detect: add test for vlan.id

Ticket: #1065

diff --git a/tests/detect-vlan-id/README.md b/tests/detect-vlan-id/README.md
new file mode 100644 (file)
index 0000000..fb1b4f4
--- /dev/null
+++ b/tests/detect-vlan-id/README.md
@@ -0,0 +1,6 @@
+Test for checking the working of vlan.id keyword.
+The packet is an ICMP packet with 3 different VLAN ids [200,300,400].
+
+PCAP created with scapy 2.5.0.
+
+redmine ticket: https://redmine.openinfosecfoundation.org/issues/1065
\ No newline at end of file

diff --git a/tests/detect-vlan-id/input.pcap b/tests/detect-vlan-id/input.pcap
new file mode 100644 (file)
index 0000000..f43fd96
Binary files /dev/null and b/tests/detect-vlan-id/input.pcap differ

diff --git a/tests/detect-vlan-id/test.rules b/tests/detect-vlan-id/test.rules
new file mode 100644 (file)
index 0000000..eca703e
--- /dev/null
+++ b/tests/detect-vlan-id/test.rules
@@ -0,0 +1,11 @@
+alert ip any any -> any any (msg:"Vlan ID is equal to 200 with specific layer"; vlan.id:200,0; sid:1;)
+alert ip any any -> any any (msg:"One Vlan ID is equal to 300"; vlan.id:300; sid:2;)
+alert ip any any -> any any (msg:"Last Vlan ID is equal to 400"; vlan.id:400,-1; sid:3;)
+alert ip any any -> any any (msg:"Vlan ID is equal to 300 with specific layer"; vlan.id:0x12C,1; sid:4;)
+alert ip any any -> any any (msg:"Vlan ID at layer 1 is not equal to 200"; vlan.id:!200,1; sid:5;)
+alert ip any any -> any any (msg:"There is no VLAN ID equal to 500"; vlan.id:!500,all; sid:6;)
+alert ip any any -> any any (msg:"VLAN ID at layer 2 is between 100 and 600"; vlan.id:100-600,2; sid:7;)
+alert ip any any -> any any (msg:"VLAN ID at layer 1 is less than 400"; vlan.id:<400,1; sid:8;)
+alert ip any any -> any any (msg:"One Vlan ID is greater than or equal to 200"; vlan.id:>=0xC8; sid:9;)
+alert ip any any -> any any (msg:"All the Vlan IDs are greater than 100"; vlan.id:>100,all; sid:10;)
+alert ip any any -> any any (msg:"Vlan ID is equal to 200 - prefilter"; vlan.id:200,0; prefilter; sid:11;)
\ No newline at end of file

diff --git a/tests/detect-vlan-id/test.yaml b/tests/detect-vlan-id/test.yaml
new file mode 100644 (file)
index 0000000..fc2997a
--- /dev/null
+++ b/tests/detect-vlan-id/test.yaml
@@ -0,0 +1,66 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[0]: 200
+     alert.signature_id: 1
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[1]: 300
+     alert.signature_id: 2
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[2]: 400
+     alert.signature_id: 3
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[1]: 300
+     alert.signature_id: 4
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 5
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 6
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 7
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 8
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 9
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 10
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 11
\ No newline at end of file

diff --git a/tests/detect-vlan-id/writepcap.py b/tests/detect-vlan-id/writepcap.py
new file mode 100644 (file)
index 0000000..79068c7
--- /dev/null
+++ b/tests/detect-vlan-id/writepcap.py
@@ -0,0 +1,20 @@
+#! /usr/bin/env python3
+#scapy version 2.5.0
+from scapy.all import *
+
+CLIENT_MAC = "11:11:11:11:11:11"
+SERVER_MAC = "22:22:22:22:22:22"
+
+CLIENT_IP = "1.1.1.1"
+SERVER_IP = "2.2.2.2"
+
+request = (Ether(src=CLIENT_MAC, dst=SERVER_MAC) /
+               Dot1Q(vlan=200) /
+               Dot1Q(vlan=300) /
+               Dot1Q(vlan=400) /
+               IP(src=CLIENT_IP, dst=SERVER_IP) /
+               ICMP(type=8))
+
+response = Ether(src=SERVER_MAC, dst=CLIENT_MAC)/IP(src=SERVER_IP, dst=CLIENT_IP)/ICMP(type=0)
+
+wrpcap("input.pcap", [request, response], append=False)
\ No newline at end of file