]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: be969fd)
tests: add tests for decode encapsulation types 2580/head
authorJuliana Fajardini <jufajardini@oisf.net>
Thu, 5 Jun 2025 15:43:12 +0000 (12:43 -0300)
committerVictor Julien <victor@inliniac.net>
Sat, 21 Jun 2025 19:32:48 +0000 (21:32 +0200)
Add simple tests for alert to match on TCP traffic over:

- IPv4 over IPv4 - bug-4571-01
- IPv6           - bug-4571-02
- IPv6 over IPv6 - bug-4571-03
- IPv6 over IPv4 - bug-4571-04
- IPv4           - bug-4571-05
- IPv4 over IPv6 - bug-4571-06

Related to
Bug #4571
Bug #7725
Bug #7752

30 files changed:
tests/bug-4571-01/README.md [new file with mode: 0644] patch | blob
tests/bug-4571-01/ipv4_over_ipv4.pcap [new file with mode: 0644] patch | blob
tests/bug-4571-01/suricata.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-01/test.rules [new file with mode: 0644] patch | blob
tests/bug-4571-01/test.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-02/README.md [new file with mode: 0644] patch | blob
tests/bug-4571-02/ipv6.pcap [new file with mode: 0644] patch | blob
tests/bug-4571-02/suricata.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-02/test.rules [new file with mode: 0644] patch | blob
tests/bug-4571-02/test.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-03/README.md [new file with mode: 0644] patch | blob
tests/bug-4571-03/ipv6_over_ipv6.pcap [new file with mode: 0644] patch | blob
tests/bug-4571-03/suricata.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-03/test.rules [new file with mode: 0644] patch | blob
tests/bug-4571-03/test.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-04/README.md [new file with mode: 0644] patch | blob
tests/bug-4571-04/ipv6_over_ipv4.pcap [new file with mode: 0644] patch | blob
tests/bug-4571-04/suricata.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-04/test.rules [new file with mode: 0644] patch | blob
tests/bug-4571-04/test.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-05/README.md [new file with mode: 0644] patch | blob
tests/bug-4571-05/ipv4.pcap [new file with mode: 0644] patch | blob
tests/bug-4571-05/suricata.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-05/test.rules [new file with mode: 0644] patch | blob
tests/bug-4571-05/test.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-06/README.md [new file with mode: 0644] patch | blob
tests/bug-4571-06/ipv4_over_ipv6.pcap [new file with mode: 0644] patch | blob
tests/bug-4571-06/suricata.yaml [new file with mode: 0644] patch | blob
tests/bug-4571-06/test.rules [new file with mode: 0644] patch | blob
tests/bug-4571-06/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/bug-4571-01/README.md b/tests/bug-4571-01/README.md
new file mode 100644 (file)
index 0000000..5ea1f13
--- /dev/null
+++ b/tests/bug-4571-01/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv4 over IPv4 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+https://redmine.openinfosecfoundation.org/issues/7752
diff --git a/tests/bug-4571-01/ipv4_over_ipv4.pcap b/tests/bug-4571-01/ipv4_over_ipv4.pcap
new file mode 100644 (file)
index 0000000..21697bc
Binary files /dev/null and b/tests/bug-4571-01/ipv4_over_ipv4.pcap differ
diff --git a/tests/bug-4571-01/suricata.yaml b/tests/bug-4571-01/suricata.yaml
new file mode 100644 (file)
index 0000000..1099e1a
--- /dev/null
+++ b/tests/bug-4571-01/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
+        - stats
diff --git a/tests/bug-4571-01/test.rules b/tests/bug-4571-01/test.rules
new file mode 100644 (file)
index 0000000..859286d
--- /dev/null
+++ b/tests/bug-4571-01/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-01/test.yaml b/tests/bug-4571-01/test.yaml
new file mode 100644 (file)
index 0000000..15d0ef4
--- /dev/null
+++ b/tests/bug-4571-01/test.yaml
@@ -0,0 +1,43 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pkt_src: wire/pcap
+        proto: TCP
+        pkt_src: ipv4 tunnel
+        src_ip: 10.1.0.3
+        dest_ip: 10.1.0.4
+        tunnel.src_ip: 10.1.0.1
+        tunnel.dest_ip: 10.1.0.2
+        tunnel.proto: IP-in-IP
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: IP-in-IP
+        src_ip: 10.1.0.1
+        dest_ip: 10.1.0.2
+        flow.alerted: false
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+        src_ip: 10.1.0.3
+        dest_ip: 10.1.0.4
+        flow.alerted: true
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.ipv4_in_ipv4: 1
