tests/mac-eve-packet: check packet context metadata

This refers to Redmine bug #4109.

diff --git a/tests/mac-eve-packet/suricata.yaml b/tests/mac-eve-packet/suricata.yaml
new file mode 100644 (file)
index 0000000..56c9cc6
--- /dev/null
+++ b/tests/mac-eve-packet/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      ethernet: yes
+      types:
+        - alert

diff --git a/tests/mac-eve-packet/test.pcap b/tests/mac-eve-packet/test.pcap
new file mode 100644 (file)
index 0000000..0f19a2e
Binary files /dev/null and b/tests/mac-eve-packet/test.pcap differ

diff --git a/tests/mac-eve-packet/test.rules b/tests/mac-eve-packet/test.rules
new file mode 100644 (file)
index 0000000..41725c3
--- /dev/null
+++ b/tests/mac-eve-packet/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"test"; sid:1;)

diff --git a/tests/mac-eve-packet/test.yaml b/tests/mac-eve-packet/test.yaml
new file mode 100644 (file)
index 0000000..59db8ba
--- /dev/null
+++ b/tests/mac-eve-packet/test.yaml
@@ -0,0 +1,13 @@
+requires:
+  min-version: 6.0.0
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        ether.dest_mac: 00:25:90:e3:d2:e1
+        ether.src_mac: 0c:86:10:ed:d7:c6