datasets: test with delayed set postmatch

Ticket: 5576

Signature full match does not happen on first packet inspected,
but signature gets stored as partially matching so far,
and then postmatch retreieves the buffer to set in the dataset.

Author: catenacyber

tests/datasets-delayed-postmatch/README.md

@@ -0,0 +1,14 @@
+Test
+====
+
+Test datasets only sets when there is a full signature match.
+Test is with a signature using different keywords matching at different stages,
+and pcap having different packets making the transaction progress step by step.
+
+https://redmine.openinfosecfoundation.org/issues/5576
+
+PCAP
+====
+
+Pcap crafted with some http server and some python client that delays or not the writing of the headers
+

tests/datasets-delayed-postmatch/expected/http_match.csv

@@ -0,0 +1 @@
+L3BhZ2U/cGFyYW09dmFsdWU=

tests/datasets-delayed-postmatch/input.pcap

@@ -0,0 +1,2 @@
+alert http any any -> any any ( sid: 1; http.uri; content: "param"; fast_pattern; pcre: "/param=(.*)/,flow:paramval"; http.request_header; content: "Header1";)
+alert http any any -> any any ( sid: 2; http.uri; content: "param"; fast_pattern; dataset:set,http_match,type string,save http_match.csv; http.request_header; content: "Header1";)

tests/datasets-delayed-postmatch/test.rules

@@ -0,0 +1,21 @@
+requires:
+  min-version: 8
+
+args:
+- -k none --data-dir=${OUTPUT_DIR}
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      #TODO ticket 7197 metadata.flowvars[0].paramval: value
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- file-compare: 
+    filename: http_match.csv
+    expected: expected/http_match.csv