]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3a69316)
test/ipv4: Test case for IPv4 unknown proto
authorJeff Lucovsky <jlucovsky@oisf.net>
Mon, 8 Dec 2025 13:52:46 +0000 (08:52 -0500)
committerVictor Julien <vjulien@oisf.net>
Thu, 22 Jan 2026 09:13:27 +0000 (09:13 +0000)
Test case to ensure IPv4 unknown proto event fires.

Issue: 7146

tests/bug-7146/README.md [new file with mode: 0644] patch | blob
tests/bug-7146/create_pcap.py [new file with mode: 0644] patch | blob
tests/bug-7146/input.pcap [new file with mode: 0644] patch | blob
tests/bug-7146/test.rules [new file with mode: 0644] patch | blob
tests/bug-7146/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/bug-7146/README.md b/tests/bug-7146/README.md
new file mode 100644 (file)
index 0000000..76bf09b
--- /dev/null
+++ b/tests/bug-7146/README.md
@@ -0,0 +1,11 @@
+Test case for handling unknown IP protocol in IPv4 header.
+
+PCAP
+----
+
+Created with create_pcap.py
+
+Ticket
+------
+
+https://redmine.openinfosecfoundation.org/issues/7146
diff --git a/tests/bug-7146/create_pcap.py b/tests/bug-7146/create_pcap.py
new file mode 100644 (file)
index 0000000..4bd2701
--- /dev/null
+++ b/tests/bug-7146/create_pcap.py
@@ -0,0 +1,16 @@
+from scapy.all import Ether, IP, Raw, wrpcap
+
+# 253 and 254 are "experimental / unused" protocol numbers
+UNKNOWN_PROTO = 253
+
+# Build Ethernet + IPv4 header with unknown protocol
+pkt = (
+    Ether(src="00:11:22:33:44:55", dst="66:77:88:99:aa:bb") /
+    IP(src="192.168.1.10", dst="192.168.1.20", proto=UNKNOWN_PROTO) /
+    Raw(b"hello-unknown-proto")
+)
+
+# Write to pcap file
+wrpcap("input.pcap", pkt)
+
+print("Wrote input.pcap")
diff --git a/tests/bug-7146/input.pcap b/tests/bug-7146/input.pcap
new file mode 100644 (file)
index 0000000..aae0b20
Binary files /dev/null and b/tests/bug-7146/input.pcap differ
diff --git a/tests/bug-7146/test.rules b/tests/bug-7146/test.rules
new file mode 100644 (file)
index 0000000..1267108
--- /dev/null
+++ b/tests/bug-7146/test.rules
@@ -0,0 +1 @@
+alert ipv4 any any -> any any (msg:"SURICATA IPv4 invalid protocol"; decode-event:ipv4.unknown_protocol; classtype:protocol-command-decode; sid:1;)
diff --git a/tests/bug-7146/test.yaml b/tests/bug-7146/test.yaml
new file mode 100644 (file)
index 0000000..8c377c2
--- /dev/null
+++ b/tests/bug-7146/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 9
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        proto: "253"
+        ip_v: 4
+
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.pkts: 1
+        stats.decoder.ipv4: 1
+        stats.decoder.event.ipv4.unknown_protocol: 1
Mirror of https://github.com/OISF/suricata-verify.git