diff --git a/tests/bug-4571-02/README.md b/tests/bug-4571-02/README.md
new file mode 100644 (file)
index 0000000..a622a71
--- /dev/null
+++ b/tests/bug-4571-02/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv6 decoding.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+
diff --git a/tests/bug-4571-02/ipv6.pcap b/tests/bug-4571-02/ipv6.pcap
new file mode 100644 (file)
index 0000000..f5ea841
Binary files /dev/null and b/tests/bug-4571-02/ipv6.pcap differ
diff --git a/tests/bug-4571-02/suricata.yaml b/tests/bug-4571-02/suricata.yaml
new file mode 100644 (file)
index 0000000..b9297ca
--- /dev/null
+++ b/tests/bug-4571-02/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
diff --git a/tests/bug-4571-02/test.rules b/tests/bug-4571-02/test.rules
new file mode 100644 (file)
index 0000000..859286d
--- /dev/null
+++ b/tests/bug-4571-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-02/test.yaml b/tests/bug-4571-02/test.yaml
new file mode 100644 (file)
index 0000000..755babe
--- /dev/null
+++ b/tests/bug-4571-02/test.yaml
@@ -0,0 +1,28 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pkt_src: wire/pcap
+        proto: TCP
+        ip_v: 6
+        pkt_src: wire/pcap
+        src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+        dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+        src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+        dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+        flow.alerted: true
diff --git a/tests/bug-4571-03/README.md b/tests/bug-4571-03/README.md
new file mode 100644 (file)
index 0000000..ab920cb
--- /dev/null
+++ b/tests/bug-4571-03/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Check for proper engine behavior for IPv6 over IPv6 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
diff --git a/tests/bug-4571-03/ipv6_over_ipv6.pcap b/tests/bug-4571-03/ipv6_over_ipv6.pcap
new file mode 100644 (file)
index 0000000..9a54716
Binary files /dev/null and b/tests/bug-4571-03/ipv6_over_ipv6.pcap differ
diff --git a/tests/bug-4571-03/suricata.yaml b/tests/bug-4571-03/suricata.yaml
new file mode 100644 (file)
index 0000000..b9297ca
--- /dev/null
+++ b/tests/bug-4571-03/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
diff --git a/tests/bug-4571-03/test.rules b/tests/bug-4571-03/test.rules
new file mode 100644 (file)
index 0000000..859286d
--- /dev/null
+++ b/tests/bug-4571-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-03/test.yaml b/tests/bug-4571-03/test.yaml
new file mode 100644 (file)
index 0000000..034d6e7
--- /dev/null
+++ b/tests/bug-4571-03/test.yaml
@@ -0,0 +1,42 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pkt_src: ipv6 tunnel
+        proto: TCP
+        ip_v: 6
+        src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8334
+        dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8335
+        tunnel.src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+        tunnel.dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+        tunnel.proto: IPv6
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+        ip_v: 6
+        src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8334
+        dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8335
+        flow.alerted: true
+  - filter:
+      count: 1
+      match:
+        proto: IPv6
+        ip_v: 6
+        src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+        dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+  - filter:
+      count: 2
+      match:
+        event_type: flow
diff --git a/tests/bug-4571-04/README.md b/tests/bug-4571-04/README.md
new file mode 100644 (file)
index 0000000..6f114b4
--- /dev/null
+++ b/tests/bug-4571-04/README.md
@@ -0,0 +1,13 @@
+# Test
+
+Check for proper engine behavior for IPv6 over IPv4 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+https://redmine.openinfosecfoundation.org/issues/7752
+
diff --git a/tests/bug-4571-04/ipv6_over_ipv4.pcap b/tests/bug-4571-04/ipv6_over_ipv4.pcap
new file mode 100644 (file)
index 0000000..c3a961f
Binary files /dev/null and b/tests/bug-4571-04/ipv6_over_ipv4.pcap differ
diff --git a/tests/bug-4571-04/suricata.yaml b/tests/bug-4571-04/suricata.yaml
new file mode 100644 (file)
index 0000000..1099e1a
--- /dev/null
+++ b/tests/bug-4571-04/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
+        - stats
diff --git a/tests/bug-4571-04/test.rules b/tests/bug-4571-04/test.rules
new file mode 100644 (file)
