add cases for MAC addresses in EVE-JSON

author Sascha Steinbiss <satta@debian.org>

Tue, 10 Mar 2020 20:10:48 +0000 (21:10 +0100)

committer Victor Julien <victor@inliniac.net>

Mon, 3 Aug 2020 08:59:45 +0000 (10:59 +0200)
author Sascha Steinbiss <satta@debian.org>
Tue, 10 Mar 2020 20:10:48 +0000 (21:10 +0100)
committer Victor Julien <victor@inliniac.net>
Mon, 3 Aug 2020 08:59:45 +0000 (10:59 +0200)
diff --git a/tests/mac-eve-multiple-disabled/multi_mac.pcap b/tests/mac-eve-multiple-disabled/multi_mac.pcap

new file mode 100644 (file)

index 0000000..d47e7b6

Binary files /dev/null and b/tests/mac-eve-multiple-disabled/multi_mac.pcap differ
diff --git a/tests/mac-eve-multiple-disabled/suricata.yaml b/tests/mac-eve-multiple-disabled/suricata.yaml

new file mode 100644 (file)

index 0000000..a3a5c71
--- /dev/null
+++ b/tests/mac-eve-multiple-disabled/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      ethernet: no
+      types:
+        - flow
diff --git a/tests/mac-eve-multiple-disabled/test.yaml b/tests/mac-eve-multiple-disabled/test.yaml

new file mode 100644 (file)

index 0000000..983adb6
--- /dev/null
+++ b/tests/mac-eve-multiple-disabled/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 6.0.0
+  files:
+    - src/util-macset.c
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        not-has-key: ether
diff --git a/tests/mac-eve-multiple/multi_mac.pcap b/tests/mac-eve-multiple/multi_mac.pcap

new file mode 100644 (file)

index 0000000..d47e7b6

Binary files /dev/null and b/tests/mac-eve-multiple/multi_mac.pcap differ
diff --git a/tests/mac-eve-multiple/suricata.yaml b/tests/mac-eve-multiple/suricata.yaml

new file mode 100644 (file)

index 0000000..cef8a0d
--- /dev/null
+++ b/tests/mac-eve-multiple/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      ethernet: yes
+      types:
+        - flow
diff --git a/tests/mac-eve-multiple/test.yaml b/tests/mac-eve-multiple/test.yaml

new file mode 100644 (file)

index 0000000..1fdcf34
--- /dev/null
+++ b/tests/mac-eve-multiple/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  min-version: 6.0.0
+  files:
+    - src/util-macset.c
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        ether.dest_macs: ["00:00:0c:01:01:14","00:00:0c:01:01:12"]
+        ether.src_macs: ["00:00:0c:01:01:13","00:00:0c:01:01:11"]
diff --git a/tests/mac-eve-single-disabled/suricata.yaml b/tests/mac-eve-single-disabled/suricata.yaml

new file mode 100644 (file)

index 0000000..edeaeef
--- /dev/null
+++ b/tests/mac-eve-single-disabled/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      ethernet: no
+      types:
+        - dns
+        - flow
diff --git a/tests/mac-eve-single-disabled/test.pcap b/tests/mac-eve-single-disabled/test.pcap

new file mode 100644 (file)

index 0000000..a4549a4

Binary files /dev/null and b/tests/mac-eve-single-disabled/test.pcap differ
diff --git a/tests/mac-eve-single-disabled/test.yaml b/tests/mac-eve-single-disabled/test.yaml

new file mode 100644 (file)

index 0000000..5b3642b
--- /dev/null
+++ b/tests/mac-eve-single-disabled/test.yaml
@@ -0,0 +1,20 @@
+requires:
+  min-version: 6.0.0
+  files:
+    - src/util-macset.c
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        not-has-key: ether
+
+  - filter:
+      count: 1
+      match:
+        event_type: dns
+        not-has-key: ether
diff --git a/tests/mac-eve-single/suricata.yaml b/tests/mac-eve-single/suricata.yaml

new file mode 100644 (file)

index 0000000..ebc8d86
--- /dev/null
+++ b/tests/mac-eve-single/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      ethernet: yes
+      types:
+        - dns
+        - flow
diff --git a/tests/mac-eve-single/test.pcap b/tests/mac-eve-single/test.pcap

new file mode 100644 (file)

index 0000000..a4549a4

Binary files /dev/null and b/tests/mac-eve-single/test.pcap differ
diff --git a/tests/mac-eve-single/test.yaml b/tests/mac-eve-single/test.yaml

new file mode 100644 (file)

index 0000000..38f0540
--- /dev/null
+++ b/tests/mac-eve-single/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 6.0.0
+  files:
+    - src/util-macset.c
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        ether.dest_macs: ["0c:c4:7a:ac:83:d7"]
+        ether.src_macs: ["f8:59:71:a9:05:60"]
+
+  - filter:
+      count: 1
+      match:
+        event_type: dns
+        ether.src_mac: f8:59:71:a9:05:60
+        ether.dest_mac: 0c:c4:7a:ac:83:d7
author	Sascha Steinbiss <satta@debian.org>
	Tue, 10 Mar 2020 20:10:48 +0000 (21:10 +0100)
committer	Victor Julien <victor@inliniac.net>
	Mon, 3 Aug 2020 08:59:45 +0000 (10:59 +0200)
tests/mac-eve-multiple-disabled/multi_mac.pcap	[new file with mode: 0644]	patch \| blob
tests/mac-eve-multiple-disabled/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/mac-eve-multiple-disabled/test.yaml	[new file with mode: 0644]	patch \| blob
tests/mac-eve-multiple/multi_mac.pcap	[new file with mode: 0644]	patch \| blob
tests/mac-eve-multiple/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/mac-eve-multiple/test.yaml	[new file with mode: 0644]	patch \| blob
tests/mac-eve-single-disabled/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/mac-eve-single-disabled/test.pcap	[new file with mode: 0644]	patch \| blob
tests/mac-eve-single-disabled/test.yaml	[new file with mode: 0644]	patch \| blob
tests/mac-eve-single/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/mac-eve-single/test.pcap	[new file with mode: 0644]	patch \| blob
tests/mac-eve-single/test.yaml	[new file with mode: 0644]	patch \| blob