arp: add tests

diff --git a/tests/decode-arp-2/README.md b/tests/decode-arp-2/README.md
new file mode 100644 (file)
index 0000000..aec1316
--- /dev/null
+++ b/tests/decode-arp-2/README.md
@@ -0,0 +1 @@
+PCAP from https://www.cloudshark.org/captures/e4d6ea732135/export

diff --git a/tests/decode-arp-2/arp.pcap b/tests/decode-arp-2/arp.pcap
new file mode 100644 (file)
index 0000000..c15ef60
Binary files /dev/null and b/tests/decode-arp-2/arp.pcap differ

diff --git a/tests/decode-arp-2/suricata.yaml b/tests/decode-arp-2/suricata.yaml
new file mode 100644 (file)
index 0000000..183f2e9
--- /dev/null
+++ b/tests/decode-arp-2/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - arp:
+            enabled: yes
+

diff --git a/tests/decode-arp-2/test.yaml b/tests/decode-arp-2/test.yaml
new file mode 100644 (file)
index 0000000..10a2c27
--- /dev/null
+++ b/tests/decode-arp-2/test.yaml
@@ -0,0 +1,35 @@
+requires:
+    min-version: 8
+
+pcap: arp.pcap
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: arp
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        pcap_cnt: 5
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: request
+        arp.src_mac: 00:1d:09:f0:92:ab
+        arp.src_ip: 10.10.10.1
+        arp.dest_mac: 00:00:00:00:00:00
+        arp.dest_ip: 10.10.10.2
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        pcap_cnt: 6
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: reply
+        arp.src_mac: 00:1a:6b:6c:0c:cc
+        arp.src_ip: 10.10.10.2
+        arp.dest_mac: 00:1d:09:f0:92:ab
+        arp.dest_ip: 10.10.10.1
+

diff --git a/tests/decode-arp-3/README.md b/tests/decode-arp-3/README.md
new file mode 100644 (file)
index 0000000..b3e4740
--- /dev/null
+++ b/tests/decode-arp-3/README.md
@@ -0,0 +1,14 @@
+Decode ARP packet over GRE.
+
+PCAP made with the following scapy script:
+
+```
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/GRE()/ARP()
+
+wrpcap('arp-encap.pcap', pkts)
+```

diff --git a/tests/decode-arp-3/arp-encap.pcap b/tests/decode-arp-3/arp-encap.pcap
new file mode 100644 (file)
index 0000000..2ec6dc9
Binary files /dev/null and b/tests/decode-arp-3/arp-encap.pcap differ

diff --git a/tests/decode-arp-3/suricata.yaml b/tests/decode-arp-3/suricata.yaml
new file mode 100644 (file)
index 0000000..183f2e9
--- /dev/null
+++ b/tests/decode-arp-3/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - arp:
+            enabled: yes
+

diff --git a/tests/decode-arp-3/test.yaml b/tests/decode-arp-3/test.yaml
new file mode 100644 (file)
index 0000000..c03b553
--- /dev/null
+++ b/tests/decode-arp-3/test.yaml
@@ -0,0 +1,18 @@
+pcap: arp-encap.pcap
+
+requires:
+    min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: request
+        arp.src_mac: bc:03:58:5a:d5:ca
+        arp.src_ip: 192.168.1.28
+        arp.dest_mac: 00:00:00:00:00:00
+        arp.dest_ip: 0.0.0.0
+