From 2daf692c95df35f912861c0651654fa36e533e8d Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 4 Mar 2025 15:38:20 +0000
Subject: [PATCH] Add two protocol mismatch testcases

These traces contain different protocols being used by originator/responder. Traces from GH-4251
---
 .../conn-http-to-ssh.log | 11 +++++++++++
 .../conn-https-to-http.log | 11 +++++++++++
 testing/btest/Traces/http/http-to-ssh.pcap | Bin 0 -> 1259 bytes
 testing/btest/Traces/tls/https-to-http.pcap | Bin 0 -> 1763 bytes
 .../request-response-protocol-differences.zeek | 10 ++++++++++
 5 files changed, 32 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.analyzer.request-response-protocol-differences/conn-http-to-ssh.log
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.analyzer.request-response-protocol-differences/conn-https-to-http.log
 create mode 100644 testing/btest/Traces/http/http-to-ssh.pcap
 create mode 100644 testing/btest/Traces/tls/https-to-http.pcap
 create mode 100644 testing/btest/scripts/base/frameworks/analyzer/request-response-protocol-differences.zeek

diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-response-protocol-differences/conn-http-to-ssh.log b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-response-protocol-differences/conn-http-to-ssh.log
new file mode 100644
index 0000000000..af72f66ac8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-response-protocol-differences/conn-http-to-ssh.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40896 127.0.0.1 22 tcp - 0.001845 75 78 RSTR T T 0 ShADadFr 7 447 6 398 - 6
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-response-protocol-differences/conn-https-to-http.log b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-response-protocol-differences/conn-https-to-http.log
new file mode 100644
index 0000000000..5e026f7c3d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.request-response-protocol-differences/conn-https-to-http.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50382 127.0.0.1 80 tcp - 0.028273 517 468 RSTO T T 0 ShADadfR 5 785 4 684 - 6
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/http/http-to-ssh.pcap b/testing/btest/Traces/http/http-to-ssh.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7393dd6f53007c966c58ddf8278fb29b40180088 GIT binary patch literal 1259 zcmaKrKWGzi6vuzLq_$i*X@k_d-Jn(jx#W`CrnO2>3`T=kXzG^KCb1!u;*EzXg}Q$EvSu}2mc-7}Gx1mabQkL@h7nAVD9k>f<$Vvk$& zCf&sTt}l6~JWnZ~aHb>WKBb&>Gco0RZ(^8;TLXz>@YhTJPaNub-4B{h-g!>6z4yU8 P-#!7v#1U~5?#0eOv}z&= literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/tls/https-to-http.pcap b/testing/btest/Traces/tls/https-to-http.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5037527177b9d9ca7d4bf216c6459353155b37ee GIT binary patch literal 1763 zcmds%{cqbu7{{MGJE`lzR7mMwc#+#xv}@@SCtYbPH%u#CqtT5@w38;4N$zaosa=vL z&Xh@;2ydejFA_+M{lL170oo9g3PJ%YG`zZkGOGRnX!&&l6@FkE0trE3BRpp(TgpoR z03PYF@9w$#+}G!?{jL4MDGEH4qEG-J*b&>T=)xZ!*p6+M1fReYiz!tBz_#`f1 zIWrIaQtrcTZ01Q?$cJhGC|}6)R1jYu`AK8rgySk0Sy)_&48X|BREZ4zGxO&zKfVs> zy(jN1eDyZ&QBG#`61fh^TX83r<>6><&0k<-9ZKY)=3b<)&sI^Gqo|R%dKr~zt*r1u zFOIV;4@RUN`DsQR{&QL4S_*IGZV(Mdtl;n1rylC1&z?Qy z2~LsmK?QeGbzjRaE&_n0<+bR zZ6#Y3KY{g9F4vc>BG7P#qXY> z;%6@}EHal&p-cYTcX^w+MEkqs688t0>pORO&sFr@_1XHRE@8yQ6^Vl{IZkdZ5nU(m mx#~Fi4hpl