]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5e25724)
test/decode: Test SLL2 decode 2523/head 2525/head
authorJeff Lucovsky <jeff.lucovsky@corelight.com>
Sat, 24 May 2025 15:26:40 +0000 (11:26 -0400)
committerJeff Lucovsky <jlucovsky@oisf.net>
Tue, 27 May 2025 12:37:24 +0000 (08:37 -0400)
This test checks SLL2 decode operation.

tests/decode-sll2-01/README.md [new file with mode: 0644] patch | blob
tests/decode-sll2-01/input.pcap [new file with mode: 0644] patch | blob
tests/decode-sll2-01/test.yaml [new file with mode: 0644] patch | blob
tests/decode-sll2-02/README.md [new file with mode: 0644] patch | blob
tests/decode-sll2-02/input.pcap [new file with mode: 0644] patch | blob
tests/decode-sll2-02/input.rules [new file with mode: 0644] patch | blob
tests/decode-sll2-02/suricata.yaml [new file with mode: 0644] patch | blob
tests/decode-sll2-02/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/decode-sll2-01/README.md b/tests/decode-sll2-01/README.md
new file mode 100644 (file)
index 0000000..42f2546
--- /dev/null
+++ b/tests/decode-sll2-01/README.md
@@ -0,0 +1 @@
+Suricata 8+ Ensure SLL2 packets are decoded
diff --git a/tests/decode-sll2-01/input.pcap b/tests/decode-sll2-01/input.pcap
new file mode 100644 (file)
index 0000000..de400d6
Binary files /dev/null and b/tests/decode-sll2-01/input.pcap differ
diff --git a/tests/decode-sll2-01/test.yaml b/tests/decode-sll2-01/test.yaml
new file mode 100644 (file)
index 0000000..9ef168d
--- /dev/null
+++ b/tests/decode-sll2-01/test.yaml
@@ -0,0 +1,10 @@
+requires:
+
+  min-version: 8
+
+checks:
+
+- stats:
+    decoder.ipv4: 5
+    decoder.tcp: 5
+    decoder.sll2: 5
diff --git a/tests/decode-sll2-02/README.md b/tests/decode-sll2-02/README.md
new file mode 100644 (file)
index 0000000..9a7fc38
--- /dev/null
+++ b/tests/decode-sll2-02/README.md
@@ -0,0 +1 @@
+Suricata 8+ Ensure SLL2 packets are decoded and HTTP alerts validated.
diff --git a/tests/decode-sll2-02/input.pcap b/tests/decode-sll2-02/input.pcap
new file mode 100644 (file)
index 0000000..c4d8588
Binary files /dev/null and b/tests/decode-sll2-02/input.pcap differ
diff --git a/tests/decode-sll2-02/input.rules b/tests/decode-sll2-02/input.rules
new file mode 100644 (file)
index 0000000..1a68057
--- /dev/null
+++ b/tests/decode-sll2-02/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"SLL2/HTTP test"; flow:established, to_server; http.uri; content: "/testing"; sid: 1;)
diff --git a/tests/decode-sll2-02/suricata.yaml b/tests/decode-sll2-02/suricata.yaml
new file mode 100644 (file)
index 0000000..29d9fdd
--- /dev/null
+++ b/tests/decode-sll2-02/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+  - fast:
+      enabled: yes
+
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
+        - http:
+            extended: yes     # enable this for extended logging information
+        - stats:
+            enabled: yes
+            filename: stats.log
diff --git a/tests/decode-sll2-02/test.yaml b/tests/decode-sll2-02/test.yaml
new file mode 100644 (file)
index 0000000..5ef15da
--- /dev/null
+++ b/tests/decode-sll2-02/test.yaml
@@ -0,0 +1,24 @@
+requires:
+
+  min-version: 8
+
+args:
+  - -k none
+checks:
+
+- stats:
+    decoder.sll2: 159
+    decoder.tcp: 159
+    decoder.ipv4: 159
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet_info.linktype_name: LINUX_SLL2
+- filter:
+    count: 1
+    match:
+      event_type: http
+      http.hostname: 192.168.1.21
+      http.http_method: GET
Mirror of https://github.com/OISF/suricata-verify.git