datasets: add tests for string memcap

Ticket 3910

tests/datasets-memcap-01/README.md

@@ -0,0 +1,14 @@
+Test Description
+================
+
+This test demonstrates that the memcap settings DO NOT take the string length into account in 7.0.x or below.
+
+PCAP
+====
+
+Comes from existing test `flowbit-oring`.
+
+Related tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/3910

tests/datasets-memcap-01/datasets.csv

@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=

tests/datasets-memcap-01/test.rules

@@ -0,0 +1 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv,memcap 88074,hashsize 1; sid:1;)

tests/datasets-memcap-01/test.yaml

@@ -0,0 +1,18 @@
+pcap: ../flowbit-oring/input.pcap
+
+requires:
+  lt-version: 8
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1

tests/datasets-memcap-02/README.md

@@ -0,0 +1,14 @@
+Test Description
+================
+
+This test demonstrates that the memcap settings take the string length into account in 8.0.x.
+
+PCAP
+====
+
+Comes from existing test `flowbit-oring`.
+
+Related tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/3910

tests/datasets-memcap-02/datasets.csv

@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=

tests/datasets-memcap-02/test.rules

@@ -0,0 +1 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv,memcap 88074,hashsize 1; sid:1;)

tests/datasets-memcap-02/test.yaml

@@ -0,0 +1,15 @@
+pcap: ../flowbit-oring/input.pcap
+
+requires:
+  min-version: 8
+  os: linux
+
+exit-code: 1
+
+args:
+ - -k none
+
+checks:
+    - shell:
+        args: grep "dataset too large for set memcap" suricata.log | wc -l
+        expect: 1