Adds test case for JSON anomaly logging

author Jeff Lucovsky <jeff@lucovsky.org>

Wed, 17 Apr 2019 23:34:36 +0000 (16:34 -0700)

committer Jeff Lucovsky <jeff@lucovsky.org>

Sat, 27 Apr 2019 14:00:44 +0000 (07:00 -0700)
author Jeff Lucovsky <jeff@lucovsky.org>
Wed, 17 Apr 2019 23:34:36 +0000 (16:34 -0700)
committer Jeff Lucovsky <jeff@lucovsky.org>
Sat, 27 Apr 2019 14:00:44 +0000 (07:00 -0700)
diff --git a/tests/output-eve-anomaly-packethdr/anomaly.pcap b/tests/output-eve-anomaly-packethdr/anomaly.pcap

new file mode 100644 (file)

index 0000000..bf0f25b

Binary files /dev/null and b/tests/output-eve-anomaly-packethdr/anomaly.pcap differ
diff --git a/tests/output-eve-anomaly-packethdr/suricata.yaml b/tests/output-eve-anomaly-packethdr/suricata.yaml

new file mode 100644 (file)

index 0000000..dce7bb0
--- /dev/null
+++ b/tests/output-eve-anomaly-packethdr/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - anomaly:
+            packethdr: yes            # enable dumping of packet header
diff --git a/tests/output-eve-anomaly-packethdr/test.yaml b/tests/output-eve-anomaly-packethdr/test.yaml

new file mode 100644 (file)

index 0000000..c268cfb
--- /dev/null
+++ b/tests/output-eve-anomaly-packethdr/test.yaml
@@ -0,0 +1,27 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+  files:
+    - src/output-json-anomaly.c
+
+checks:
+  - filter:
+      count: 48
+      match:
+        event_type: anomaly
+        anomaly.type: packet
+        packet_info.linktype: 1
+        has-key: packet
+  - filter:
+      count: 4
+      match:
+        anomaly.event: decoder.icmpv4.unknown_code
+  - filter:
+      count: 42
+      match:
+        anomaly.event: decoder.icmpv4.unknown_type
+  - filter:
+      count: 2
+      match:
+        anomaly.event: decoder.ipv4.trunc_pkt
diff --git a/tests/output-eve-anomaly/anomaly.pcap b/tests/output-eve-anomaly/anomaly.pcap

new file mode 100644 (file)

index 0000000..bf0f25b

Binary files /dev/null and b/tests/output-eve-anomaly/anomaly.pcap differ
diff --git a/tests/output-eve-anomaly/suricata.yaml b/tests/output-eve-anomaly/suricata.yaml

new file mode 100644 (file)

index 0000000..2844028
--- /dev/null
+++ b/tests/output-eve-anomaly/suricata.yaml
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - anomaly:
diff --git a/tests/output-eve-anomaly/test.yaml b/tests/output-eve-anomaly/test.yaml

new file mode 100644 (file)

index 0000000..d079287
--- /dev/null
+++ b/tests/output-eve-anomaly/test.yaml
@@ -0,0 +1,25 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+  files:
+    - src/output-json-anomaly.c
+
+checks:
+  - filter:
+      count: 48
+      match:
+        event_type: anomaly
+        anomaly.type: packet
+  - filter:
+      count: 4
+      match:
+        anomaly.event: decoder.icmpv4.unknown_code
+  - filter:
+      count: 42
+      match:
+        anomaly.event: decoder.icmpv4.unknown_type
+  - filter:
+      count: 2
+      match:
+        anomaly.event: decoder.ipv4.trunc_pkt
author	Jeff Lucovsky <jeff@lucovsky.org>
	Wed, 17 Apr 2019 23:34:36 +0000 (16:34 -0700)
committer	Jeff Lucovsky <jeff@lucovsky.org>
	Sat, 27 Apr 2019 14:00:44 +0000 (07:00 -0700)
tests/output-eve-anomaly-packethdr/anomaly.pcap	[new file with mode: 0644]	patch \| blob
tests/output-eve-anomaly-packethdr/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/output-eve-anomaly-packethdr/test.yaml	[new file with mode: 0644]	patch \| blob
tests/output-eve-anomaly/anomaly.pcap	[new file with mode: 0644]	patch \| blob
tests/output-eve-anomaly/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/output-eve-anomaly/test.yaml	[new file with mode: 0644]	patch \| blob