tests: add test to verify unmatched signatures does not write to dataset

Related to https://redmine.openinfosecfoundation.org/issues/5576

Author: Andreas Herz

tests/datasets-validate-postmatch/README.md

@@ -0,0 +1,7 @@
+# Description
+
+Test datasets only sets when there is a full signature match.
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5576

tests/datasets-validate-postmatch/input.pcap

@@ -0,0 +1,4 @@
+# this will not match, and thus not write to the dataset
+alert http any any -> $HOME_NET any (msg:"HTTP learning"; flow:established,to_client; http.content_type; content:"noone"; http.server; content:"ECS"; fast_pattern; dataset:set,http_none,type string,state output/none.intel; sid:2; rev:1; priority:2;)
+# this will match, and thus write to the dataset
+alert http any any -> $HOME_NET any (msg:"HTTP learning"; flow:established,to_client; http.content_type; content:"ocsp"; http.server; content:"ECS"; fast_pattern; dataset:set,http_match,type string,state output/match.intel; sid:3; rev:1; priority:2;)

tests/datasets-validate-postmatch/test.rules

@@ -0,0 +1,25 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+checks:
+  # only sid 3 should trigger
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  # data should only be written to one dataset
+  - shell:
+      args: cat none.intel | wc -l | xargs
+      expect: 0
+  - shell:
+      args: cat match.intel | wc -l | xargs
+      expect: 1