From 1b7e92daef00b1c8c70192b1e6695d000c5993f4 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jeff@lucovsky.org>
Date: Tue, 13 Aug 2019 10:59:02 -0400
Subject: [PATCH] tests: Update anomaly logging to use new config

---
 .../anomaly.pcap                              | Bin
 tests/output-eve-anomaly-01/suricata.yaml     |  11 +++++++
 .../test.yaml                                 |   7 ++++-
 tests/output-eve-anomaly-02/input.pcap        | Bin 0 -> 978 bytes
 .../suricata.yaml                             |   1 -
 tests/output-eve-anomaly-02/test.yaml         |  28 ++++++++++++++++++
 tests/output-eve-anomaly-03/input.pcap        | Bin 0 -> 978 bytes
 tests/output-eve-anomaly-03/suricata.yaml     |  12 ++++++++
 tests/output-eve-anomaly-03/test.yaml         |  28 ++++++++++++++++++
 .../suricata.yaml                             |   3 +-
 tests/output-eve-anomaly-packethdr/test.yaml  |   8 ++++-
 11 files changed, 94 insertions(+), 4 deletions(-)
 rename tests/{output-eve-anomaly => output-eve-anomaly-01}/anomaly.pcap (100%)
 create mode 100644 tests/output-eve-anomaly-01/suricata.yaml
 rename tests/{output-eve-anomaly => output-eve-anomaly-01}/test.yaml (78%)
 create mode 100644 tests/output-eve-anomaly-02/input.pcap
 rename tests/{output-eve-anomaly => output-eve-anomaly-02}/suricata.yaml (79%)
 create mode 100644 tests/output-eve-anomaly-02/test.yaml
 create mode 100644 tests/output-eve-anomaly-03/input.pcap
 create mode 100644 tests/output-eve-anomaly-03/suricata.yaml
 create mode 100644 tests/output-eve-anomaly-03/test.yaml

diff --git a/tests/output-eve-anomaly/anomaly.pcap b/tests/output-eve-anomaly-01/anomaly.pcap
similarity index 100%
rename from tests/output-eve-anomaly/anomaly.pcap
rename to tests/output-eve-anomaly-01/anomaly.pcap
diff --git a/tests/output-eve-anomaly-01/suricata.yaml b/tests/output-eve-anomaly-01/suricata.yaml
new file mode 100644
index 000000000..d56ffcb20
--- /dev/null
+++ b/tests/output-eve-anomaly-01/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - anomaly:
+            types:
+              decode: yes
diff --git a/tests/output-eve-anomaly/test.yaml b/tests/output-eve-anomaly-01/test.yaml
similarity index 78%
rename from tests/output-eve-anomaly/test.yaml
rename to tests/output-eve-anomaly-01/test.yaml
index c70239ddb..e9b6f8f17 100644
--- a/tests/output-eve-anomaly/test.yaml
+++ b/tests/output-eve-anomaly-01/test.yaml
@@ -9,11 +9,16 @@ args:
   - -k none
 
 checks:
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: stream
   - filter:
       count: 48
       match:
         event_type: anomaly
-        anomaly.type: packet
+        anomaly.type: decode
   - filter:
       count: 4
       match:
diff --git a/tests/output-eve-anomaly-02/input.pcap b/tests/output-eve-anomaly-02/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d50be332598fbf896b900c429b22f19b53bd3492
GIT binary patch
literal 978
zc-p&ic+)~A1{MYcU}0bclCmbb5g|&f3|>Gs2s4O^^Rj)vak}g6LN^WuR|W=~Lk}Go
z9M}@qa|tkV12JR60tT_e+%Fe`6fa;Z5=ho(U|?cl-NM4e!NvSh+W{ob$jr<RGWmfr
z!eoe<5c44>GcbTmR+$Jg6=XVtSi=Ib#B+i`(-$oeDpattLYT~W%eft7I?UvcK$D$-
zraEDBv&o@HU^j0=bMqpg=|T+x3{P)50^P_6aWBYZkco;atPFiX!}_q9*l_4E*u+e%
zCQ2|oowWzmM0eK^1$_mNkdOd<Lp?)YE|2`;5-SBm13g1CJ)nS<kr6LfXmM(hu48&?
z9#AH^v?xd4T+h@9q}VYzIkf;NsHLyP%f-tDa@`gcgnuzY(xi7P$aT}1(Lz!P=)!kE
z|31F)9pXAzD1uB3NMmJ)1ez9!%|!3sX&@7)y~b*y1jFM;AK)g=0GSvZ?4fI<XQ1m}
zkeUZ%$D8SyfqVk8C@KwaR6PL)>=v|ueFwBm6BJc9PQU}!6=WGWs?u2*LV<>bVspBC
z?{u)!-=R5O6Xx_7RTQVY1{CF&<R|CnDCA}q=O&gUXXt^Qt(K10*-ydF-i*cBHehFO
h#dLO0Cf+!l0ggikG-um@oh`!fSWXRMBFH%)Qvn%l`;h<u

