tests: lz4 pcap write tests

diff --git a/tests/pcap-log-lz4-01/README.md b/tests/pcap-log-lz4-01/README.md
new file mode 100644 (file)
index 0000000..ca40072
--- /dev/null
+++ b/tests/pcap-log-lz4-01/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 2 lz4 compress pcap files.

diff --git a/tests/pcap-log-lz4-01/suricata.yaml b/tests/pcap-log-lz4-01/suricata.yaml
new file mode 100644 (file)
index 0000000..a6c1e13
--- /dev/null
+++ b/tests/pcap-log-lz4-01/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+  - pcap-log:
+      enabled: yes
+      filename: log.pcap
+      compression: lz4
+      mode: normal
+      limit: 4mb
+      ts-format: usec
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+  outputs:
+    - console:
+        enabled: yes
+    - file:
+        enabled: yes
+        level: perf
+        filename: eve.json
+        type: json

diff --git a/tests/pcap-log-lz4-01/test.yaml b/tests/pcap-log-lz4-01/test.yaml
new file mode 100644 (file)
index 0000000..8d722f1
--- /dev/null
+++ b/tests/pcap-log-lz4-01/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - liblz4
+  min-version: 8
+      
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+  - --runmode=single
+
+checks:
+    - shell:
+        args: ls -l log.pcap.15233891*.lz4 | wc -l | xargs
+        expect: 2

diff --git a/tests/pcap-log-lz4-02-multi/README.md b/tests/pcap-log-lz4-02-multi/README.md
new file mode 100644 (file)
index 0000000..f21dfe8
--- /dev/null
+++ b/tests/pcap-log-lz4-02-multi/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 2 lz4 compress pcap files in multi mode.

diff --git a/tests/pcap-log-lz4-02-multi/suricata.yaml b/tests/pcap-log-lz4-02-multi/suricata.yaml
new file mode 100644 (file)
index 0000000..79dd2e8
--- /dev/null
+++ b/tests/pcap-log-lz4-02-multi/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+  - pcap-log:
+      enabled: yes
+      filename: log.pcap.%n-%t
+      compression: lz4
+      mode: multi
+      limit: 4mb
+      ts-format: usec
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+  outputs:
+    - console:
+        enabled: yes
+    - file:
+        enabled: yes
+        level: perf
+        filename: eve.json
+        type: json

diff --git a/tests/pcap-log-lz4-02-multi/test.yaml b/tests/pcap-log-lz4-02-multi/test.yaml
new file mode 100644 (file)
index 0000000..6f25022
--- /dev/null
+++ b/tests/pcap-log-lz4-02-multi/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - liblz4
+  min-version: 8
+      
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+  - --runmode=single
+
+checks:
+    - shell:
+        args: ls -l log.pcap.1-15233891*.lz4 | wc -l | xargs
+        expect: 2

diff --git a/tests/pcap-log-lz4-03-multi-ring/README.md b/tests/pcap-log-lz4-03-multi-ring/README.md
new file mode 100644 (file)
index 0000000..4cd4e7b
--- /dev/null
+++ b/tests/pcap-log-lz4-03-multi-ring/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 1 lz4 compressed pcap files in multi mode, as ring setting (max-files) is 1.

diff --git a/tests/pcap-log-lz4-03-multi-ring/suricata.yaml b/tests/pcap-log-lz4-03-multi-ring/suricata.yaml
new file mode 100644 (file)
index 0000000..ac5b1b7
--- /dev/null
+++ b/tests/pcap-log-lz4-03-multi-ring/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+  - pcap-log:
+      enabled: yes
+      filename: log.pcap.%n-%t
+      compression: lz4
+      mode: multi
+      limit: 4mb
+      ts-format: usec
+      max-files: 1
+      lz4-checksum: yes
+      lz4-level: 16
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+  outputs:
+    - console:
+        enabled: yes
+    - file:
+        enabled: yes
+        level: perf
+        filename: eve.json
+        type: json

