tests: Update anomaly logging to use new config

diff --git a/tests/output-eve-anomaly/anomaly.pcap b/tests/output-eve-anomaly-01/anomaly.pcap
similarity index 100%
rename from tests/output-eve-anomaly/anomaly.pcap
rename to tests/output-eve-anomaly-01/anomaly.pcap

diff --git a/tests/output-eve-anomaly-01/suricata.yaml b/tests/output-eve-anomaly-01/suricata.yaml
new file mode 100644 (file)
index 0000000..d56ffcb
--- /dev/null
+++ b/tests/output-eve-anomaly-01/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - anomaly:
+            types:
+              decode: yes

diff --git a/tests/output-eve-anomaly/test.yaml b/tests/output-eve-anomaly-01/test.yaml
similarity index 78%
rename from tests/output-eve-anomaly/test.yaml
rename to tests/output-eve-anomaly-01/test.yaml
index c70239ddb21f9c8a0139b89b5d7e484d5f201616..e9b6f8f17cbe941354ce5257da32779d1d0d69ab 100644 (file)
--- a/tests/output-eve-anomaly/test.yaml
+++ b/tests/output-eve-anomaly-01/test.yaml
@@ -9,11 +9,16 @@ args:
   - -k none
 
 checks:
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: stream
   - filter:
       count: 48
       match:
         event_type: anomaly
-        anomaly.type: packet
+        anomaly.type: decode
   - filter:
       count: 4
       match:

diff --git a/tests/output-eve-anomaly-02/input.pcap b/tests/output-eve-anomaly-02/input.pcap
new file mode 100644 (file)
index 0000000..d50be33
Binary files /dev/null and b/tests/output-eve-anomaly-02/input.pcap differ

diff --git a/tests/output-eve-anomaly/suricata.yaml b/tests/output-eve-anomaly-02/suricata.yaml
similarity index 79%
rename from tests/output-eve-anomaly/suricata.yaml
rename to tests/output-eve-anomaly-02/suricata.yaml
index fe12f6bbd63a9c4c4256d7b865d03a653e928c3e..284402839cb1507cf7477c6c4575b52251766602 100644 (file)
--- a/tests/output-eve-anomaly/suricata.yaml
+++ b/tests/output-eve-anomaly-02/suricata.yaml
@@ -7,4 +7,3 @@ outputs:
       filetype: regular
       types:
         - anomaly:
-            protodecode: yes

diff --git a/tests/output-eve-anomaly-02/test.yaml b/tests/output-eve-anomaly-02/test.yaml
new file mode 100644 (file)
index 0000000..d4b4eb6
--- /dev/null
+++ b/tests/output-eve-anomaly-02/test.yaml
@@ -0,0 +1,28 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+  files:
+    - src/output-json-anomaly.c
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.type: applayer
+        anomaly.event: APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS
+        anomaly.layer: proto_detect
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: decode
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: stream

diff --git a/tests/output-eve-anomaly-03/input.pcap b/tests/output-eve-anomaly-03/input.pcap
new file mode 100644 (file)
index 0000000..d50be33
Binary files /dev/null and b/tests/output-eve-anomaly-03/input.pcap differ

diff --git a/tests/output-eve-anomaly-03/suricata.yaml b/tests/output-eve-anomaly-03/suricata.yaml
new file mode 100644 (file)
index 0000000..9e573b9
--- /dev/null
+++ b/tests/output-eve-anomaly-03/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - anomaly:
+            types:
+                stream: yes
+                applayer: no

diff --git a/tests/output-eve-anomaly-03/test.yaml b/tests/output-eve-anomaly-03/test.yaml
new file mode 100644 (file)
index 0000000..e3e7a18
--- /dev/null
+++ b/tests/output-eve-anomaly-03/test.yaml
@@ -0,0 +1,28 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+  files:
+    - src/output-json-anomaly.c
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.type: stream
+        anomaly.event: stream.pkt_invalid_timestamp
+
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: decode
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: applayer

diff --git a/tests/output-eve-anomaly-packethdr/suricata.yaml b/tests/output-eve-anomaly-packethdr/suricata.yaml
index 9340e81a840814dc21f3a85111d458f118f58498..0579626c22e1e890d0031e6496201f68833edcd5 100644 (file)
--- a/tests/output-eve-anomaly-packethdr/suricata.yaml
+++ b/tests/output-eve-anomaly-packethdr/suricata.yaml
@@ -7,5 +7,6 @@ outputs:
       filetype: regular
       types:
         - anomaly:
-            protodecode: yes
+            types:
+              decode: yes
             packethdr: yes            # enable dumping of packet header

diff --git a/tests/output-eve-anomaly-packethdr/test.yaml b/tests/output-eve-anomaly-packethdr/test.yaml
index eff89ddba88a7cf4f2be9d330e1eb1dcd7f2e695..f71256de0dba754facd4e0ae3b7caae6563648a5 100644 (file)
--- a/tests/output-eve-anomaly-packethdr/test.yaml
+++ b/tests/output-eve-anomaly-packethdr/test.yaml
@@ -9,11 +9,17 @@ args:
   - -k none
 
 checks:
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: stream
+
   - filter:
       count: 48
       match:
         event_type: anomaly
-        anomaly.type: packet
+        anomaly.type: decode
         packet_info.linktype: 1
         has-key: packet
   - filter: