From: Jeff Lucovsky Date: Tue, 13 Aug 2019 14:59:02 +0000 (-0400) Subject: tests: Update anomaly logging to use new config X-Git-Tag: suricata-6.0.4~397 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F123%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: Update anomaly logging to use new config --- diff --git a/tests/output-eve-anomaly/anomaly.pcap b/tests/output-eve-anomaly-01/anomaly.pcap similarity index 100% rename from tests/output-eve-anomaly/anomaly.pcap rename to tests/output-eve-anomaly-01/anomaly.pcap diff --git a/tests/output-eve-anomaly-01/suricata.yaml b/tests/output-eve-anomaly-01/suricata.yaml new file mode 100644 index 000000000..d56ffcb20 --- /dev/null +++ b/tests/output-eve-anomaly-01/suricata.yaml @@ -0,0 +1,11 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + types: + - anomaly: + types: + decode: yes diff --git a/tests/output-eve-anomaly/test.yaml b/tests/output-eve-anomaly-01/test.yaml similarity index 78% rename from tests/output-eve-anomaly/test.yaml rename to tests/output-eve-anomaly-01/test.yaml index c70239ddb..e9b6f8f17 100644 --- a/tests/output-eve-anomaly/test.yaml +++ b/tests/output-eve-anomaly-01/test.yaml @@ -9,11 +9,16 @@ args: - -k none checks: + - filter: + count: 0 + match: + event_type: anomaly + anomaly.type: stream - filter: count: 48 match: event_type: anomaly - anomaly.type: packet + anomaly.type: decode - filter: count: 4 match: diff --git a/tests/output-eve-anomaly-02/input.pcap b/tests/output-eve-anomaly-02/input.pcap new file mode 100644 index 000000000..d50be3325 Binary files /dev/null and b/tests/output-eve-anomaly-02/input.pcap differ diff --git a/tests/output-eve-anomaly/suricata.yaml b/tests/output-eve-anomaly-02/suricata.yaml similarity index 79% rename from tests/output-eve-anomaly/suricata.yaml rename to tests/output-eve-anomaly-02/suricata.yaml index fe12f6bbd..284402839 100644 --- a/tests/output-eve-anomaly/suricata.yaml 
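Review bot: The new tests/output-eve-anomaly-01/suricata.yaml sets only `decode: yes` under `types:`, so whether stream and applayer anomalies are logged is left to the built-in defaults, and the `count: 0` check for `anomaly.type: stream` added to test-01's test.yaml in this commit verifies that default rather than this config. The -03 config added in the same commit spells out `applayer: no`, so for consistency I would add `stream: no` and `applayer: no` next to `decode: yes` here, unless the `count: 4` check at the end of test.yaml (its match key lies past the end of that hunk) depends on applayer events being logged. If it does, a comment such as `# applayer left at default on purpose` next to `decode: yes` would make that dependency explicit.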
+++ b/tests/output-eve-anomaly-02/suricata.yaml @@ -7,4 +7,3 @@ outputs: filetype: regular types: - anomaly: - protodecode: yes diff --git a/tests/output-eve-anomaly-02/test.yaml b/tests/output-eve-anomaly-02/test.yaml new file mode 100644 index 000000000..d4b4eb649 --- /dev/null +++ b/tests/output-eve-anomaly-02/test.yaml @@ -0,0 +1,28 @@ +requires: + features: + - HAVE_LIBJANSSON + + files: + - src/output-json-anomaly.c + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: anomaly + anomaly.type: applayer + anomaly.event: APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS + anomaly.layer: proto_detect + - filter: + count: 0 + match: + event_type: anomaly + anomaly.type: decode + - filter: + count: 0 + match: + event_type: anomaly + anomaly.type: stream diff --git a/tests/output-eve-anomaly-03/input.pcap b/tests/output-eve-anomaly-03/input.pcap new file mode 100644 index 000000000..d50be3325 Binary files /dev/null and b/tests/output-eve-anomaly-03/input.pcap differ diff --git a/tests/output-eve-anomaly-03/suricata.yaml b/tests/output-eve-anomaly-03/suricata.yaml new file mode 100644 index 000000000..9e573b997 --- /dev/null +++ b/tests/output-eve-anomaly-03/suricata.yaml @@ -0,0 +1,12 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + types: + - anomaly: + types: + stream: yes + applayer: no diff --git a/tests/output-eve-anomaly-03/test.yaml b/tests/output-eve-anomaly-03/test.yaml new file mode 100644 index 000000000..e3e7a185d --- /dev/null +++ b/tests/output-eve-anomaly-03/test.yaml @@ -0,0 +1,28 @@ +requires: + features: + - HAVE_LIBJANSSON + + files: + - src/output-json-anomaly.c + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: anomaly + anomaly.type: stream + anomaly.event: stream.pkt_invalid_timestamp + + - filter: + count: 0 + match: + event_type: anomaly + anomaly.type: decode + - filter: + count: 0 + match: + event_type: anomaly + anomaly.type: applayer 
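Review bot: Dropping `protodecode: yes` leaves `- anomaly:` in tests/output-eve-anomaly-02/suricata.yaml with no `types:` block at all, so the three expectations in the new test-02 (one `applayer` event, zero `decode`, zero `stream`) now rest entirely on the built-in defaults of the new `types:` config rather than on anything this file states. If exercising the defaults is the intent, say so in the file, e.g. `- anomaly: # no types: block on purpose - exercises the built-in defaults`, so a later change to a default is traced back to this test; otherwise add `types:` with `applayer: yes` explicitly. The enclosing `eve-log:` block begins above this hunk (`@@ -7,4 +7,3 @@ outputs:`).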
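Review bot: tests/output-eve-anomaly-03/suricata.yaml enables `stream: yes` and disables `applayer: no` but says nothing about `decode`, while the matching test.yaml asserts `count: 0` for `anomaly.type: decode`; that assertion therefore depends on the default for decode rather than on the config under test. Since the file already disables applayer explicitly, I would add `decode: no` alongside it so all three type flags are pinned. Test-02 uses the same input.pcap and also asserts zero decode events, so the expected counts would not change.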
diff --git a/tests/output-eve-anomaly-packethdr/suricata.yaml b/tests/output-eve-anomaly-packethdr/suricata.yaml index 9340e81a8..0579626c2 100644 --- a/tests/output-eve-anomaly-packethdr/suricata.yaml +++ b/tests/output-eve-anomaly-packethdr/suricata.yaml @@ -7,5 +7,6 @@ outputs: filetype: regular types: - anomaly: - protodecode: yes + types: + decode: yes packethdr: yes # enable dumping of packet header diff --git a/tests/output-eve-anomaly-packethdr/test.yaml b/tests/output-eve-anomaly-packethdr/test.yaml index eff89ddba..f71256de0 100644 --- a/tests/output-eve-anomaly-packethdr/test.yaml +++ b/tests/output-eve-anomaly-packethdr/test.yaml @@ -9,11 +9,17 @@ args: - -k none checks: + - filter: + count: 0 + match: + event_type: anomaly + anomaly.type: stream + - filter: count: 48 match: event_type: anomaly - anomaly.type: packet + anomaly.type: decode packet_info.linktype: 1 has-key: packet - filter: