From aac9b8f30e35b39e09b586b30a21c914cc2daa89 Mon Sep 17 00:00:00 2001 From: Thomas Winter Date: Tue, 22 Jul 2025 10:52:37 +1200 Subject: [PATCH] pppoe: Add test for pppoe decoder protocol alerts Suricata commit b23fa51e ("detect: fix decoder only events") fixed decoder events to go off properly. However it was found that the pppoe decoder was going off on valid ppp packets. With drop rules isntead of alert rules, a ppp connection could not be established. The following pcap is a valid ppp connection but valid pppoe packets are being detected as wrong_type or unsup_proto. --- tests/pppoe/input.pcap | Bin 0 -> 2419 bytes tests/pppoe/test.rules | 9 +++++++++ tests/pppoe/test.yaml | 8 ++++++++ 3 files changed, 17 insertions(+) create mode 100644 tests/pppoe/input.pcap create mode 100644 tests/pppoe/test.rules create mode 100644 tests/pppoe/test.yaml diff --git a/tests/pppoe/input.pcap b/tests/pppoe/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6de528e48d374b73c8389b5423845856b59c215c GIT binary patch literal 2419 zc-pO0OK1~O6ut8@GbTedA8T8qXhzy1Xwi@^L=+T5Bj}>u#2il7H&jT3c65K+$hv|?+i_vX5O1DI`ES4xaXXE&pny)^Cz=3gJVWAlr%1nV<&vBpKXf$EH-@|zVkFnmLS ze+tB~Cf4Zs99BkF9bzu{4IK<7b)ZY=M%@7l(-$B1%=q1jxgMY$%f(_z@iT&IaMAAx3bofhSqxSsU_ zKi8}w*QWlhqrlH1tIyBG;IYpEW(xROT*tM4Zt4qR`lp@rSsjL_UqG%|%`qXa z`h*k_^|o(g93ZZln3Dsnj*BoICjoYWb!;$NNynhNX?CjKdrH`COP0FTTx#h)>k;Ld zxPFVdP+3D|(abfj`3%_qr7bRhb_M(L2IVWzfoGfR0D)d+fWI&X0dp81Q=!Kz(MXa+ zsCOB$$=M-uVcNHLxVxjUXPPkY5fcLI*kI5$R<(`l&t`?zsOC5_I6lNx%mV*)YjUBs zOqG$GP!&y->rE7>UdlPC((8&U3puAqp{izW!D-gzoRiO}s?~O>=Y`sBCEd-Sb^S)| XwO8^^J7cWbosC~}@`P3A5OMtntM4WA literal 0 Hc-jL100001 diff --git a/tests/pppoe/test.rules b/tests/pppoe/test.rules new file mode 100644 index 000000000..29452b59f --- /dev/null +++ b/tests/pppoe/test.rules 
@@ -0,0 +1,9 @@
+alert pkthdr any any -> any any (msg:"SURICATA PPP packet too small"; decode-event:ppp.pkt_too_small; classtype:protocol-command-decode; sid:2200043; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPP VJU packet too small"; decode-event:ppp.vju_pkt_too_small; classtype:protocol-command-decode; sid:2200044; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPP IPv4 packet too small"; decode-event:ppp.ip4_pkt_too_small; classtype:protocol-command-decode; sid:2200045; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPP IPv6 too small"; decode-event:ppp.ip6_pkt_too_small; classtype:protocol-command-decode; sid:2200046; rev:2;)
+drop pkthdr any any -> any any (msg:"SURICATA PPP wrong type"; decode-event:ppp.wrong_type; classtype:protocol-command-decode; sid:2200047; rev:2;)
+drop pkthdr any any -> any any (msg:"SURICATA PPP unsupported protocol"; decode-event:ppp.unsup_proto; classtype:protocol-command-decode; sid:2200048; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPPOE packet too small"; decode-event:pppoe.pkt_too_small; classtype:protocol-command-decode; sid:2200049; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPPOE wrong code"; decode-event:pppoe.wrong_code; classtype:protocol-command-decode; sid:2200050; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPPOE malformed tags"; decode-event:pppoe.malformed_tags; classtype:protocol-command-decode; sid:2200051; rev:2;)
diff --git a/tests/pppoe/test.yaml b/tests/pppoe/test.yaml
new file mode 100644
index 000000000..b25475c1b
--- /dev/null
+++ b/tests/pppoe/test.yaml
@@ -0,0 +1,8 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
-- 
2.47.3
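Review bot: Nothing in test.rules says why ppp.wrong_type and ppp.unsup_proto (sid:2200047 and sid:2200048) are `drop` rules while the other seven decoder-event rules are `alert`, and that asymmetry is the whole point of the regression: a false positive on a valid PPPoE session blocks the connection instead of merely logging it. A leading comment would keep that intent from being "normalised" away by a later edit, e.g. `# ppp.wrong_type / ppp.unsup_proto are deliberately drop rules: a false positive on a valid PPP session must not block it (see commit message)`. The sids and rev:2 values appear to mirror Suricata's stock decoder-events rules; if those are ever bumped this copy will stay as-is, which is fine for a pinned regression test but worth stating in the same comment. The companion check in test.yaml (the second hunk) only counts alert events, so it presumably relies on drop rules still emitting an alert record in pcap mode — a one-line comment on the drop rules saying so would tie the two files together.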
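Review bot: The single check `count: 0` on `event_type: alert` passes vacuously whenever nothing is decoded at all — a pcap with an unexpected link type, a rules file that fails to load, or a build where the PPPoE path is skipped would each produce zero alerts and a green test, so the false wrong_type/unsup_proto hits described in the commit message are not actually pinned. Add a positive assertion that the PPPoE/PPP frames in input.pcap were processed, for example a second filter on the stats record with the decoder counters set to the values a fixed build produces (placeholders below; fill them from a reference run). If the harness does not accept dotted keys into stats, a shell check against eve.json is the usual fallback. The count also assumes a drop rule still yields an alert event in pcap mode, which is what makes `count: 0` meaningful here; a one-line comment stating that assumption would help the next reader.
```yaml
checks:
  - filter:
      count: 0
      match:
        event_type: alert
  # positive assertion: the PPPoE/PPP frames in input.pcap were actually decoded,
  # so a count of 0 alerts above is not just "nothing was processed".
  - filter:
      count: 1
      match:
        event_type: stats
        stats.decoder.pppoe: <PPPOE_PKT_COUNT>   # placeholder: take from a reference run
        stats.decoder.ppp: <PPP_PKT_COUNT>       # placeholder: take from a reference run
```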