tests/esp: Add test for logging ESP flow/netflow

diff --git a/tests/eve-flow-esp/input.pcap b/tests/eve-flow-esp/input.pcap
new file mode 100644 (file)
index 0000000..c320806
Binary files /dev/null and b/tests/eve-flow-esp/input.pcap differ

diff --git a/tests/eve-flow-esp/suricata.yaml b/tests/eve-flow-esp/suricata.yaml
new file mode 100644 (file)
index 0000000..969d222
--- /dev/null
+++ b/tests/eve-flow-esp/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - flow
+        - netflow

diff --git a/tests/eve-flow-esp/test.yaml b/tests/eve-flow-esp/test.yaml
new file mode 100644 (file)
index 0000000..253546b
--- /dev/null
+++ b/tests/eve-flow-esp/test.yaml
@@ -0,0 +1,74 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 7
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        spi: 123
+        src_ip: 190.0.0.1
+        dest_ip: 190.0.0.2
+        flow.pkts_toserver: 2
+        flow.pkts_toclient: 0
+  - filter:
+      count: 1
+      match:
+        event_type: netflow
+        spi: 123
+        src_ip: 190.0.0.1
+        dest_ip: 190.0.0.2
+        netflow.pkts: 2
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        spi: 321
+        src_ip: 190.0.0.1
+        dest_ip: 190.0.0.2
+        flow.pkts_toserver: 2
+        flow.pkts_toclient: 0
+  - filter:
+      count: 1
+      match:
+        event_type: netflow
+        spi: 321
+        src_ip: 190.0.0.1
+        dest_ip: 190.0.0.2
+        netflow.pkts: 2
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        spi: 123
+        src_ip: 190.0.0.1
+        dest_ip: 190.0.0.3
+        flow.pkts_toserver: 2
+        flow.pkts_toclient: 0
+  - filter:
+      count: 1
+      match:
+        event_type: netflow
+        spi: 123
+        src_ip: 190.0.0.1
+        dest_ip: 190.0.0.3
+        netflow.pkts: 2
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        spi: 123
+        src_ip: 0000:0000:0000:0000:0000:0000:0000:0001
+        dest_ip: 0000:0000:0000:0000:0000:0000:0000:0002
+        flow.pkts_toserver: 2
+        flow.pkts_toclient: 0
+  - filter:
+      count: 1
+      match:
+        event_type: netflow
+        spi: 123
+        src_ip: 0000:0000:0000:0000:0000:0000:0000:0001
+        dest_ip: 0000:0000:0000:0000:0000:0000:0000:0002
+        netflow.pkts: 2

diff --git a/tests/eve-flow-esp/writepcap.py b/tests/eve-flow-esp/writepcap.py
new file mode 100755 (executable)
index 0000000..1173d4c
--- /dev/null
+++ b/tests/eve-flow-esp/writepcap.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+from scapy.all import *
+import struct
+
+pkts = []
+
+# First flow
+pkts += Ether()/ \
+    IP(src='190.0.0.1', dst='190.0.0.2')/ \
+    ESP(spi=123, seq=1)
+pkts += Ether()/ \
+    IP(src='190.0.0.1', dst='190.0.0.2')/ \
+    ESP(spi=123, seq=2)
+
+# Second flow
+# Same src/dst, diffrent SPI
+pkts += Ether()/ \
+    IP(src='190.0.0.1', dst='190.0.0.2')/ \
+    ESP(spi=321, seq=1)
+pkts += Ether()/ \
+    IP(src='190.0.0.1', dst='190.0.0.2')/ \
+    ESP(spi=321, seq=2)
+
+# Third flow
+# Same SPI, different dst
+pkts += Ether()/ \
+    IP(src='190.0.0.1', dst='190.0.0.3')/ \
+    ESP(spi=123, seq=1)
+pkts += Ether()/ \
+    IP(src='190.0.0.1', dst='190.0.0.3')/ \
+    ESP(spi=123, seq=2)
+
+# Fourth flow
+# IPv6
+pkts += Ether()/ \
+    IPv6(src='::1', dst='::2')/ \
+    ESP(spi=123, seq=1)
+pkts += Ether()/ \
+    IPv6(src='::1', dst='::2')/ \
+    ESP(spi=123, seq=2)
+
+wrpcap('input.pcap', pkts)