From 5df16ddc4805a22d9c5074ddfdf00c2d3d2194ec Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Tue, 1 Apr 2025 16:16:14 -0600 Subject: [PATCH] test: test pcap filter on pcap-log Ticket: #6832 --- tests/output-pcap-log-filter/README.md | 4 ++++ .../expected/log.pcap.1444144603 | Bin 0 -> 876 bytes tests/output-pcap-log-filter/input.pcap | Bin 0 -> 2175 bytes tests/output-pcap-log-filter/suricata.yaml | 17 +++++++++++++++++ tests/output-pcap-log-filter/test.yaml | 16 ++++++++++++++++ 5 files changed, 37 insertions(+) create mode 100644 tests/output-pcap-log-filter/README.md create mode 100644 tests/output-pcap-log-filter/expected/log.pcap.1444144603 create mode 100644 tests/output-pcap-log-filter/input.pcap create mode 100644 tests/output-pcap-log-filter/suricata.yaml create mode 100644 tests/output-pcap-log-filter/test.yaml diff --git a/tests/output-pcap-log-filter/README.md b/tests/output-pcap-log-filter/README.md new file mode 100644 index 000000000..08740eb4a --- /dev/null +++ b/tests/output-pcap-log-filter/README.md @@ -0,0 +1,4 @@ +Simple test to check that the BPF filter on pcap-log is applied. + +To check, we verify against an expected output file that only has the UDP DNS +traffic in it. diff --git a/tests/output-pcap-log-filter/expected/log.pcap.1444144603 b/tests/output-pcap-log-filter/expected/log.pcap.1444144603 new file mode 100644 index 0000000000000000000000000000000000000000..5c9ee35b3925845257e32c31a4312dca5ccc1a3a GIT binary patch literal 876 zc-p&ic+)~A1{MYcU}0bclCFlsWL^u=;!t_JF7gqX#doRgWFSE8Go#-37?Uyzhv!JM3*3zBAZ z16mL&%F2)kR0hHjqaoISEeMX22U&2;A7nVl5(ZPC753-qXRdB+0GU9*f&)BIMfwaZ zCZPqQAPeKR@G$rSg?zF3$bOyz$ilWHn2!!A0)3<{mci?f@DXcLPJVJWhGp(R!|Qz+ z8A5?dLa`a{KJPFC(D0+%VTLzt0vc{CR6GS0sRnUdX(269Ar#*d;knCRao z2p!Oeh9U<8i>{TMBFGJ*?d%LuK%ppXZt#gy1iK*w;Rc{rEwpc}dyR-TY#xQh7vp9I zmW<|8=^j9vG=6d7Nr6k&fNZM21PjuKN{|$28A((M1X(ceHz&Rns08+k55g-zE9@2H NEh9-wfx3_s2mn|@#v=d# literal 0 Hc-jL100001 
diff --git a/tests/output-pcap-log-filter/input.pcap b/tests/output-pcap-log-filter/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0f33aa1f5d3e98b67b1a45dbd9f176831d0558fd GIT binary patch literal 2175 zc-obfUuauZ9LLX1(>1-xm3G>0%z>wc>9%^4+@f%&7D+BL<##HXaYZ@q`Jz2;b>IO}n@qzZ=g<3mQb|`30pH z_3oJTvJH%N>eX9``yn)ZeQf9g-F()hHM|u@$Yid)YBpI|*E4rMr}IorO&uiMOo4b6cv z%@=__aiRfj+}!|;jG^}?B~#*8K%}NFR3g5;kfy}QFBOTq(MIpnTZx{*Aa+Eh4C!d+ zr${QL^0TUzirMv?j=jO)utTs592?3IjX#_qiY{U~tEC*B_I9V;$+2EFL#NajnNgK# zGG|wa&asDOnWSO-yYI_7JaK)@V}(9wcYn>R2F2H? za!SN|Oz3@x1|8)@=FGl(l=!Vyk+>UapSElz7QEs^PA3i=;n-249VeQIl|)j>!AghS z#jyjDPDC8cl4r5A0|#UswhL}7xJ98ubUCrdALQ76RnehSd~hxen{|@Y9qE*mR7xv8 zq9pVw5euCh>yt7%?^k2Vc#_2af$bKZLY_SsloBFtb$19Z;_h_wg3wxMH-A)85+ozy z=$uY6Fq?qt0*HQz@0a8$_~Csah~t_%gX6RItdg_KQgM;@sp@n#U1^U9#~e;dz=G}+ zXYu~bv1~HtaM@kY$>W5c{-`IMiF&#c;X~bXQO`)$h(mHu z)z{*f@mlz|hS+0Wvn;JZ93HOQiXpy550DZUpR7vM45F_hu@Q*Y?ZlgVt48)mBeLsT z1GcmRR2vYr_1B64TcT7-{CRIxjTuAZkur@opspIO>$hlJ8vJQs%=YeMXary*MdIx* zPCYy~WDxt`IR(VVlfO|S4Cd<(kQ+IgQ>QP%JHzC!*LpdXq?wfCbump%N7Y=7tj^G7 zW(W#|nre{*+vv!nA8Ep9B(F8Y?==pN~^re?iP{O|yShj6$av*biDBVO0 zMy}eBAEx}39Q7<>TJZH~!O>?e;Ha&6iVKt+)kagQJiV=$2jKI528Ccts1n?>cmr$?+|``E{D8rmaE2}2bv1C;p}c_u4V!;fv`DV62El?cwzVuCF&wNuS85q} zIO<;E0!GVBRUAOOY7HIr$eQ0`N(jq4mmQm3v>-Dt4z*AXO(*Nn1WZj-(%_4<7#e~l z4Pdpa?e^sdrDLmPv~XU`hsaD5>V-=C|ERB$!1M3XO7q_oT6(WFpTO?%|CB&lVDZoT ZY6)yLtoTY+phQp0WcT?0OCX<5;NQbKC~p7& literal 0 Hc-jL100001 diff --git a/tests/output-pcap-log-filter/suricata.yaml b/tests/output-pcap-log-filter/suricata.yaml new file mode 100644 index 000000000..c99b1013f --- /dev/null +++ b/tests/output-pcap-log-filter/suricata.yaml @@ -0,0 +1,17 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + types: + - stats: + - pcap-log: + enabled: yes + filename: log.pcap + limit: 1gb + max-files: 1000 + mode: normal + use-stream-depth: no + honor-pass-rules: no + bpf-filter: udp and port 53 
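Review bot: The pcap-log block in suricata.yaml does not say which key is under test, so a reader has to cross-reference test.yaml to see that only `bpf-filter` matters here while `limit`, `max-files`, `mode`, `use-stream-depth` and `honor-pass-rules` are scaffolding; a one-line comment above the filter would make that explicit: `# Under test: only packets matching this filter are written to log.pcap; the rest are counted in stats.pcap_log.filtered_bpf (see test.yaml)`. The `stats` entry under eve-log is likewise load-bearing, since the second check in test.yaml matches an `event_type: stats` record, and deserves a short comment saying so. Note also that `udp and port 53` selects any UDP traffic on port 53 in either direction rather than DNS as such, so the README's "UDP DNS traffic" wording holds for this particular input.pcap rather than for the filter in general.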
diff --git a/tests/output-pcap-log-filter/test.yaml b/tests/output-pcap-log-filter/test.yaml
new file mode 100644
index 000000000..9c64995ec
--- /dev/null
+++ b/tests/output-pcap-log-filter/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 8
+
+args:
+ - --runmode single
+
+checks:
+ - file-compare:
+ filename: log.pcap.1444144603
+ expected: expected/log.pcap.1444144603
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.pcap_log.written: 8
+ stats.pcap_log.filtered_bpf: 10
-- 2.47.2
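Review bot: The expectations `stats.pcap_log.written: 8` and `stats.pcap_log.filtered_bpf: 10` are bare magic numbers; a comment tying them to the configured filter would tell whoever regenerates input.pcap or expected/log.pcap.1444144603 which values must move together: `# 8 packets match "udp and port 53" and are written; the remaining 10 are counted as filtered_bpf`. The `--runmode single` argument is presumably there so that one pcap-log writer produces exactly the file named in file-compare — worth a comment as well, because the expected filename `log.pcap.1444144603` is hard-wired. It may also help to note which check guards which property: file-compare proves that only the filtered packets reach disk, while the stats counters prove the filter's accept/reject decisions, so a failure in one but not the other points at different code.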