From a60b1432789ad8499ad0c8c8801733ef9485fdd0 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 10 Oct 2023 12:04:48 +0200
Subject: [PATCH] Adds a test about filestore

That it does not store too many files
---
 tests/filestore-dont/README.md | 11 +++++++++++
 tests/filestore-dont/input.pcap | Bin 0 -> 3776 bytes
 tests/filestore-dont/suricata.yaml | 15 +++++++++++++++
 tests/filestore-dont/test.rules | 1 +
 tests/filestore-dont/test.yaml | 13 +++++++++++++
 5 files changed, 40 insertions(+)
 create mode 100644 tests/filestore-dont/README.md
 create mode 100644 tests/filestore-dont/input.pcap
 create mode 100644 tests/filestore-dont/suricata.yaml
 create mode 100644 tests/filestore-dont/test.rules
 create mode 100644 tests/filestore-dont/test.yaml

diff --git a/tests/filestore-dont/README.md b/tests/filestore-dont/README.md
new file mode 100644
index 000000000..b1dd64828
--- /dev/null
+++ b/tests/filestore-dont/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test filestore does not store too much
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/6390
+
+# PCAP
+
+The pcap was manually crafted to have HTTP/1 pipelining POST request with multipart files when the first response is not over 
diff --git a/tests/filestore-dont/input.pcap b/tests/filestore-dont/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5e67b07276ab3d3fc95d7c6ec22a9083fcfa71e9
GIT binary patch
literal 3776
zcmeH~&2G~`5P;WC+6IFm;)pn`atc+P*shzVsVY^Xg-Re|RCC8o*2R+l6mOK|#Ix`U
zyaKPlt8flG?7B^CO068YB$h^5Te~x}-~8<6=a28-WK>1jvsm!ai(fB4!^jdMv)>DZ
zbcD{(*)Bp~5t2aE7P9Lwkv)mbSIgDKLaJ2uK!?P>KcoZMY74V@Opla2FX{l>Eg`~>
z<~@E$nCY53IxP
QSaEj9*&5&Y3~4ehe4h(x*!~~O!JUME;cce_A|)#;EDw@@e>mG5h=uSI-R!f;+X}&
nJ1)=!%0B>#2wR)7mq`2+jK&G}{D5#TKaeSQ$c*CicsL1J
&bH}{Hf|G`^P_A+Ckb3Xg5A9N$FsIq=6~}_(|ED7)`wcG&_P787kUvdc4@zkWSZsS
rqyhIzfi+_rP;|_c1!&p*wsq2t8Cfj*gXPvLU_%hLe28CL#7y2Z_f_ku9W6p-Ez-y
e_Wc~&X!${-4kHPk`;vKtX#-he$MP}*)6flpF5lO4n0d1y$*Wb!~L$d((j(KH8(=U
n+F|~l&GW9dl6NKk%&gvN?*aoZKVv2}A;Rpdd(4vMYZdwpyz!QC

literal 0
HcmV?d00001

diff --git a/tests/filestore-dont/suricata.yaml b/tests/filestore-dont/suricata.yaml
new file mode 100644
index 000000000..f168a4151
--- /dev/null
+++ b/tests/filestore-dont/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - alert
+ - http
+ - file-store:
+ version: 2
+ enabled: yes
+ force-filestore: no
+ stream-depth: 0
diff --git a/tests/filestore-dont/test.rules b/tests/filestore-dont/test.rules
new file mode 100644
index 000000000..cce790919
--- /dev/null
+++ b/tests/filestore-dont/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"FILE HTTP filtore"; http.uri; content: "pipeline"; filestore:both,flow; sid:2; rev:1;)
diff --git a/tests/filestore-dont/test.yaml b/tests/filestore-dont/test.yaml
new file mode 100644
index 000000000..6530edebb
--- /dev/null
+++ b/tests/filestore-dont/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: eb076a2ec6ced9ee2e823e098446513cf5b2bb60fbcb04e6c85dc23dedaa414a
+ fileinfo.stored: false
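Review bot: `force-filestore: no` in the file-store block is load-bearing for this test — with it set to yes every extracted file would be stored and the `fileinfo.stored: false` check in test.yaml could never pass — but nothing in the config says so. A one-line comment next to it, such as `# must stay off: the test asserts that a file is NOT stored`, would keep a later config cleanup from flipping it. `stream-depth: 0` likewise appears to be there so that the storing decision depends only on the rule's filestore keyword rather than on a depth limit; if that is the intent, a comment in the same style would make it explicit. Note that the YAML indentation of this hunk is not recoverable on this page, so the nesting of the two output entries is assumed rather than verified.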
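Review bot: The `msg` text reads `FILE HTTP filtore`, which looks like a typo for filestore; `msg:"FILE HTTP filestore";` would read correctly in the alert output. The rule relies on `filestore:both,flow`, which requests every file in both directions of the flow to be stored once the signature matches, so what gets stored hinges on when the `http.uri` match on `pipeline` happens relative to the pipelined requests described in the README; a `#` comment line in the rules file stating that this timing is the behaviour under test (ticket 6390) would make the intent explicit to whoever next touches the rule.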
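Review bot: The single filter under `checks` proves only a negative — that the file with this sha256 was not stored — and nothing asserts that sid 2 fired or that any file was stored at all, so a regression that stopped filestore from storing anything would pass this test unchanged. Adding a filter on `event_type: alert` with `alert.signature_id: 2` and one on `event_type: fileinfo` with `fileinfo.stored: true` would pin both sides of the expected behaviour. The counts below are placeholders to be confirmed against the pcap, since how many pipelined requests match is not visible from the patch.
```yaml
checks:
# … unchanged: existing fileinfo.stored: false filter …
- filter:
    count: 1  # placeholder: confirm against the pcap
    match:
      event_type: alert
      alert.signature_id: 2
- filter:
    count: 1  # placeholder: confirm against the pcap
    match:
      event_type: fileinfo
      fileinfo.stored: true
```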