index 0000000..859286d
--- /dev/null
+++ b/tests/bug-4571-04/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-04/test.yaml b/tests/bug-4571-04/test.yaml
new file mode 100644 (file)
index 0000000..25319c7
--- /dev/null
+++ b/tests/bug-4571-04/test.yaml
@@ -0,0 +1,45 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pkt_src: wire/pcap
+        proto: TCP
+        pkt_src: ipv4 tunnel
+        src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+        dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+        tunnel.src_ip: 10.1.0.1
+        tunnel.dest_ip: 10.1.0.2
+        tunnel.proto: IPv6
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: IPv6
+        src_ip: 10.1.0.1
+        dest_ip: 10.1.0.2
+        ip_v: 4
+        flow.alerted: false
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+        ip_v: 6
+        src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+        dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+        flow.alerted: true
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.ipv6_in_ipv4: 1
diff --git a/tests/bug-4571-05/README.md b/tests/bug-4571-05/README.md
new file mode 100644 (file)
index 0000000..824aaa5
--- /dev/null
+++ b/tests/bug-4571-05/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv4 decoding.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+
diff --git a/tests/bug-4571-05/ipv4.pcap b/tests/bug-4571-05/ipv4.pcap
new file mode 100644 (file)
index 0000000..23befb3
Binary files /dev/null and b/tests/bug-4571-05/ipv4.pcap differ
diff --git a/tests/bug-4571-05/suricata.yaml b/tests/bug-4571-05/suricata.yaml
new file mode 100644 (file)
index 0000000..b9297ca
--- /dev/null
+++ b/tests/bug-4571-05/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
diff --git a/tests/bug-4571-05/test.rules b/tests/bug-4571-05/test.rules
new file mode 100644 (file)
index 0000000..859286d
--- /dev/null
+++ b/tests/bug-4571-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-05/test.yaml b/tests/bug-4571-05/test.yaml
new file mode 100644 (file)
index 0000000..ae6b0e5
--- /dev/null
+++ b/tests/bug-4571-05/test.yaml
@@ -0,0 +1,29 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pkt_src: wire/pcap
+        proto: TCP
+        ip_v: 4
+        pkt_src: wire/pcap
+        src_ip: 10.1.0.1
+        dest_ip: 10.1.0.2
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+        src_ip: 10.1.0.1
+        dest_ip: 10.1.0.2
+        ip_v: 4
+        flow.alerted: true
diff --git a/tests/bug-4571-06/README.md b/tests/bug-4571-06/README.md
new file mode 100644 (file)
index 0000000..01e22d6
--- /dev/null
+++ b/tests/bug-4571-06/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Check for proper engine behavior for IPv4 over IPv6 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
diff --git a/tests/bug-4571-06/ipv4_over_ipv6.pcap b/tests/bug-4571-06/ipv4_over_ipv6.pcap
new file mode 100644 (file)
index 0000000..9c1f7d6
Binary files /dev/null and b/tests/bug-4571-06/ipv4_over_ipv6.pcap differ
diff --git a/tests/bug-4571-06/suricata.yaml b/tests/bug-4571-06/suricata.yaml
new file mode 100644 (file)
index 0000000..b9297ca
--- /dev/null
+++ b/tests/bug-4571-06/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
diff --git a/tests/bug-4571-06/test.rules b/tests/bug-4571-06/test.rules
new file mode 100644 (file)
index 0000000..859286d
--- /dev/null
+++ b/tests/bug-4571-06/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-06/test.yaml b/tests/bug-4571-06/test.yaml
new file mode 100644 (file)
index 0000000..1ff608d
--- /dev/null
+++ b/tests/bug-4571-06/test.yaml
@@ -0,0 +1,44 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        proto: TCP
+        ip_v: 4
+        pkt_src: ipv6 tunnel
+        src_ip: 10.1.0.1
+        dest_ip: 10.1.0.2
+        tunnel.src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+        tunnel.dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+        tunnel.proto: IP-in-IP
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+        ip_v: 4
+        src_ip: 10.1.0.1
+        dest_ip: 10.1.0.2
+        flow.alerted: true
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: IP-in-IP
+        ip_v: 6
+        src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+        dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+        flow.alerted: false
+  - filter:
+      count: 2
+      match:
+        event_type: flow
Mirror of https://github.com/OISF/suricata-verify.git