tests: basic geoip test

The tests are done by using a local database generated via the
geoip.pl Perl script. The obtained maxmindb test.mmdb and it only
contains 2 entries.

diff --git a/tests/geoip/geoip.pl b/tests/geoip/geoip.pl
new file mode 100644 (file)
index 0000000..39fe33a
--- /dev/null
+++ b/tests/geoip/geoip.pl
@@ -0,0 +1,60 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+use feature qw( say );
+
+use MaxMind::DB::Writer::Tree;
+
+my $filename = 'test.mmdb';
+
+# Your top level data structure will always be a map (hash).  The MMDB format
+# is strongly typed.  Describe your data types here.
+# See https://metacpan.org/pod/MaxMind::DB::Writer::Tree#DATA-TYPES
+
+my %types = (
+    country    => 'map',
+    iso_code   => 'utf8_string',
+    name       => 'utf8_string',
+);
+
+my $tree = MaxMind::DB::Writer::Tree->new(
+
+    # "database_type" is some arbitrary string describing the database.  At
+    # MaxMind we use strings like 'GeoIP2-City', 'GeoIP2-Country', etc.
+    database_type => 'GeoIP2-Country',
+
+    # "description" is a hashref where the keys are language names and the
+    # values are descriptions of the database in that language.
+    description =>
+        { en => 'Test IP data', },
+
+    # "ip_version" can be either 4 or 6
+    ip_version => 4,
+
+    # add a callback to validate data going in to the database
+    map_key_type_callback => sub { $types{ $_[0] } },
+
+    # "record_size" is the record size in bits.  Either 24, 28 or 32.
+    record_size => 24,
+);
+
+my %ips_list = (
+    '123.125.71.29/32' => {
+        country => { name => 'France', iso_code => 'FR' }
+    },
+    '82.165.177.154/32' => {
+        country => { name => 'Germany', iso_code => 'DE' }
+    },
+);
+
+for my $network ( keys %ips_list ) {
+    $tree->insert_network( $network, $ips_list{$network} );
+}
+
+# Write the database to disk.
+open my $fh, '>:raw', $filename;
+$tree->write_tree( $fh );
+close $fh;
+
+say "$filename has now been created";

diff --git a/tests/geoip/input.pcap b/tests/geoip/input.pcap
new file mode 120000 (symlink)
index 0000000..39fbe32
--- /dev/null
+++ b/tests/geoip/input.pcap
@@ -0,0 +1 @@
+../alert-testmyids/input.pcap
\ No newline at end of file

diff --git a/tests/geoip/suricata.yaml b/tests/geoip/suricata.yaml
new file mode 100644 (file)
index 0000000..bb69001
--- /dev/null
+++ b/tests/geoip/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+geoip-database: ./test.mmdb
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+

diff --git a/tests/geoip/test.mmdb b/tests/geoip/test.mmdb
new file mode 100644 (file)
index 0000000..02ad869
Binary files /dev/null and b/tests/geoip/test.mmdb differ

diff --git a/tests/geoip/test.rules b/tests/geoip/test.rules
new file mode 100644 (file)
index 0000000..213a091
--- /dev/null
+++ b/tests/geoip/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"French IP"; flow:established,to_server; geoip:dst,FR; sid:1; rev:1; flowbits:isnotset,french; flowbits:set,french;)
+alert tcp any any -> any any (msg:"German IP"; flow:established,to_server; geoip: dst,DE; sid:2; rev:1; flowbits:isnotset,german; flowbits:set,german;)

diff --git a/tests/geoip/test.yaml b/tests/geoip/test.yaml
new file mode 100644 (file)
index 0000000..08bc83c
--- /dev/null
+++ b/tests/geoip/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - GeoIP2
+
+checks:
+
+  # Check that we only have one alert event type in eve.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+
+  # Check alert is the good one
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2