From: Jason Ish
Date: Tue, 1 Apr 2025 22:16:14 +0000 (-0600)
Subject: test: test pcap filter on pcap-log
X-Git-Tag: suricata-7.0.11~109
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2426%2Fhead;p=thirdparty%2Fsuricata-verify.git
test: test pcap filter on pcap-log
Ticket: #6832
---
diff --git a/tests/output-pcap-log-filter/README.md b/tests/output-pcap-log-filter/README.md
new file mode 100644
index 000000000..08740eb4a
--- /dev/null
+++ b/tests/output-pcap-log-filter/README.md
@@ -0,0 +1,4 @@
+Simple test to check that the BPF filter on pcap-log is applied.
+
+To check, we verify against an expected output file that only has the UDP DNS
+traffic in it.
diff --git a/tests/output-pcap-log-filter/expected/log.pcap.1444144603 b/tests/output-pcap-log-filter/expected/log.pcap.1444144603
new file mode 100644
index 000000000..5c9ee35b3
Binary files /dev/null and b/tests/output-pcap-log-filter/expected/log.pcap.1444144603 differ
diff --git a/tests/output-pcap-log-filter/input.pcap b/tests/output-pcap-log-filter/input.pcap
new file mode 100644
index 000000000..0f33aa1f5
Binary files /dev/null and b/tests/output-pcap-log-filter/input.pcap differ
diff --git a/tests/output-pcap-log-filter/suricata.yaml b/tests/output-pcap-log-filter/suricata.yaml
new file mode 100644
index 000000000..c99b1013f
--- /dev/null
+++ b/tests/output-pcap-log-filter/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - stats:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap
+ limit: 1gb
+ max-files: 1000
+ mode: normal
+ use-stream-depth: no
+ honor-pass-rules: no
+ bpf-filter: udp and port 53
diff --git a/tests/output-pcap-log-filter/test.yaml b/tests/output-pcap-log-filter/test.yaml
new file mode 100644
index 000000000..9c64995ec
--- /dev/null
+++ b/tests/output-pcap-log-filter/test.yaml
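Review bot: The `bpf-filter: udp and port 53` line is the one setting this configuration exists to exercise, but nothing in the stanza marks it as such, so a reader can take the whole pcap-log block for carried-over boilerplate; a comment directly above it, `# Feature under test: only packets matching this filter are written to log.pcap`, would make the intent explicit. The `types: - stats:` entry is likewise unexplained; `# stats event is consumed by test.yaml to check the written/filtered_bpf counters` ties it to the assertion that relies on it. The remaining keys (`limit`, `max-files`, `use-stream-depth`, `honor-pass-rules`) appear to be defaults copied along and need no comment.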
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+args:
+ - --runmode single
+
+checks:
+ - file-compare:
+ filename: log.pcap.1444144603
+ expected: expected/log.pcap.1444144603
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.pcap_log.written: 8
+ stats.pcap_log.filtered_bpf: 10
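Review bot: The `filename: log.pcap.1444144603` under `file-compare` carries a numeric suffix that, given `mode: normal` in the accompanying suricata.yaml, is presumably the timestamp pcap-log appends to the output name, which ties the expected file name to the first packet time of `input.pcap`; a comment such as `# suffix is the timestamp pcap-log appends in normal mode; it changes if input.pcap is regenerated` would spare the next maintainer from guessing. The `--runmode single` argument is also undocumented; if it is there so the packet order in the written pcap is deterministic for a byte-for-byte compare, a comment like `# single runmode keeps output packet order stable for file-compare` should say so. The two counters (8 written, 10 filtered) implicitly assert an 18-packet input, which is worth stating in the README so the expected values can be checked without opening the pcap.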