test/linktype: Expand linktype_name coverage

Issue: 4974

This commit extends the linktype_name validation across the existing
tests so that more linktype name values are checked:
    - C_HDLC
    - PPP
    - IPV4
    - IPV6
    - RAW
    - EN10B
    - LINUX_SLL

Some existing tests required suricata.yaml configuration to enable the
packet values to be in the alerts.

diff --git a/tests/decode-chdlc-02/README.md b/tests/decode-chdlc-02/README.md
new file mode 100644 (file)
index 0000000..3f08bf4
--- /dev/null
+++ b/tests/decode-chdlc-02/README.md
@@ -0,0 +1,3 @@
+Ensure Cisco HDLC packets are decoded and the linktype name is correct
+
+

diff --git a/tests/decode-chdlc-02/suricata.yaml b/tests/decode-chdlc-02/suricata.yaml
new file mode 100644 (file)
index 0000000..5ccb71d
--- /dev/null
+++ b/tests/decode-chdlc-02/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
+        - http:
+            extended: true
+        - files:
+            force-magic: no
+        - flow
+        - stats
+app-layer:
+  protocols:
+    http:
+      enabled: yes
+      libhtp:
+         default-config:
+           response-body-limit: 100kb

diff --git a/tests/decode-chdlc-02/test.rules b/tests/decode-chdlc-02/test.rules
new file mode 100644 (file)
index 0000000..90536fb
--- /dev/null
+++ b/tests/decode-chdlc-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.method; content:"GET"; sid:666;)

diff --git a/tests/decode-chdlc-02/test.yaml b/tests/decode-chdlc-02/test.yaml
new file mode 100644 (file)
index 0000000..dc6971b
--- /dev/null
+++ b/tests/decode-chdlc-02/test.yaml
@@ -0,0 +1,38 @@
+requires:
+
+  min-version: 8
+
+pcap: ../decode-chdlc-01/hdlc-http_1tx.pcap
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.hostname: "view.atdmt.com"
+        http.status: 200
+        http.length: 8079
+
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.state: CLOSED
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 666
+        packet_info.linktype_name: C_HDLC
+
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+
+  - stats:
+      decoder.ipv4: 17
+      decoder.chdlc: 17

diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
index 91d4f4e2980a27de9b1f459ca8f6dfb404481e6c..429f8db2764e36371ed30bc56016a188f1e4965c 100644 (file)
--- a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
@@ -9,3 +9,13 @@ checks:
       alert.signature_id: 1
       packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrQAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="
       packet_info.linktype: 229
+
+- filter:
+    count: 1
+    min-version: 8
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrQAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="
+      packet_info.linktype: 229
+      packet_info.linktype_name: IPv6

diff --git a/tests/detect-ipopts-02/README b/tests/detect-ipopts-02/README
new file mode 100644 (file)
index 0000000..9a608fb
--- /dev/null
+++ b/tests/detect-ipopts-02/README
@@ -0,0 +1,13 @@
+Test the IP options and verify the linktype name value.
+
+There's already a test for the extended security option; the following IP options are tested:
+- Record Route "rr"
+- Loose source route "lsrr"
+- EOL "eol"
+- NOP "nop"
+- Timestamp "ts"
+- Security "sec"
+- Strict source route "ssrr"
+- Stream id "satid"
+
+The pcap was generated using detect-ipopts/ipopt.py

diff --git a/tests/detect-ipopts-02/suricata.yaml b/tests/detect-ipopts-02/suricata.yaml
new file mode 100644 (file)
index 0000000..159d885
--- /dev/null
+++ b/tests/detect-ipopts-02/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)

diff --git a/tests/detect-ipopts-02/test.rules b/tests/detect-ipopts-02/test.rules
new file mode 100644 (file)
index 0000000..9d2215a
--- /dev/null
+++ b/tests/detect-ipopts-02/test.rules
@@ -0,0 +1,10 @@
+alert ip any any -> any any (msg:"RR option set"; ipopts:rr; sid: 1;)
+alert ip any any -> any any (msg:"LSRR option set"; ipopts:lsrr; sid: 2;)
+alert ip any any -> any any (msg:"EOL option set"; ipopts:eol; sid: 3;)
+alert ip any any -> any any (msg:"NOP option set"; ipopts:nop; sid: 4;)
+alert ip any any -> any any (msg:"TS option set"; ipopts:ts; sid: 5;)
+alert ip any any -> any any (msg:"SEC option set"; ipopts:sec; sid: 6;)
+alert ip any any -> any any (msg:"SSRR option set"; ipopts:ssrr; sid: 7;)
+alert ip any any -> any any (msg:"SID option set"; ipopts:satid; sid: 8;)
+# covered in ipopts-sec
+#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)