literal 0
Hc-jL100001

diff --git a/tests/output-eve-anomaly/suricata.yaml b/tests/output-eve-anomaly-02/suricata.yaml
similarity index 79%
rename from tests/output-eve-anomaly/suricata.yaml
rename to tests/output-eve-anomaly-02/suricata.yaml
index fe12f6bbd..284402839 100644
--- a/tests/output-eve-anomaly/suricata.yaml
+++ b/tests/output-eve-anomaly-02/suricata.yaml
@@ -7,4 +7,3 @@ outputs:
       filetype: regular
       types:
         - anomaly:
-            protodecode: yes
diff --git a/tests/output-eve-anomaly-02/test.yaml b/tests/output-eve-anomaly-02/test.yaml
new file mode 100644
index 000000000..d4b4eb649
--- /dev/null
+++ b/tests/output-eve-anomaly-02/test.yaml
@@ -0,0 +1,28 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+  files:
+    - src/output-json-anomaly.c
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.type: applayer
+        anomaly.event: APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
+        anomaly.layer: proto_detect
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: decode
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: stream
diff --git a/tests/output-eve-anomaly-03/input.pcap b/tests/output-eve-anomaly-03/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d50be332598fbf896b900c429b22f19b53bd3492
GIT binary patch
literal 978
zc-p&ic+)~A1{MYcU}0bclCmbb5g|&f3|>Gs2s4O^^Rj)vak}g6LN^WuR|W=~Lk}Go
z9M}@qa|tkV12JR60tT_e+%Fe`6fa;Z5=ho(U|?cl-NM4e!NvSh+W{ob$jr<RGWmfr
z!eoe<5c44>GcbTmR+$Jg6=XVtSi=Ib#B+i`(-$oeDpattLYT~W%eft7I?UvcK$D$-
zraEDBv&o@HU^j0=bMqpg=|T+x3{P)50^P_6aWBYZkco;atPFiX!}_q9*l_4E*u+e%
zCQ2|oowWzmM0eK^1$_mNkdOd<Lp?)YE|2`;5-SBm13g1CJ)nS<kr6LfXmM(hu48&?
z9#AH^v?xd4T+h@9q}VYzIkf;NsHLyP%f-tDa@`gcgnuzY(xi7P$aT}1(Lz!P=)!kE
z|31F)9pXAzD1uB3NMmJ)1ez9!%|!3sX&@7)y~b*y1jFM;AK)g=0GSvZ?4fI<XQ1m}
zkeUZ%$D8SyfqVk8C@KwaR6PL)>=v|ueFwBm6BJc9PQU}!6=WGWs?u2*LV<>bVspBC
z?{u)!-=R5O6Xx_7RTQVY1{CF&<R|CnDCA}q=O&gUXXt^Qt(K10*-ydF-i*cBHehFO
h#dLO0Cf+!l0ggikG-um@oh`!fSWXRMBFH%)Qvn%l`;h<u

literal 0
Hc-jL100001

diff --git a/tests/output-eve-anomaly-03/suricata.yaml b/tests/output-eve-anomaly-03/suricata.yaml
new file mode 100644
index 000000000..9e573b997
--- /dev/null
+++ b/tests/output-eve-anomaly-03/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - anomaly:
+            types:
+                stream: yes
+                applayer: no
diff --git a/tests/output-eve-anomaly-03/test.yaml b/tests/output-eve-anomaly-03/test.yaml
new file mode 100644
index 000000000..e3e7a185d
--- /dev/null
+++ b/tests/output-eve-anomaly-03/test.yaml
@@ -0,0 +1,28 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+  files:
+    - src/output-json-anomaly.c
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.type: stream
+        anomaly.event: stream.pkt_invalid_timestamp
+
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: decode
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: applayer
diff --git a/tests/output-eve-anomaly-packethdr/suricata.yaml b/tests/output-eve-anomaly-packethdr/suricata.yaml
index 9340e81a8..0579626c2 100644
--- a/tests/output-eve-anomaly-packethdr/suricata.yaml
+++ b/tests/output-eve-anomaly-packethdr/suricata.yaml
@@ -7,5 +7,6 @@ outputs:
       filetype: regular
       types:
         - anomaly:
-            protodecode: yes
+            types:
+              decode: yes
             packethdr: yes            # enable dumping of packet header
diff --git a/tests/output-eve-anomaly-packethdr/test.yaml b/tests/output-eve-anomaly-packethdr/test.yaml
index eff89ddba..f71256de0 100644
--- a/tests/output-eve-anomaly-packethdr/test.yaml
+++ b/tests/output-eve-anomaly-packethdr/test.yaml
@@ -9,11 +9,17 @@ args:
   - -k none
 
 checks:
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: stream
+
   - filter:
       count: 48
       match:
         event_type: anomaly
-        anomaly.type: packet
+        anomaly.type: decode
         packet_info.linktype: 1
         has-key: packet
   - filter:
-- 
2.47.2