detect: add test for vlan.layers

Ticket: #1065

diff --git a/tests/detect-vlan-layers/README.md b/tests/detect-vlan-layers/README.md
new file mode 100644 (file)
index 0000000..90598af
--- /dev/null
+++ b/tests/detect-vlan-layers/README.md
@@ -0,0 +1,6 @@
+Test for checking the working of vlan.layers keyword.
+The packet is an ICMP packet with 3 VLAN layers.
+
+PCAP created with scapy 2.5.0.
+
+redmine ticket: https://redmine.openinfosecfoundation.org/issues/1065
\ No newline at end of file

diff --git a/tests/detect-vlan-layers/test.rules b/tests/detect-vlan-layers/test.rules
new file mode 100644 (file)
index 0000000..e153291
--- /dev/null
+++ b/tests/detect-vlan-layers/test.rules
@@ -0,0 +1,4 @@
+alert ip any any -> any any (msg:"Packet has 3 VLAN layers"; vlan.layers:3; sid:1;)
+alert ip any any -> any any (msg:"Packet has more than 2 VLAN layers"; vlan.layers:>2; sid:2;)
+alert ip any any -> any any (msg:"The number of layers in the packet is not 1"; vlan.layers:!1; sid:3;)
+alert ip any any -> any any (msg:"Packet has 0 VLAN layers"; vlan.layers:0; sid:4;)
\ No newline at end of file

diff --git a/tests/detect-vlan-layers/test.yaml b/tests/detect-vlan-layers/test.yaml
new file mode 100644 (file)
index 0000000..a019cde
--- /dev/null
+++ b/tests/detect-vlan-layers/test.yaml
@@ -0,0 +1,33 @@
+requires:
+ min-version: 8
+
+pcap: ../detect-vlan-id/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     pcap_cnt: 1
+     alert.signature_id: 1
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     pcap_cnt: 1
+     alert.signature_id: 2
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     pcap_cnt: 1
+     alert.signature_id: 3
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     pcap_cnt: 2
+     alert.signature_id: 4
\ No newline at end of file