proto: UDP
src_ip: 190.0.0.1
src_port: 40000
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ bittorrent_dht.request.id: 6162636465666768696a30313233343536373839
+ bittorrent_dht.request_type: ping
+ bittorrent_dht.transaction_id: '6161'
+ dest_ip: 190.0.0.3
+ dest_port: 30000
+ event_type: bittorrent_dht
+ pcap_cnt: 3
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 190.0.0.1
+ src_port: 20000
+ ip_v: 4
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ anomaly.app_proto: bittorrent-dht
+ anomaly.event: malformed_packet
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 190.0.0.3
+ dest_port: 30000
+ event_type: anomaly
+ pcap_cnt: 15
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 190.0.0.1
+ src_port: 20000
+ tx_id: 12
+ ip_v: 4
proto: TCP
dest_ip: 192.168.100.230
dest_port: 20
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ app_proto: ftp-data
+ src_ip: 192.168.100.16
+ src_port: 42987
+ event_type: fileinfo
+ fileinfo.filename: test.pdf
+ fileinfo.gaps: false
+ fileinfo.sha256: 7d400735ff3054837da5d92a10ad2faa8b6825f100dc167a6b008e753015b382
+ fileinfo.size: 118196
+ fileinfo.state: CLOSED
+ fileinfo.stored: true
+ fileinfo.tx_id: 0
+ proto: TCP
+ dest_ip: 192.168.100.230
+ dest_port: 20
+ ip_v: 4
--- /dev/null
+# Test
+
+Specific test for the `ip_v` field on common EVE fields.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7047
--- /dev/null
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ - http
+ - flow
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../alert-testmyids-async/input.pcap
+
+args:
+- -k none --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ip_v: 4
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ ip_v: 4
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ ip_v: 4
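Review bot: The `pcap:` line points into a sibling test directory (`../alert-testmyids-async/input.pcap`), so this test only runs as long as that other test keeps its name and its input file; renaming or retiring it would break this test without any change here. If the harness allows it, a copy of the pcap in this test's own directory, or at least a sentence in this test's README naming the dependency, would make the test self-contained. The same cross-directory reference appears in the later `ipv6-hdr` test.yaml (`../ipv6-hdr-keyword-01/input.pcap`). Separately, `args:` uses a flush-left sequence while `checks:` uses an indented one; pick one form for the file, e.g. `args:` followed by `  - -k none --set stream.midstream=true`.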
--- /dev/null
+# Test
+
+Specific test for the `ip_v` field on common EVE fields.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7047
--- /dev/null
+alert ip any any -> any any (ipv6.hdr; content:"|40|"; offset:7; depth:1; sid:1234;)
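Review bot: The rule carries no `msg:` and no `rev:`, unlike the `GPL ATTACK_RESPONSE` rule in the other new test.rules, so the resulting alert record will have an empty signature text; the check only counts `event_type: alert`, so this presumably does not affect the result, but a descriptive message makes failures easier to read in eve.json. Consider `alert ip any any -> any any (msg:"ipv6.hdr ip_v test"; ipv6.hdr; content:"|40|"; offset:7; depth:1; sid:1234; rev:1;)`.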
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../ipv6-hdr-keyword-01/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ip_v: 6
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ ip_v: 6