test: unified2 xff
authorJason Ish <ish@unx.ca>
Fri, 16 Feb 2018 20:39:16 +0000 (14:39 -0600)
committerJason Ish <ish@unx.ca>
Fri, 16 Feb 2018 20:39:16 +0000 (14:39 -0600)
tests/http-xff-unified2/README.md [new file with mode: 0644]
tests/http-xff-unified2/suricata.yaml [new file with mode: 0644]
tests/http-xff-unified2/test.rules [new file with mode: 0644]
tests/http-xff-unified2/test.yaml [new file with mode: 0644]
tests/http-xff-unified2/xff-extradata.pcap [new file with mode: 0644]

diff --git a/tests/http-xff-unified2/README.md b/tests/http-xff-unified2/README.md
new file mode 100644 (file)
index 0000000..b195988
--- /dev/null
@@ -0,0 +1,32 @@
+Test output of XFF in unified2 alert logging.
+
+## Related Issues and Pull Requests
+- https://redmine.openinfosecfoundation.org/issues/2305
+- https://github.com/OISF/suricata/pull/3119
+
+## PCAP origin
+
+https://redmine.openinfosecfoundation.org/attachments/1424/xff-extradata.pcap
+
+### Request Headers
+
+GET /~sgtatham/putty/0.60/x86/pscp.exe HTTP/1.1
+User-Agent: Wget/1.17.1 (linux-gnu)
+Accept: */*
+Accept-Encoding: identity
+Host: the.earth.li
+Connection: Keep-Alive
+X-Forwarded-For: 10.1.23.250, 10.1.23.250
+
+### Response Headers
+
+HTTP/1.1 200 OK
+Date: Wed, 27 Sep 2017 18:58:30 GMT
+Server: Apache
+Last-Modified: Sun, 29 Apr 2007 13:02:37 GMT
+ETag: "48000-42f3ffb92f540"
+Accept-Ranges: bytes
+Content-Length: 294912
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/x-msdos-program
diff --git a/tests/http-xff-unified2/suricata.yaml b/tests/http-xff-unified2/suricata.yaml
new file mode 100644 (file)
index 0000000..c6f1612
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+outputs:
+  - unified2-alert:
+      enabled: yes
+      nostamp: yes
+      xff:
+        enabled: yes
+      payload: no
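Review bot: The `xff:` block at the end of this hunk only sets `enabled: yes`, so the `xff_ip4` extra-data record that test.yaml checks for rests on Suricata's defaults for the XFF mode, deployment direction and header name. A test that exists to pin XFF extra-data output is clearer, and more robust to a future change of those defaults, if it states them: `mode: extra-data`, `deployment: reverse`, `header: X-Forwarded-For` under `xff:`. Note also that the two addresses in the captured header are identical (see the README hunk), so the test cannot tell a forward from a reverse deployment; a comment saying so would save the next reader from assuming it does.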
diff --git a/tests/http-xff-unified2/test.rules b/tests/http-xff-unified2/test.rules
new file mode 100644 (file)
index 0000000..78624d9
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST RULE"; content:"DOS mode"; http_server_body; sid:1; rev:1;)
diff --git a/tests/http-xff-unified2/test.yaml b/tests/http-xff-unified2/test.yaml
new file mode 100644 (file)
index 0000000..4ce902b
--- /dev/null
@@ -0,0 +1,25 @@
+requires:
+  script:
+    - grep Unified2XFFTypeAlert src/alert-unified2-alert.c > /dev/null
+    # Require the idstools-u2json tool.
+    - which idstools-u2json > /dev/null 2>&1
+
+args:
+  - -k none
+
+pre-check: |
+  # Convert the unified2 to json.
+  idstools-u2json --output unified2.json unified2.alert 2> /dev/null
+
+checks:
+  - filter:
+      filename: unified2.json
+      count: 1
+      match:
+        type: event
+  - filter:
+      filename: unified2.json
+      count: 1
+      match:
+        type: extra-data
+        extra-data.extra-data-type: xff_ip4
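Review bot: The `pre-check` line `idstools-u2json --output unified2.json unified2.alert 2> /dev/null` discards the converter's stderr, so if the tool fails (missing input, incompatible version) the only symptom is that both `checks` entries fail on a missing unified2.json with no hint why; dropping the `2> /dev/null` lets the real error surface in the test log. The input filename `unified2.alert` relies on `nostamp: yes` in the accompanying suricata.yaml, which is worth a one-line comment next to the command, e.g. `# nostamp is set in suricata.yaml, so the file has no timestamp suffix.` Minor: `which idstools-u2json` in `requires.script` is shell-dependent; `command -v idstools-u2json > /dev/null 2>&1` is the portable form.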
diff --git a/tests/http-xff-unified2/xff-extradata.pcap b/tests/http-xff-unified2/xff-extradata.pcap
new file mode 100644 (file)
index 0000000..fcea739
Binary files /dev/null and b/tests/http-xff-unified2/xff-extradata.pcap differ