tests/anomaly: Verify metadata section
authorJeff Lucovsky <jeff@lucovsky.org>
Thu, 17 Sep 2020 13:54:04 +0000 (09:54 -0400)
committerVictor Julien <victor@inliniac.net>
Thu, 3 Dec 2020 06:52:36 +0000 (07:52 +0100)
This commit verifies that the "metadata" element, if any, is in the
proper place within anomaly event records.

tests/output-eve-anomaly-05/input.pcap [new file with mode: 0644]
tests/output-eve-anomaly-05/suricata.yaml [new file with mode: 0644]
tests/output-eve-anomaly-05/test.rules [new file with mode: 0644]
tests/output-eve-anomaly-05/test.yaml [new file with mode: 0644]

diff --git a/tests/output-eve-anomaly-05/input.pcap b/tests/output-eve-anomaly-05/input.pcap
new file mode 100644 (file)
index 0000000..d50be33
Binary files /dev/null and b/tests/output-eve-anomaly-05/input.pcap differ
diff --git a/tests/output-eve-anomaly-05/suricata.yaml b/tests/output-eve-anomaly-05/suricata.yaml
new file mode 100644 (file)
index 0000000..e63fb67
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      metadata: yes
+      filetype: regular
+      types:
+        - anomaly:
+            types:
+                stream: yes
+                applayer: no
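Review bot: The anomaly `types` block at the end of the hunk never sets `decode`, yet the second check in test.yaml expects zero decode-type anomaly records, so that expectation holds only through Suricata's built-in default rather than anything this fixture states; adding `decode: no` beside `stream: yes` makes the intent explicit and keeps the test independent of a default that could change. The last two lines (`stream`, `applayer`) are also indented four spaces under `types:` while the rest of the file uses two, which reads as a different nesting level at first glance. The `%YAML 1.1` directive at the top does make the `yes`/`no` booleans well-defined, so those can stay as written.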
diff --git a/tests/output-eve-anomaly-05/test.rules b/tests/output-eve-anomaly-05/test.rules
new file mode 100644 (file)
index 0000000..6956cf8
--- /dev/null
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"ET CNC Shadowserver Reported CnC Server Port 80 Group 1"; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:1; rev:1;)
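Review bot: The rule carries a production-looking message (`ET CNC Shadowserver Reported CnC Server Port 80 Group 1`) but its header is `alert ip any any -> any any`, so it fires on every packet; a reader could mistake it for a real CnC detection. A comment line above the rule would record its actual role in the fixture, e.g. `# Fires on every packet and sets two flowbits so the anomaly records checked by test.yaml carry a metadata section.` Keeping a descriptive `msg` such as "anomaly metadata test" instead of the copied ET text would make the same point without a comment.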
diff --git a/tests/output-eve-anomaly-05/test.yaml b/tests/output-eve-anomaly-05/test.yaml
new file mode 100644 (file)
index 0000000..66bb464
--- /dev/null
@@ -0,0 +1,26 @@
+requires:
+  min-version: 6
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.type: stream
+        anomaly.event: stream.pkt_invalid_timestamp
+        metadata.flowbits[0]: "ET.Evil"
+
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: decode
+
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
+        anomaly.type: applayer
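Review bot: The first filter pins `metadata.flowbits[0]` to `"ET.Evil"`, which assumes the flowbits array keeps the order in which test.rules sets them (`ET.Evil` then `ET.BotccIP`); if that ordering is not guaranteed by the metadata output, the check fails without explaining why. A comment above the match, e.g. `# flowbits are expected in the order test.rules sets them: ET.Evil, ET.BotccIP`, would record the assumption, or the match could also name the second entry so the dependency is visible. The two count-0 filters for `decode` and `applayer` only confirm those anomaly types are absent; they depend on suricata.yaml (where `applayer` is disabled and `decode` is left at its default) and do not exercise the metadata placement the commit message describes, so a short comment stating what each filter guards against would help the next reader.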