datasets: test with multi-buffer and occurences in different packets

Ticket: 5576

Author: catenacyber

tests/datasets-delayed-multi-postmatch/README.md

@@ -0,0 +1,14 @@
+Test
+====
+
+Test datasets only sets when there is a full signature match.
+Test is with a signature using different keywords matching at different stages,
+and pcap having different packets making the transaction progress step by step.
+And test is using a multi-buffer to test that we only save the right occurences.
+
+https://redmine.openinfosecfoundation.org/issues/5576
+
+PCAP
+====
+
+Pcap crafted with some http server and some python client that delays or not the writing of the headers

tests/datasets-delayed-multi-postmatch/expected/http_match.csv

@@ -0,0 +1,2 @@
+WC1maXJzdDogc2VjcmV0
+SGVhZGVyMTogZmlyc3Q=

tests/datasets-delayed-multi-postmatch/input.pcap

@@ -0,0 +1 @@
+alert http any any -> any any ( sid: 1; http.stat_code; content: "200"; fast_pattern; http.response_header; content: "first"; dataset:set,http_match,type string,save http_match.csv; file.data; content: "later";)

tests/datasets-delayed-multi-postmatch/test.rules

@@ -0,0 +1,15 @@
+requires:
+  min-version: 8
+
+args:
+- -k none --no-random --data-dir=${OUTPUT_DIR}
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- file-compare:
+    filename: http_match.csv
+    expected: expected/http_match.csv