From: Juliana Fajardini Date: Thu, 8 May 2025 19:05:51 +0000 (-0300) Subject: tests: add checks for ip version X-Git-Tag: suricata-7.0.11~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2502%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add checks for ip version Related to Task #7047
---
diff --git a/tests/bittorrent-dht/test.yaml b/tests/bittorrent-dht/test.yaml
index fc9abaf7e..79fee6688 100644
--- a/tests/bittorrent-dht/test.yaml
+++ b/tests/bittorrent-dht/test.yaml
@@ -295,3 +295,37 @@ checks:
 proto: UDP
 src_ip: 190.0.0.1
 src_port: 40000
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ bittorrent_dht.request.id: 6162636465666768696a30313233343536373839
+ bittorrent_dht.request_type: ping
+ bittorrent_dht.transaction_id: '6161'
+ dest_ip: 190.0.0.3
+ dest_port: 30000
+ event_type: bittorrent_dht
+ pcap_cnt: 3
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 190.0.0.1
+ src_port: 20000
+ ip_v: 4
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ anomaly.app_proto: bittorrent-dht
+ anomaly.event: malformed_packet
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 190.0.0.3
+ dest_port: 30000
+ event_type: anomaly
+ pcap_cnt: 15
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 190.0.0.1
+ src_port: 20000
+ tx_id: 12
+ ip_v: 4
diff --git a/tests/bug-4877/test.yaml b/tests/bug-4877/test.yaml
index 4e06f4e09..06c8de74e 100644
--- a/tests/bug-4877/test.yaml
+++ b/tests/bug-4877/test.yaml
@@ -70,3 +70,22 @@ checks:
 proto: TCP
 dest_ip: 192.168.100.230
 dest_port: 20
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ app_proto: ftp-data
+ src_ip: 192.168.100.16
+ src_port: 42987
+ event_type: fileinfo
+ fileinfo.filename: test.pdf
+ fileinfo.gaps: false
+ fileinfo.sha256: 7d400735ff3054837da5d92a10ad2faa8b6825f100dc167a6b008e753015b382
+ fileinfo.size: 118196
+ fileinfo.state: CLOSED
+ fileinfo.stored: true
+ fileinfo.tx_id: 0
+ proto: TCP
+ dest_ip: 192.168.100.230
+ dest_port: 20
+ ip_v: 4
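Review bot: The two checks added after `src_port: 40000` repeat every field of the existing pcap_cnt 3 and pcap_cnt 15 checks only to append `ip_v: 4`, so each match now exists in two copies that can drift apart. The pre-existing checks without `ip_v` are kept for 8.x as well, which suggests matching is on the listed keys only; a minimal match such as `event_type: bittorrent_dht`, `pcap_cnt: 3`, `ip_v: 4` would then assert the new field just as firmly while the older checks keep covering the remaining fields. The same pattern applies to the `bug-4877` hunk below, where the fileinfo sha256 and size are duplicated for the same reason.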
diff --git a/tests/eve-ip-version-4/README.md b/tests/eve-ip-version-4/README.md
new file mode 100644
index 000000000..f4c9cb34a
--- /dev/null
+++ b/tests/eve-ip-version-4/README.md
@@ -0,0 +1,7 @@
+# Test
+
+Specific test for the `ip_v` field on common EVE fields.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7047
diff --git a/tests/eve-ip-version-4/suricata.yaml b/tests/eve-ip-version-4/suricata.yaml
new file mode 100644
index 000000000..28c863d0a
--- /dev/null
+++ b/tests/eve-ip-version-4/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ - http
+ - flow
diff --git a/tests/eve-ip-version-4/test.rules b/tests/eve-ip-version-4/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/eve-ip-version-4/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/eve-ip-version-4/test.yaml b/tests/eve-ip-version-4/test.yaml
new file mode 100644
index 000000000..101090511
--- /dev/null
+++ b/tests/eve-ip-version-4/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8
+
+pcap: ../alert-testmyids-async/input.pcap
+
+args:
+- -k none --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ip_v: 4
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ ip_v: 4
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ ip_v: 4
diff --git a/tests/eve-ip-version-6/README.md b/tests/eve-ip-version-6/README.md
new file mode 100644
index 000000000..f4c9cb34a
--- /dev/null
+++ b/tests/eve-ip-version-6/README.md
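Review bot: The three checks in `tests/eve-ip-version-4/test.yaml` only show that some alert, http and flow event carries `ip_v: 4`; an event mislabelled as IPv6 in what these checks treat as an all-IPv4 capture would pass unnoticed. A fourth check `- filter: {count: 0, match: {ip_v: 6}}` pins that down at no cost. The `-k none --set stream.midstream=true` arguments are presumably there because the shared alert-testmyids-async capture starts mid-connection and has unverifiable checksums; a one-line `# capture lacks the handshake: skip checksum checks and accept mid-stream pickup` comment above `args:` would spare the next reader the guess.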
@@ -0,0 +1,7 @@
+# Test
+
+Specific test for the `ip_v` field on common EVE fields.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7047
diff --git a/tests/eve-ip-version-6/test.rules b/tests/eve-ip-version-6/test.rules
new file mode 100644
index 000000000..17d7bcccb
--- /dev/null
+++ b/tests/eve-ip-version-6/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (ipv6.hdr; content:"|40|"; offset:7; depth:1; sid:1234;)
diff --git a/tests/eve-ip-version-6/test.yaml b/tests/eve-ip-version-6/test.yaml
new file mode 100644
index 000000000..3504a2454
--- /dev/null
+++ b/tests/eve-ip-version-6/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+pcap: ../ipv6-hdr-keyword-01/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ip_v: 6
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ ip_v: 6
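Review bot: The single rule in `tests/eve-ip-version-6/test.rules` has no `msg:` (nor `rev:`), so the EVE alert it produces carries an empty or missing `alert.signature` and nothing explains the magic `|40|` at `offset:7`. Offset 7 of the fixed IPv6 header is the Hop Limit field and 0x40 is 64, so `msg:"ipv6 hop limit 64"; rev:1;` would document both the intent and the field being matched. Rules without a `msg:` are also easy to mistake for leftover debugging material when the test is read later.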
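Review bot: Unlike the IPv4 variant, no `suricata.yaml` appears for `tests/eve-ip-version-6` in this diff, so whether an `event_type: flow` record is written at all rests on flow logging being enabled in the harness's default configuration. A local suricata.yaml mirroring the v4 one, or a sentence in the README naming that dependency, would keep the two tests symmetric and robust to default-config changes. A negative check `- filter: {count: 0, match: {ip_v: 4}}` would additionally catch IPv6 packets being labelled as IPv4, which is the more plausible regression for this field.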