OISF · catenacyber · Jan 27, 2026
diff --git a/tests/http-trailer/README.md b/tests/http-trailer/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+Test `http_headers` keyword behavior on trailers
+
+Ticket
+======
+
+https://redmine.openinfosecfoundation.org/issues/8256
+
+PCAP
+====
+
+Pcap adapted/crafted from libhtp test file 27-request-trailer-raw.t
diff --git a/tests/http-trailer/input.pcap b/tests/http-trailer/input.pcap
diff --git a/tests/http-trailer/test.rules b/tests/http-trailer/test.rules
@@ -0,0 +1,3 @@
+# same signature, except for the choice of fast_pattern
+alert http1 any any -> any any (msg:"ua fast pattern, trailer"; http.user_agent; content: "Mozilla"; fast_pattern; http.header; content: "Server-Timing:"; sid:2;)
+alert http1 any any -> any any (msg:"trailer fast_pattern, ua"; http.user_agent; content: "Mozilla"; http.header; content: "Server-Timing:"; fast_pattern; sid:3;)
diff --git a/tests/http-trailer/test.yaml b/tests/http-trailer/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  min-version: 9
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3