From: Victor Julien
Date: Thu, 16 Oct 2025 11:44:57 +0000 (+0200)
Subject: tests: add test for bpf in pcap multi logging (issue 8002)
X-Git-Tag: suricata-8.0.2~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2698%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: add test for bpf in pcap multi logging (issue 8002)
---
diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/README.md b/tests/pcap-log-uncompressed-03-multi-bpf/README.md
new file mode 100644
index 000000000..fb9cb125b
--- /dev/null
+++ b/tests/pcap-log-uncompressed-03-multi-bpf/README.md
@@ -0,0 +1 @@
+Test that Suricata will apply bpf in multi-mode.
diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml b/tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml
new file mode 100644
index 000000000..f3a75a0c2
--- /dev/null
+++ b/tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - stats:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap.%n-%t-%i
+ compression: none
+ mode: multi
+ limit: 4mb
+ ts-format: usec
+ bpf-filter: tcp and not port 443
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/test.yaml b/tests/pcap-log-uncompressed-03-multi-bpf/test.yaml
new file mode 100644
index 000000000..bf4b101dd
--- /dev/null
+++ b/tests/pcap-log-uncompressed-03-multi-bpf/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 9
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.pcap_log.written: 38
+ stats.pcap_log.filtered_bpf: 14063
+ - shell:
+ args: find . -type f -name 'log.pcap.1-1523389*.*-*' | wc -l | xargs
+ expect: 1
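Review bot: The comment above the `logging:` block in suricata.yaml has a typo: `# Enable enging logging to JSON so we can verify it.` should read `# Enable engine logging to JSON so we can verify it.`. The line the whole test hinges on, `bpf-filter: tcp and not port 443`, carries no explanation; a one-line comment such as `# Exclude port-443 traffic from the input pcap so only the remaining TCP packets reach log.pcap.*` would tell a reader what the filter is meant to drop, though what the input pcap actually contains is not visible here. Indentation in this hunk appears to have been collapsed by the rendering, so the nesting of `enabled`/`types` under `eve-log` and of the `pcap-log` keys cannot be checked from this page.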
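Review bot: `min-version: 9` in test.yaml makes this test skip on every 8.x Suricata, yet the commit is tagged suricata-8.0.2~18, so if the fix for issue 8002 was backported to the 8.0.x branch this should presumably be the 8.0.x version carrying it (for example `min-version: 8.0.2`); confirm which branch the fix landed on. The two stats counters, `stats.pcap_log.written: 38` and `stats.pcap_log.filtered_bpf: 14063`, pin the expected result only indirectly and are specific to `../bug-2482-01/proxyCONNECT_443.pcap` together with the `tcp and not port 443` filter in suricata.yaml; a short comment above the `filter:` check stating that would help whoever has to update the numbers when the pcap changes. The `find` pattern `log.pcap.1-1523389*.*-*` appears to hardcode the leading digits of the first packet timestamp that `%t` expands to, which is fine for a fixed input but is worth a comment so it is not mistaken for a typo.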