diff --git a/tests/pcap-log-lz4-03-multi-ring/test.yaml b/tests/pcap-log-lz4-03-multi-ring/test.yaml
new file mode 100644 (file)
index 0000000..9944a3a
--- /dev/null
+++ b/tests/pcap-log-lz4-03-multi-ring/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - liblz4
+  min-version: 8
+      
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+  - --runmode=single
+
+checks:
+    - shell:
+        args: ls -l log.pcap.1-15233891*.lz4 | wc -l | xargs
+        expect: 1

diff --git a/tests/pcap-log-lz4-04-multi-ring-profile/README.md b/tests/pcap-log-lz4-04-multi-ring-profile/README.md
new file mode 100644 (file)
index 0000000..ff24676
--- /dev/null
+++ b/tests/pcap-log-lz4-04-multi-ring-profile/README.md
@@ -0,0 +1,3 @@
+Test that Suricata will write 1 lz4 compressed pcap files in multi mode, as ring setting (max-files) is 1.
+
+Enable pcap logging profiling.

diff --git a/tests/pcap-log-lz4-04-multi-ring-profile/suricata.yaml b/tests/pcap-log-lz4-04-multi-ring-profile/suricata.yaml
new file mode 100644 (file)
index 0000000..82fbdf2
--- /dev/null
+++ b/tests/pcap-log-lz4-04-multi-ring-profile/suricata.yaml
@@ -0,0 +1,30 @@
+%YAML 1.1
+---
+
+outputs:
+  - pcap-log:
+      enabled: yes
+      filename: log.pcap.%n-%t
+      compression: lz4
+      mode: multi
+      limit: 4mb
+      ts-format: usec
+      max-files: 1
+      lz4-checksum: yes
+      lz4-level: 16
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+  outputs:
+    - console:
+        enabled: yes
+    - file:
+        enabled: yes
+        level: perf
+        filename: eve.json
+        type: json
+
+profiling:
+  pcap-log:
+    enabled: yes
+    filename: pcap-stats.log

diff --git a/tests/pcap-log-lz4-04-multi-ring-profile/test.yaml b/tests/pcap-log-lz4-04-multi-ring-profile/test.yaml
new file mode 100644 (file)
index 0000000..007ee98
--- /dev/null
+++ b/tests/pcap-log-lz4-04-multi-ring-profile/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  features:
+    - liblz4
+  min-version: 8
+      
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+  - --runmode=single
+
+checks:
+    - shell:
+        args: ls -l log.pcap.1-15233891*.lz4 | wc -l | xargs
+        expect: 1
+    - shell:
+        args: cat pcap-stats.log | grep -E 'open[[:space:]]+2' | wc -l | xargs
+        expect: 1

diff --git a/tests/pcap-log-lz4-05-tunnel/README.md b/tests/pcap-log-lz4-05-tunnel/README.md
new file mode 100644 (file)
index 0000000..deaeb23
--- /dev/null
+++ b/tests/pcap-log-lz4-05-tunnel/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 1 compress pcap file for tunnel packets.

diff --git a/tests/pcap-log-lz4-05-tunnel/suricata.yaml b/tests/pcap-log-lz4-05-tunnel/suricata.yaml
new file mode 100644 (file)
index 0000000..a6c1e13
--- /dev/null
+++ b/tests/pcap-log-lz4-05-tunnel/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+  - pcap-log:
+      enabled: yes
+      filename: log.pcap
+      compression: lz4
+      mode: normal
+      limit: 4mb
+      ts-format: usec
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+  outputs:
+    - console:
+        enabled: yes
+    - file:
+        enabled: yes
+        level: perf
+        filename: eve.json
+        type: json

diff --git a/tests/pcap-log-lz4-05-tunnel/test.yaml b/tests/pcap-log-lz4-05-tunnel/test.yaml
new file mode 100644 (file)
index 0000000..e8ff00a
--- /dev/null
+++ b/tests/pcap-log-lz4-05-tunnel/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - liblz4
+  min-version: 8
+      
+pcap: ../vxlan-decoder-01/input.pcap
+
+args:
+  - --runmode=single
+
+checks:
+    - shell:
+        args: ls -l log.pcap.1525778007.671337.lz4 | wc -l | xargs
+        expect: 1