-validate-postmatch/README.md
 create mode 100644 tests/datasets-validate-postmatch/input.pcap
 create mode 100644 tests/datasets-validate-postmatch/test.rules
 create mode 100644 tests/datasets-validate-postmatch/test.yaml

diff --git a/tests/datasets-validate-postmatch/README.md b/tests/datasets-validate-postmatch/README.md
new file mode 100644
index 000000000..a8ccb5a9a
--- /dev/null
+++ b/tests/datasets-validate-postmatch/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test datasets only sets when there is a full signature match.
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5576
diff --git a/tests/datasets-validate-postmatch/input.pcap b/tests/datasets-validate-postmatch/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a554c13c8469891db8ed26baf6c4a2625cb99f89 GIT binary patch literal 1929 zcmaKtc~BEq9LL}0Lej1Q2P)8ETn{v$A-hWsvbDt|M1l|uC6U9UlP1fug4vj?fG|@j zvGmZwP)o7xjA*B{cI-^OYKvnlRXpnWhgUu7(GEI9rFLx9X^V{XZBi-*#+|&G&D-}r z@B96}_uD;pc=t9DkbwWM1ppxM58Cyf>l9D`6TBB1NL-G@CxWRD0f?CdEC6VRXDt9t zGJT2s)i~1NFv>fh{cl-L?W6DiJi$2T9_DSMYs{7 zBLsj}# ziNmj}`ZRK36<)#Dq>-kE>=M?VudlO|E~(G0DK2(8*hS8K z6T3varf7|pfg^Qrl)t(}UtC_cvZ2~+F&28O%dC3FZ1vgUqrwVCQ)F}6jA>c9nAPF1 ztBFhkm76)Qmv-|k=cTX$n)a!THEb=7%8hO}?c*sdL!E)jodMdfGBUImcGy_Ap9^r6 zyvpof>*G12Jzq`WnK&x9asl|9a|e8x9+qL^RSgH z?U`sToWcqCi;OOz{k628!Yt+zOzEz2sj~@#Asv;Mslt{i%$g4s3C0C~g|wI9t0+vP zhvx>BAa7-~H&~F;(OGgsNLHtpnYqUu{gj+HARd`os_Q z^|a-*hEKR}{l3zDv}$TkZ>T`C{f+$w(a*2V|Lx#O#ftkG)th&&B7e-jL}_k{+qUMg zpEv#^Px)eZ>vuV+-<-LoRurFGFTH*5kh|0L(x7GFoofR((|7frH9b3|yZ5|r(*y8k zCVihyn0~eI^2#PdSD!vtasHh0dh;Vjksq+{t3BFzr0o6nwik>9*%3PS_oIf=tPOEj z(>C3D*t_06UntdGbC9RKDCdM$COSS#*Xu)40A{66_F_h>Ji*i^Q*0S_zTGl`hiloTCm}aFjkR%26M5bip1Ef>$ylln+|QP{wP?2x}>i(sBW&dnBChZUFuTp_xv{ literal 0 HcmV?d00001 diff --git a/tests/datasets-validate-postmatch/test.rules b/tests/datasets-validate-postmatch/test.rules new file mode 100644 index 000000000..a028fa089 --- /dev/null +++ b/tests/datasets-validate-postmatch/test.rules 
@@ -0,0 +1,4 @@ +# this will not match, and thus not write to the dataset +alert http any any -> $HOME_NET any (msg:"HTTP learning"; flow:established,to_client; http.content_type; content:"noone"; http.server; content:"ECS"; fast_pattern; dataset:set,http_none,type string,state output/none.intel; sid:2; rev:1; priority:2;) +# this will match, and thus write to the dataset +alert http any any -> $HOME_NET any (msg:"HTTP learning"; flow:established,to_client; http.content_type; content:"ocsp"; http.server; content:"ECS"; fast_pattern; dataset:set,http_match,type string,state output/match.intel; sid:3; rev:1; priority:2;) diff --git a/tests/datasets-validate-postmatch/test.yaml b/tests/datasets-validate-postmatch/test.yaml new file mode 100644 index 000000000..4f4e4b73e --- /dev/null +++ b/tests/datasets-validate-postmatch/test.yaml @@ -0,0 +1,25 @@ +requires: + min-version: 8 + +args: + - -k none + +checks: + # only sid 3 should trigger + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 + # data should only be written to one dataset + - shell: + args: cat none.intel | wc -l | xargs + expect: 0 + - shell: + args: cat match.intel | wc -l | xargs + expect: 1
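Review bot: It is not clear from sid 2 alone that the engine reaches `dataset:set` before the signature fails, which is what a regression test for the post-match behaviour needs to exercise. The failing condition (`http.content_type; content:"noone"`) is written before the `http.server` buffer that carries `dataset:set`; if the content_type buffer is inspected first, the rule is rejected before the dataset keyword runs at all, and this test would pass even on a build without the post-match fix (inferred from keyword order, not verified against the inspect-engine ordering). A variant that places the non-matching condition after the dataset keyword on the same buffer, e.g. `http.server; content:"ECS"; fast_pattern; dataset:set,http_none,type string,state output/none.intel; content:"<value-not-in-server-header>";`, would pin the intended behaviour regardless of buffer inspection order. The comment on the first rule should also state why it fails, e.g. `# content_type never contains "noone": the signature does not fully match, so dataset:set must not write`.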
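Review bot: The `cat none.intel | wc -l | xargs` check with `expect: 0` cannot distinguish an empty state file from a missing one, because cat's error goes to stderr and `wc -l` still prints `0` on empty input. The check therefore also passes if the dataset state file was never created, or if the shell check runs in a directory other than the one `state output/none.intel` resolves to (the relative paths differ between the rule and the check, so this is an assumption about the runner's working directory). Guarding on existence, `args: test -f none.intel && cat none.intel | wc -l | xargs`, makes that case fail instead of silently passing. The `match.intel` check is not affected, since `expect: 1` already rules out a missing file, but it would be consistent to guard it the same way.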