Added test to validate the pppoe decoder can handle an 8 bit protocol field.

Redmine https://redmine.openinfosecfoundation.org/issues/4810

diff --git a/tests/bug-4810/README.md b/tests/bug-4810/README.md
new file mode 100644 (file)
index 0000000..f147add
--- /dev/null
+++ b/tests/bug-4810/README.md
@@ -0,0 +1,4 @@
+# Description
+
+Test if 8 bit protocol fields are correctly handled by pppoe decoder
+by identifying the http payload.

diff --git a/tests/bug-4810/pppoe-session-http.pcap b/tests/bug-4810/pppoe-session-http.pcap
new file mode 100644 (file)
index 0000000..90a24d3
Binary files /dev/null and b/tests/bug-4810/pppoe-session-http.pcap differ

diff --git a/tests/bug-4810/suricata.yaml.bkp b/tests/bug-4810/suricata.yaml.bkp
new file mode 100644 (file)
index 0000000..1987f04
--- /dev/null
+++ b/tests/bug-4810/suricata.yaml.bkp
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - http:
+            dump-all-headers: both

diff --git a/tests/bug-4810/test.yaml b/tests/bug-4810/test.yaml
new file mode 100644 (file)
index 0000000..37c86c9
--- /dev/null
+++ b/tests/bug-4810/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 5.0.0
+
+checks:
+ 
+  # Correctly identify the http header in the pppoe payload with a 
+  # 8 bit ppp protocol field
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.status: 200
+        http.http_method: "GET"
+        http.url: "/"