From 451501de6544265042f5751d90be236b87d9ee6b Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 28 Jun 2019 10:52:08 +0200
Subject: [PATCH] tests: add vxlan with ssh test
---
tests/vxlan-decoder-03/README.md | 8 ++++++++
tests/vxlan-decoder-03/test.yaml | 29 +++++++++++++++++++++++++++++
tests/vxlan-decoder-03/vxlan.pcap | Bin 0 -> 27672 bytes
3 files changed, 37 insertions(+)
create mode 100644 tests/vxlan-decoder-03/README.md
create mode 100644 tests/vxlan-decoder-03/test.yaml
create mode 100644 tests/vxlan-decoder-03/vxlan.pcap
diff --git a/tests/vxlan-decoder-03/README.md b/tests/vxlan-decoder-03/README.md
new file mode 100644
index 000000000..6acdd4fc4
--- /dev/null
+++ b/tests/vxlan-decoder-03/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test basic VXLAN decoding by tracking SSH over VXLAN
+
+# PCAP
+
+Pcap provided by Eric Leblond. Captured using AWS traffic mirror feature.
+
diff --git a/tests/vxlan-decoder-03/test.yaml b/tests/vxlan-decoder-03/test.yaml
new file mode 100644
index 000000000..1611b4f6e
--- /dev/null
+++ b/tests/vxlan-decoder-03/test.yaml
@@ -0,0 +1,29 @@
+requires:
+ min-version: 5.0.0
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 13
+ match:
+ event_type: flow
+ dest_port: 4789
+ flow.pkts_toclient: 0
+ flow.bytes_toclient: 0
+ - filter:
+ count: 4
+ match:
+ event_type: ssh
+ dest_port: 22
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: ntp
+ dest_port: 123
+ - filter:
+ count: 8
+ match:
+ event_type: dns
+ dns.rrname: "ec2-18-196-145-224.eu-central-1.compute.amazonaws.com"
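Review bot: The four `count:` values under `checks:` in test.yaml (13, 4, 1, 8) are asserted with no comment saying what each one represents, so a later decoder change that shifts a count cannot be judged as a regression or an improvement from this file alone. I would add a comment above each filter, for example `# outer VXLAN/UDP flows; the mirrored capture is one-way, so toclient stays 0` on the first one; the one-way reading is inferred from the README and the zero `toclient` assertions, so confirm it against the pcap. The `event_type: ssh` filter also matches on `dest_port: 22` only, so pinning one decoded value from the capture, such as `ssh.server.software_version`, would show that the inner session was actually parsed after decapsulation and not merely labelled.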
diff --git a/tests/vxlan-decoder-03/vxlan.pcap b/tests/vxlan-decoder-03/vxlan.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c71d5dcdc13cc9d37eeccae7bcb5444ef6e7cb8c GIT binary patch literal 27672 zc-rlp2|QHm|Hsb^S~Q4|w4zcmvL`8pWUCY@Z5oU%*_EQANV;iJNjJ$-T9u{3kc3uJ zSBW-C-Lz@Bg`)C%zK1!QX)?_<{qFyF|KoMlm^tUn`}usI^L@^ockZp?%p@`9%k^%t;Z*H}?QHaQ80IVaTRw2XURW@q)0-1Nh}8Q<`@54X)~+RC z56@X7G+6XJ#biN0r&5CCtJ?ow|4a?Bxi<)5A!v^fPHbKsY_SAe5n`L)1)D)l-^rL^ zk3KC@CEFjuUfT^Y+4|~ZQ{hO7SCe*ne?t( zL9rK2`*tZ5&Bm0iXt4;?HMB2Q@k*>65&@5u-RU1a~k*u`sxH!C-#7 z3};a1$RLMRj4~z|GJ)ayptRe=ncYj6zq6?vZuSFzrUNBx1Xyj-O1Svf12v$?jPU- z+p|5TrKipQl#Zr`s%U89#JTm^OhAKTMfa>n$;!Slzfw&-ce;Vr$sZMmi0P1pejmh3S|Nz0jzuA&%>eEUvPsLi0b|LRjB@tUe)0IcDmXe5q|vktZ&zO_lgI=G*Ptfpne~~spogBJC-c#jz|}avWWKWYp@{BFkxE| zkJVSFSD^**S#t}qAfAH0kFLx=i%MtpSG9YQWEvYm?LVTLZoVCDGx=ZL^I6_NqZ`Wt z$JdxsWlBdM>!QZRZGNOX{s|ILm>9L~{+I9&Tf{BY=@qo?-@7k5MmKRD6+1DKm@ zIn({&!T%<*pb!7A4NQh(r|s$mPG8W2Lu7=p1L*MqPS^gi9oPO|EZ6?)y14dtu93m7 z{jafJcc)i*oxB3q-Hj10#C7+d(1+21RC^3Te-7Jt;`6BweWhf-l;)JF=Il9YH+9>= z_r+tLQ5v^GwZenMnmdUN=aIx65JOm{rBPZd^g@ zMn+FqHy#fm){Q*iMn4IQ4n>D^L*M;4bTRaFuWuet5&op)bVPLe*oO(dU3O??o*dhB zHUe7){4Dq_&C(`N7NIg+n@~CAd5s*(# z(yH(@y(Q13i|U@#)`VYA*f!$Ejo0;*_%+t@JLJbnqHUai%wrCR=r?)uPI44$Q^`oroK3Qt58M5ZW zNT_#A8J|C&%HnhMGwU49=;?K`v_JZM+E}xmIY%3%q2^-|!^%)`EF2v%oD;+H4u&l( z431qenAG&g8D4T^KQKmg){R! 
zp!fq9Fq|1KfhEFSGfoUK9SnXf3~Rc`Wl4=3o=Z7fF8!IgoCqg!Nd}G!%MIpz@le(c z8?-s8K$+$wTbe!A%xhlN%;dQAtY%NQg-LD8W-Q-6{%+-DEj+W~e9r6!p4k)*nHl4m ziL+#u3=B8Aml-?5lG}ga4ALAKQ2$EMCl~^NAt-JKDQj)`y|1K4<0x;{TlP!pl|Gx( zCN%oFoLtBY)$}}twF#Qk`xdDRdiKB@r7XeU^KSrN<4JhM*dGoZ%El1~ktMtymc*dzKY_Rd|#*a6n>oP*0C%)6N_E zo(xj9JrHC6xwqf3x3a!|qi%Z&ZBeMDTVHA!mQH&rYJ6vUQ)a8;mwSq>1~S%F21YOr zkWpA*89PEu^8XBcw52m#m@J z)7^_ob9VLV4(=?Xcqx*#&2s&D#9{M#&7@Y zAhe*9;reP}p$LrhQ(%P@_!A986&oi-chaPyPc~>uZ6l%0 z6;u;#ZWWxiC(iykz$`I+0A=7aQ77Mu!Fz))G$%76gbhl=C#=LKP(9L>jZ4H-Kb6NN z?)tbyA^$5SYeJg+h#5X2L6;UV?z$^F<(uy?+DEHZEgYbZ#xr~{#@{wL5N|=vY%M4f zjcIGBBx-|dL<`D*F#$ugBF5k4>n6T*Ok&G)E8^G~Dv3S&L!HPp960bCM({a@L3j>L zY&mR19NX~aK!M013pk7r!=Wf~UL+iYn-FaE1BTbT35H3Cp}_AGQwYi~{6+{GP0eHq zL12;H)Gd~u5rUIiV*VVCcv?UR8peGq1nnY#hspA3vp6rcVQ{NWt3RGg0$VOEh-U<- zoJ!_0X*4wpSb*Vcv^Xz9kiks|wg%t~AsiXxNKKRcSsAzrL4fSDrCULLcOn&^fugxA zU@O{)`U3xfAOvsEV4g^J8vqm-nv=zOxfWn>yA~+U#u=t^WRSxuq{0b?-++Om5CpKx z2l+gU0`UsQvsTc5AcE7!XHjpWf((EI2HivAya+)CHzC-%92lOfaAZKUXysq54DCYj zR7nqcd)m`M0}4*tF(ws{5eUKmTSAaeI_@8mi2@-g5P||B*!~4QU+#!FFG7&PO$Zj} zz=BA#XIl{U>kEQ@gHH@q&BTHj4Sl~|2=3jv^Y@`)r$YyXeK=ygZ{2u-5EKYOfe;k* z;eWpngdTh^OPm)W$lxXfTUX%M{vNE?-9f*##Jqs(?#4<(;=21R^x;k+SX-B{G5M|P z#h0JbMEW@DD|ol{kkw?2dafLH^}?v6%4MC*pNhqK5rPbELa;a&)(z)Ztn0=LSU2)u z-Pp8+ST}Y8_dg>9lYM;6jLr@45{?h|8)7eGbuME%Irwhu%&0=^xlgaR(SAY*3TrnB z?^`q~?a2B^j9H0m2kj4V4_=%xN?&46!tkjcVUf5HOwsar6tHslt-eYIBk#?gIDD>| zOpVyp506TsPi8p%j`{vr2woiM7H%Y?OVybo{`HRlt8!DvFX|UBZ5ybenv#4!Hgo)u z8d0sXhte~Tjx8NPHav0uldhZ3o`~Gi^Um)@vxa8%F>O6}_KT#@=@PM|=Gx-~I~iA;k28$s$bfpsb#GRN1Jwq9j34vn_3M7Or%@j4GFdWL)BZsC z^xkQYX7-VhmM%~>@2xfbuQ^jsMy@vl-htW}FCvV=O@y_s!fR~9R^w*GTmdys%_eI6 z2AJ1Y*$J(6Pf|)axpv3kmP=7tt1Ww~crpeD*ydcA^YLQ-txeCSHC*zEYmSeI*&TLy z-r^0i~K8Uad5(T6A zBEkUqrXKc-MHqs1sCrW{`j?0>7{ZhB7%w7>!A*n}pT%2DFSZs_QD3lf0<;*K9MNKm z;k12f`NcZBE+nbXQ*dX>dQhoy06?erF3owZZDT2gk8wMpN?%mKCYs~??t@a3bE zeJ_#m3+iQMvgb-$X$9V{$36t!lRmAOZR}xVDF)+NXN>Xp_HZ!Xf?`=)(8>udF|USz z2)neCXhH8`Ou&$8#^m8rk8*N80;+hoI?nn!!EWQ3=qdq 
z5Mh_1i5wb%!vryeN|JezPr2Mgn1LrSq;(3P$(XGEiZiuL5f(h?TM=e4iz&i@<$Cv6 zenx~%)|E+Kk9Zz}2urR0R)j4W4m?bjXlXJpwaMjH8-rzdE(h6id5CzzL17pWwXv8D zEWof`hRlly%jG7*47_lL^&A=GNKFT`SQ)sAFo4`4)2*PsJCPy`p=bvx*oqdezapCi zB5dMT=83dm1b_lV;V3dM*8;iRt_30{;|%#68RW2vl_dnj7+~Ni!T`)mh0n9d8?Rsr zYX!4O2yPEPi!6x>&I34LXiz2dBEoXHi7*2nU^uMFkpa!3+RLmA?IKLYc(v=ewCacZ ze4+}}AL@P;h%kW&6NoT@2ov0Z<+lifo*$q_=0$|%auZ<@Q(!^de}ip7+@rrD-xoeH zygo%Nh$_(c+eMgq;5>`XM#EaJMkmerGIUdpK!gcIm_URH`tZMBgh3BBA5Z2*gynJ* zVFteVwZAXxb$7n6uFN60?rxlCO`fIi$Q!s<-3Bp=$%8#Jp_DaH4b{Os%fn$CKb zp3V<-R6jDOL0YVn`Gq-|7ZH}rO@u`l!Mc&+#JX-Af^{Pa)(yQlV%^XL?teyv&AO#* zFP-&a_4P~Z{2%Ns%fw<`_Gr$nDK9#(ZA+q~%4+T+OaZ(5LQHr1j^~P#Gp6fke2Hml z4u~+Un>efP-rVO!cXR{m;C-A!ALPaA_W5Jg%6QMqGLfZghfw<5HIU6qjfrZUT4?j+ z$095^J~LU-)=FtaU|jW=RW?;ulP7MyXL(FGdgJd4uEj;{3@%-FNUe0zpi{fnBx#No zf2==jsl3I;jpY?Z{c1gIF84BI+%&TYm}?Onap&5q!8##lPaL`n^^UY7^CH4>xrs0X z{GUOmZDX6GNxCveL|~4NAcT*F6V#l2oWS(FmCrX6jPVci<*ak?hzR1!0I8$?nV5r1 zfD0IEzLI&7I=S3Lm;wIJpws->a>-!ka(X+F%NF2R=Mi7OAk0nrY5?u{;f&^-!2@ro z8J4}*$U70MGs}8O#VgfQreii|JYN1b(-n9>eC2ayCU|DoIArz!&+Gt^84Z|$L9eY_ znSCe1BBtUDi5wYF@3^JL%8+bQxwrps&)r>Lghg04MSY*t$tJr=wQrSNbg!ZZONOG>f!+mbo%9bZ}JN)5%4*s{9v9$Y(zfOxLwsfB1uy zn$~-xKW++(MEcsoIA#b5@pAJkk*f&9e>rJsBJs;f(?NvM%gmyA5Mcloi@<)Z2t#N= zhiuHE|BeXj|F=aLe!`)#@gTx3aus2fc<2$#&`;wcY!~IQDqlnxAP*E4`o$s)K|4q_ z99HG82BdcjE4S-vkK5+TslA2I>KqIqF7QcpC^Ci z2ubD6yF>f;<;fjUK5)2o+rdG$ci!C|>h~;XO3{8Dl^t#t*~zIXzn7geUZQS3F!I&N z67&A9n?iR=gnwM3wRpEicB`-rjOR}=A^zST#(z&DZ69k3I;()jv>HU1S|!nfVqi?T zWauZv-=$+3p6OM#OjjcgMG#?Q9}tzs^`0r|@#k1w0h&a}O2vaL3a@YwR zz_5P>g%|nM$W4Sr*8{^sC4#{Slif192ZJfXZaw~1gjuzIE5b^<$MQ2G%xD?o`e?+H z2O@0Gv2R7#qHDmzWZAun!b@!$xz#568J^1+wp{WM&lpe`V`;JSN36YF(1 z#cCPj7F>5XMj8><-6GJ3J4IMqf~@cA{MuzAZ$9R~3fr$XL95@wgHL=D`#XyFdg-KS z)ycf?Bn7J`VfgoVBJ6612-E+TnRKQL5f)cJ8`g~}3s~2UTd;0~z`9XK{6^TK`@oG3 z^jY}7F2YV8QawIFYT<;U)B!Ug>`H44LCg(Ke1h=9z}RhgzE5 zdEIcRk$lEVrR`(9?g^nK3M!lC%%z*lFFul2v=81z{Db0RxocxLC6=3Rc>B~oQ+UHR z&9>BQIn>?T*X(f86XPVnBFEhH*!`ig+P1(VKeJ@+=(ebt^F*6yZ<9)oq+V5dc5JrN 
z*%(RDS@ai{g~|tQJvQ$ep)DHb-jLR#Ro=U-*Zy+a-U!Blw5@Nnitg-gjJO;1VTwo} z{LWK8g%<(V$W4GnH{hR3W!UCs$TCJ{3d~Kp>%`ooK&?3mu+a;}_@(kBh~4kvWar1X%QI{G9#Bmdj>lE@R#hx#$8%m;`B;mBgEV zRZ+7QmyRm1i_{DGBK07O-eVqBV*L7b?@bj|vYR$V>}+seRfXT&cHnbnws>Y|Ib@cD zXSR;WtT!;@!r!4=nSCd~>gV7L+c+|yo^hgzmBF@2s?AaQvRveh%g#A*Cuma546?cP zD$NW_M{DZqmJFNXmrts*w%8t}iQNNUeMd1~1Xv?C0T%rRuW>C~jdKw5b*S-TAEL(N zfcdSY@1XJvZ>F_ko@YiC=527L#7m`XmNXiSyRKnDwU?j0c(0a=qUF23#eb3K`6iA_ z-gw8QZed-@VX1k~&m2FGop%{%0^_iA6658jS29-t_6~P3>zOX5;2j7sYfBdo9tGF~ z1omqM7(xr$Ug6^L-xpx!&SJa>u!CF$*k5?)Zp_ektAGF-pQ1R8ZvxC6A^%zdhM*m? L*DFr@B?9a}*AhXz literal 0 Hc-jL100001 -- 2.47.2