OISF · jlucovsky · Jun 17, 2025 · catenacyber · Aug 27, 2025
diff --git a/tests/bug-7549-01/test.yaml b/tests/bug-7549-01/test.yaml
@@ -1,6 +1,9 @@
 requires:
   min-version: 8
 
+args:
+  - --strict-rule-keywords
+
 checks:
   - shell:
         args: grep "Unknown byte_extract var seen.*rpkt_len" stderr | wc -l | xargs

diff --git a/tests/detect-bytemath-05/README.md b/tests/detect-bytemath-05/README.md
@@ -0,0 +1,3 @@
+This test is for Redmine issue https://redmine.openinfosecfoundation.org/issues/1412
+
+Ensure that variable usage is restricted to a single buffer
diff --git a/tests/detect-bytemath-07/test.rules b/tests/detect-bytemath-07/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"byte_math varname test sig"; \
+    ipv4.hdr; byte_extract:1,5,rpkt_len,relative; \
+    byte_math:bytes rpkt_len, offset 1, oper +, rvalue 102, result result_val; \
+    tcp.hdr; byte_test: 1, =, result_val, 1, relative; \
+    sid:1;)
diff --git a/tests/detect-bytemath-07/test.yaml b/tests/detect-bytemath-07/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../detect-bytemath-01/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- --strict-rule-keywords
+
+exit-code: 1
+
+checks:
+  - shell:
+     args: grep "Unknown byte_extract var seen in byte_test - result_val" suricata.log | wc -l | xargs
+     expect: 1
diff --git a/tests/detect-bytemath-08/test.rules b/tests/detect-bytemath-08/test.rules
@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"byte_extract Test"; \
+        flow:established,to_client; \
+        http.header.raw; content:"Content|2D|Length|3A 20|"; content:!"|0D 0A|"; within:3; \
+        byte_extract:2,0,content-length,relative,string,dec; content:"|0D 0A|"; distance:0; within:2; \
+        http.server; content:"Neuro"; byte_test:2,=,content-length,0,relative,little; \
+        priority:3; sid:1;);
diff --git a/tests/detect-bytemath-08/test.yaml b/tests/detect-bytemath-08/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../detect-bytemath-01/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- --strict-rule-keywords
+
+exit-code: 1
+
+checks:
+  - shell:
+     args: grep "Unknown byte_extract var seen in byte_test - content-length" suricata.log | wc -l | xargs
+     expect: 1
diff --git a/tests/detect-bytemath-09/input.pcap b/tests/detect-bytemath-09/input.pcap
diff --git a/tests/detect-bytemath-09/test.rules b/tests/detect-bytemath-09/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"byte_extract Test"; flow:established,to_client; content:"Content|2D|Length|3A 20|"; http_raw_header; content:!"|0D 0A|"; within:3; http_raw_header; byte_extract:2,0,content-length,relative,string,dec; content:"|0D 0A|"; distance:0; within:2; http_raw_header; file_data; content:"test"; byte_test:2,=,content-length,0,relative,little; priority:3; sid:44412999;)
diff --git a/tests/detect-bytemath-09/test.yaml b/tests/detect-bytemath-09/test.yaml
@@ -0,0 +1,12 @@
+
+checks:
+  - shell:
+     min-version: 8
+     args: grep "Warning. detect-byte. Using byte variable from a different buffer may produce indeterminate results; variable. \"content-length\"" suricata.log | wc -l | xargs
+     expect: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 44412999
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		This test is for Redmine issue https://redmine.openinfosecfoundation.org/issues/1412

		Ensure that variable usage is restricted to a single buffer
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		alert http any any -> any any (msg:"byte_extract Test"; flow:established,to_client; content:"Content\|2D\|Length\|3A 20\|"; http_raw_header; content:!"\|0D 0A\|"; within:3; http_raw_header; byte_extract:2,0,content-length,relative,string,dec; content:"\|0D 0A\|"; distance:0; within:2; http_raw_header; file_data; content:"test"; byte_test:2,=,content-length,0,relative,little; priority:3; sid:44412999;)