diff --git a/tests/detect-ipopts-02/test.yaml b/tests/detect-ipopts-02/test.yaml
new file mode 100644 (file)
index 0000000..91e50d3
--- /dev/null
+++ b/tests/detect-ipopts-02/test.yaml
@@ -0,0 +1,64 @@
+requires:
+  min-version: 8
+
+args:
+  - --set stream.midstream=true -k none
+
+pcap: ../detect-ipopts/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 1
+        alert.signature_id: 1
+        packet_info.linktype_name: IPv4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 2
+        alert.signature_id: 2
+        packet_info.linktype_name: IPv4
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 3
+        packet_info.linktype_name: IPv4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 4
+        alert.signature_id: 4
+        packet_info.linktype_name: IPv4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 5
+        alert.signature_id: 5
+        packet_info.linktype_name: IPv4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 6
+        alert.signature_id: 6
+        packet_info.linktype_name: IPv4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 7
+        alert.signature_id: 7
+        packet_info.linktype_name: IPv4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        alert.signature_id: 8
+        packet_info.linktype_name: IPv4

diff --git a/tests/dnp3/dnp3-dnp3_obj-alert/test.yaml b/tests/dnp3/dnp3-dnp3_obj-alert/test.yaml
index d24b6374e87fa7d92fa12e975c4da2a0d89ee628..c5d69f0609c33bb68cc392e3c9fadbfb10b9674d 100644 (file)
--- a/tests/dnp3/dnp3-dnp3_obj-alert/test.yaml
+++ b/tests/dnp3/dnp3-dnp3_obj-alert/test.yaml
@@ -11,3 +11,11 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 2
+
+  - filter:
+      count: 4
+      min-version: 8
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        packet_info.linktype_name: EN10MB

diff --git a/tests/tcp-fastopen-12/suricata.yaml b/tests/tcp-fastopen-12/suricata.yaml
new file mode 100644 (file)
index 0000000..100bcbe
--- /dev/null
+++ b/tests/tcp-fastopen-12/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
+        - flow

diff --git a/tests/tcp-fastopen-12/test.rules b/tests/tcp-fastopen-12/test.rules
new file mode 100644 (file)
index 0000000..28347d0
--- /dev/null
+++ b/tests/tcp-fastopen-12/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (content:"Hello!"; sid:1;)

diff --git a/tests/tcp-fastopen-12/test.yaml b/tests/tcp-fastopen-12/test.yaml
new file mode 100644 (file)
index 0000000..693753c
--- /dev/null
+++ b/tests/tcp-fastopen-12/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../tcp-fastopen-05/tfo.pcap
+
+requires:
+  min-version: 8
+
+args:
+    - -k none
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        packet_info.linktype_name: LINUX_SLL
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP

diff --git a/tests/vxlan-decoder-04/README.md b/tests/vxlan-decoder-04/README.md
new file mode 100644 (file)
index 0000000..342ca79
--- /dev/null
+++ b/tests/vxlan-decoder-04/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test basic VXLAN decoding
+
+# PCAP
+
+https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/vxlan.pcap

diff --git a/tests/vxlan-decoder-04/suricata.yaml b/tests/vxlan-decoder-04/suricata.yaml
new file mode 100644 (file)
index 0000000..100bcbe
--- /dev/null
+++ b/tests/vxlan-decoder-04/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
+        - flow

diff --git a/tests/vxlan-decoder-04/test.rules b/tests/vxlan-decoder-04/test.rules
new file mode 100644 (file)
index 0000000..c0f94ab
--- /dev/null
+++ b/tests/vxlan-decoder-04/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> any any (itype:8; sid:1;)

diff --git a/tests/vxlan-decoder-04/test.yaml b/tests/vxlan-decoder-04/test.yaml
new file mode 100644 (file)
index 0000000..9bcce7b
--- /dev/null
+++ b/tests/vxlan-decoder-04/test.yaml
@@ -0,0 +1,27 @@
+requires:
+  min-version: 8
+
+args:
+  - --set decoder.vxlan.enabled=true
+
+pcap: ../vxlan-decoder-02/vxlan.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: "ICMP"
+        flow.pkts_toserver: 4
+        flow.pkts_toclient: 4
+  - filter:
+      count: 4
+      match:
+        event_type: flow
+        dest_port: 4789
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        tunnel.dest_port: 4789
+        packet_info.linktype_name: RAW