test: test pcap filter on pcap-log

author Jason Ish <jason.ish@oisf.net>

Tue, 1 Apr 2025 22:16:14 +0000 (16:16 -0600)

committer Victor Julien <victor@inliniac.net>

Mon, 7 Apr 2025 12:21:37 +0000 (14:21 +0200)
author Jason Ish <jason.ish@oisf.net>
Tue, 1 Apr 2025 22:16:14 +0000 (16:16 -0600)
committer Victor Julien <victor@inliniac.net>
Mon, 7 Apr 2025 12:21:37 +0000 (14:21 +0200)
diff --git a/tests/output-pcap-log-filter/README.md b/tests/output-pcap-log-filter/README.md

new file mode 100644 (file)

index 0000000..08740eb
--- /dev/null
+++ b/tests/output-pcap-log-filter/README.md
@@ -0,0 +1,4 @@
+Simple test to check that the BPF filter on pcap-log is applied.
+
+To check, we verify against an expected output file that only has the UDP DNS
+traffic in it.
diff --git a/tests/output-pcap-log-filter/expected/log.pcap.1444144603 b/tests/output-pcap-log-filter/expected/log.pcap.1444144603

new file mode 100644 (file)

index 0000000..5c9ee35

Binary files /dev/null and b/tests/output-pcap-log-filter/expected/log.pcap.1444144603 differ
diff --git a/tests/output-pcap-log-filter/input.pcap b/tests/output-pcap-log-filter/input.pcap

new file mode 100644 (file)

index 0000000..0f33aa1

Binary files /dev/null and b/tests/output-pcap-log-filter/input.pcap differ
diff --git a/tests/output-pcap-log-filter/suricata.yaml b/tests/output-pcap-log-filter/suricata.yaml

new file mode 100644 (file)

index 0000000..c99b101
--- /dev/null
+++ b/tests/output-pcap-log-filter/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - stats:
+  - pcap-log:
+      enabled: yes
+      filename: log.pcap
+      limit: 1gb
+      max-files: 1000
+      mode: normal
+      use-stream-depth: no
+      honor-pass-rules: no
+      bpf-filter: udp and port 53
diff --git a/tests/output-pcap-log-filter/test.yaml b/tests/output-pcap-log-filter/test.yaml

new file mode 100644 (file)

index 0000000..9c64995
--- /dev/null
+++ b/tests/output-pcap-log-filter/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  min-version: 8
+
+args:
+  - --runmode single
+
+checks:
+  - file-compare:
+      filename: log.pcap.1444144603
+      expected: expected/log.pcap.1444144603
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.pcap_log.written: 8
+        stats.pcap_log.filtered_bpf: 10
author	Jason Ish <jason.ish@oisf.net>
	Tue, 1 Apr 2025 22:16:14 +0000 (16:16 -0600)
committer	Victor Julien <victor@inliniac.net>
	Mon, 7 Apr 2025 12:21:37 +0000 (14:21 +0200)
tests/output-pcap-log-filter/README.md	[new file with mode: 0644]	patch \| blob
tests/output-pcap-log-filter/expected/log.pcap.1444144603	[new file with mode: 0644]	patch \| blob
tests/output-pcap-log-filter/input.pcap	[new file with mode: 0644]	patch \| blob
tests/output-pcap-log-filter/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/output-pcap-log-filter/test.yaml	[new file with mode: 0644]	patch \| blob