tests: showcase bug 7286 (tls) 2097/head
authorJuliana Fajardini <jufajardini@gmail.com>
Fri, 27 Sep 2024 14:14:46 +0000 (11:14 -0300)
committerVictor Julien <victor@inliniac.net>
Wed, 16 Oct 2024 09:22:58 +0000 (11:22 +0200)
Related to
Bug https://redmine.openinfosecfoundation.org/issues/7286

tests/tls/bug-7286-tls-metadata-01/README.md [new file with mode: 0644]
tests/tls/bug-7286-tls-metadata-01/suricata.yaml [new file with mode: 0644]
tests/tls/bug-7286-tls-metadata-01/test.yaml [new file with mode: 0644]
tests/tls/bug-7286-tls-metadata-02/README.md [new file with mode: 0644]
tests/tls/bug-7286-tls-metadata-02/suricata.yaml [new file with mode: 0644]
tests/tls/bug-7286-tls-metadata-02/test.yaml [new file with mode: 0644]

diff --git a/tests/tls/bug-7286-tls-metadata-01/README.md b/tests/tls/bug-7286-tls-metadata-01/README.md
new file mode 100644 (file)
index 0000000..ed4ae39
--- /dev/null
@@ -0,0 +1,11 @@
+### Test
+
+Showcase how TLS metadata is logged when JA4 is disabled.
+
+### Pcap
+
+Reused from test ja4-tls.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7286
diff --git a/tests/tls/bug-7286-tls-metadata-01/suricata.yaml b/tests/tls/bug-7286-tls-metadata-01/suricata.yaml
new file mode 100644 (file)
index 0000000..5bc22c9
--- /dev/null
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - tls:
+            extended: yes     # enable this for extended logging information
+            custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, ja3, ja3s, ja4]
+            ja4: off
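Review bot: Nothing in this config says that `custom` deliberately lists `ja4` while `ja4: off` is set on the next line, which appears to be the combination the test exists for. With `extended: yes`, a `custom` list and a contradicting `ja4` switch side by side, a reader cannot tell which setting is expected to win. I would add a comment above `custom:` such as `# ja4 is requested here but switched off below on purpose (bug 7286)`, and drop the `#regular|syslog|...` remark carried over from the stock config. The same applies to tests/tls/bug-7286-tls-metadata-02/suricata.yaml, with the comment adjusted for `ja4: on`.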
diff --git a/tests/tls/bug-7286-tls-metadata-01/test.yaml b/tests/tls/bug-7286-tls-metadata-01/test.yaml
new file mode 100644 (file)
index 0000000..6a6e662
--- /dev/null
@@ -0,0 +1,14 @@
+pcap: ../../ja4-tls/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+        tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+        tls.serial: 00:97:E6:47:09:8E:EA:C9:B4
+        tls.fingerprint: 3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b
+        tls.version: TLS 1.2
+        tls.notbefore: '2015-02-12T18:07:27'
+        tls.notafter: '2025-02-09T18:07:27'
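Review bot: The `match` block never looks at `tls.ja4`, and the checks in tests/tls/bug-7286-tls-metadata-02/test.yaml are identical to these, so the pair cannot tell a JA4-disabled run from a JA4-enabled one. The other fields requested in `custom` (`sni`, `ja3`, `ja3s`, `session_resumed`) are not checked either, so a regression that drops fingerprint fields from the EVE record would still pass. If the intended behaviour is that the field follows the `ja4` switch, add `not-has-key: tls.ja4` to this filter and `has-key: tls.ja4` to the one in -02. There is also no `requires:` block in either file; confirm whether the tests need a `min-version` or feature gate for builds without JA4 support.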
diff --git a/tests/tls/bug-7286-tls-metadata-02/README.md b/tests/tls/bug-7286-tls-metadata-02/README.md
new file mode 100644 (file)
index 0000000..3bed5d6
--- /dev/null
@@ -0,0 +1,11 @@
+### Test
+
+Showcase how TLS metadata is logged when JA4 is enabled.
+
+### Pcap
+
+Reused from test ja4-tls.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7286
diff --git a/tests/tls/bug-7286-tls-metadata-02/suricata.yaml b/tests/tls/bug-7286-tls-metadata-02/suricata.yaml
new file mode 100644 (file)
index 0000000..76194e8
--- /dev/null
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - tls:
+            extended: yes     # enable this for extended logging information
+            custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, ja3, ja3s, ja4]
+            ja4: on
diff --git a/tests/tls/bug-7286-tls-metadata-02/test.yaml b/tests/tls/bug-7286-tls-metadata-02/test.yaml
new file mode 100644 (file)
index 0000000..666dd39
--- /dev/null
@@ -0,0 +1,15 @@
+pcap: ../../ja4-tls/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+        tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+        tls.serial: 00:97:E6:47:09:8E:EA:C9:B4
+        tls.fingerprint: 3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b
+        tls.version: TLS 1.2
+        tls.notbefore: '2015-02-12T18:07:27'
+        tls.notafter: '2025-02-09T18:07:27'
+