From 1f777b57b8265e50cf042cacb1544920f01f1aeb Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Tue, 8 May 2018 15:12:12 -0500
Subject: [PATCH] BIT-1926: add unit tests for misc. HTTP patches
---
CHANGES | 15 +++++++++++++++
VERSION | 2 +-
.../http.log | 10 ++++++++++
.../weird.log | 10 ++++++++++
.../http.log | 10 ++++++++++
.../scripts.base.protocols.http.x-gzip/http.log | 10 ++++++++++
.../Traces/http/content-range-less-than-len.pcap | Bin 0 -> 1066 bytes
.../btest/Traces/http/fake-content-length.pcap | Bin 0 -> 1012 bytes
testing/btest/Traces/http/x-gzip.pcap | Bin 0 -> 1034 bytes
.../http/content-range-less-than-len.bro | 3 +++
.../base/protocols/http/fake-content-length.bro | 2 ++
.../btest/scripts/base/protocols/http/x-gzip.bro | 2 ++
12 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/http.log
create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log
create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.fake-content-length/http.log
create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.x-gzip/http.log
create mode 100755 testing/btest/Traces/http/content-range-less-than-len.pcap
create mode 100755 testing/btest/Traces/http/fake-content-length.pcap
create mode 100755 testing/btest/Traces/http/x-gzip.pcap
create mode 100644 testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro
create mode 100644 testing/btest/scripts/base/protocols/http/fake-content-length.bro
create mode 100644 testing/btest/scripts/base/protocols/http/x-gzip.bro
diff --git a/CHANGES b/CHANGES
index 56288489a6..9c9e5169aa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,19 @@ +2.5-565 | 2018-05-08 15:29:53 -0500 + + * BIT-1926: add unit tests for misc. HTTP patches (Corelight) + + * Fix case insensitive HTTP/MIME header name comparisons + (Jeffrey Bencteux) + + * Don't use chunked mode Transfer-Encoding with HTTP/1.0 (Jeffrey Bencteux) + + * Fix handling of HTTP body length when Content-Range length differs + from Content-Length. (Jeffrey Bencteux) + + * Decode 'x-gzip' HTTP Content-Encoding the same as 'gzip' + (Jeffrey Bencteux) + 2.5-559 | 2018-05-08 11:23:28 -0700 * Add test for dump_current_packet bif. (Johanna Amann) diff --git a/VERSION b/VERSION index a04526640f..05811b62f0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-559 +2.5-565 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/http.log b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/http.log new file mode 100644 index 0000000000..5ff9ffc319 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/http.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2018-05-08-20-04-16 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1523627611.747988 CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 0 33 206 ok - - (empty) - - - - - - FE5OS23mJkGTBhF8ig - text/plain +#close 2018-05-08-20-04-17 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log
new file mode 100644
index 0000000000..7cd09fb789
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2018-05-08-20-04-16
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1523627611.748118 CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 HTTP_range_not_matching_len - F bro
+#close 2018-05-08-20-04-17
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.fake-content-length/http.log b/testing/btest/Baseline/scripts.base.protocols.http.fake-content-length/http.log
new file mode 100644
index 0000000000..aa9c61af96
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.fake-content-length/http.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open 2018-05-08-20-10-35
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+1523631796.315381 CHhAvVGS1DHFjwGM9 127.0.0.1 58176 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 0 14 200 ok - - (empty) - - - - - - FCcRXl1oyxVr6ipJA8 - text/plain
+#close 2018-05-08-20-10-35
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.x-gzip/http.log b/testing/btest/Baseline/scripts.base.protocols.http.x-gzip/http.log
new file mode 100644
index 0000000000..c90eb3315a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.x-gzip/http.log
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2018-05-08-19-59-11 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1473086764.095192 CHhAvVGS1DHFjwGM9 127.0.0.1 54890 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.6.0 0 19 200 ok - - (empty) - - - - - - FLWf9w4QphGhQ5XQRa - text/plain +#close 2018-05-08-19-59-11 diff --git a/testing/btest/Traces/http/content-range-less-than-len.pcap b/testing/btest/Traces/http/content-range-less-than-len.pcap new file mode 100755 index 0000000000000000000000000000000000000000..53ca520e8395ae1918aa1a6f45197dd7ca89286c GIT binary patch literal 1066 zcmaKrPfXKr6vuxZM3<5##1j|HFM3g2*KRNZ1rpF8U@$>o#6Jn9mbb2~`?a(kPA+=% zpPcHxe%DL6oa^FZg?f;%3NR`jTJY@AcF7-uL(0-G2KbM%qba zhlhj+{N>)e>fMW02f4x5=#3U94;57{>rwW~%pPx}u$&@5cI)0#0+c9)I&zF*z^}&JkWo?zi)_ot6CyBFba;6R#Pf}QuMmzLCz^FxG9Nah5;_81yBx@ zd{DF#y6f7Op$C@3lrl!Hl>d(w?V*(sH945*QF_AFKm?Mfb!L`y6Eq4;&dw!(g$bFH zgmGp#OBORVYOYysf-XVM)&r2lYYt;z;BPfr0B~j9wpMvO>zbav1o9N~!6W)G0{f9C)kXY1Frht_`?-GN4&LLEz0jcocvijwRrF%hSNj zAg|Hh-hZ($^*EENa-V{mk{E`mU({_IJR0P6M)`0XDA-_*H`wAX{0i^F*QmjxyHJg9 ObyqLo$aZ#`8~h6^4HJF< literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/http/fake-content-length.pcap b/testing/btest/Traces/http/fake-content-length.pcap new file mode 100755 index 0000000000000000000000000000000000000000..fc1ac91c1c37360722748f6bc8be8541d05c75da GIT binary patch literal 1012 zcmaKrPiWIn9LHa}q9afcy^MMAT?RUvCN1rl>4a9P`$Id5Yllv#g!C;9O_MB1Yv=@p zo&`nl;$?a)*n{jOy9u(JJ4}ZcsqQF!`WQq@Fs3;e<0ymBT(_G-sWbP!Jc18s9;Q%!YWFBdS8fH`?dO*e z3Iuxx!N54n>|A(5>&)2LSxSC7l8g`~&%N`>D1Vsx^sv+f`tsKKc6+fiOr~_7`~t`~ z;7>FM!_yq^e)BYUeR5y(GSD|4pJP@p9)U*YpI%C(T7Lua0UQaf3>D1H?9kjYvE~r+8fRKATBHEN?lTjh>6Y>SHeX1 z79>sTqf(9+2!QXBq^G&c8{+VJy-Z$rOjHm7!vTVQNya(l>z4ka$_1<^}zl;&V~ zt@0#y;1QplN}OOyJFka{zNI)O2-v8G*cD8TaZqacmPi!Ri7G zNJX$PgsDTy08$pBj)<_ZAfz&(!h+aXnV7?!iD^<*dGeF)-kpE`sABi5AhGg4=SLT>c00cw&_l%^BVv<)c+Qu z!wjfJG;%;qOq?R*?XhG42zmZpKnBHwN@?%uJxr(CXF8o%e~yqbJs`ipv`sg&Z(vY!6YM>WWiPrC!SivPBK5T?Y-D&BB_*y)cI7zKM-yJ0` zW=c?i*;1(}NKuJpvX>^Tz8q#$`c~zQs4t_BJpAKr=#0G;SngU{>^$Xf@l3FnRVyoXf}TVnI!-} literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro b/testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro new file mode 100644 index 0000000000..c95816b29f --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro @@ -0,0 +1,3 @@ +# @TEST-EXEC: bro -r $TRACES/http/content-range-less-than-len.pcap +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: btest-diff weird.log diff --git a/testing/btest/scripts/base/protocols/http/fake-content-length.bro b/testing/btest/scripts/base/protocols/http/fake-content-length.bro new file mode 100644 index 0000000000..5993b18ed1 --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/fake-content-length.bro @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -r $TRACES/http/fake-content-length.pcap +# @TEST-EXEC: btest-diff http.log diff --git a/testing/btest/scripts/base/protocols/http/x-gzip.bro b/testing/btest/scripts/base/protocols/http/x-gzip.bro new file mode 100644 index 0000000000..a73fc5f71f 
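Review bot: The new script content-range-less-than-len.bro has no comment saying what the trace contains or which behaviour its baselines pin, so a later baseline refresh could quietly accept a changed body length or a missing weird; fake-content-length.bro and x-gzip.bro have the same gap. Above the first `@TEST-EXEC` line I would add `# Response whose Content-Range length is smaller than its Content-Length: expect the HTTP_range_not_matching_len weird and the response_body_len recorded in the http.log baseline.` The other two scripts should get an equivalent one-line statement of the header or encoding under test and the logged body length that is expected. These look like cases where the analyzer's view of a body could differ from what an endpoint processes, so the intent is worth recording next to the test rather than only in CHANGES.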
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/x-gzip.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/http/x-gzip.pcap
+# @TEST-EXEC: btest-diff http.log
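Review bot: None of the three added scripts appears to exercise the CHANGES entry "Don't use chunked mode Transfer-Encoding with HTTP/1.0"; judging by their names, x-gzip.bro, content-range-less-than-len.bro and fake-content-length.bro cover the Content-Encoding, Content-Range and header-name fixes respectively. Unless an existing test already covers it, a fourth script of the same shape would pin that fix as well, using an HTTP/1.0 trace that carries a chunked Transfer-Encoding header: `# @TEST-EXEC: bro -r $TRACES/http/<http10-chunked-trace>.pcap` followed by `# @TEST-EXEC: btest-diff http.log` (the trace name is a placeholder). Without it, a regression in how the body is delimited for HTTP/1.0 would not be caught by this suite.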