From: Emmanuel Thompson
Date: Wed, 6 May 2020 14:05:23 +0000 (-0400)
Subject: tests/esp: Add test for logging ESP flow/netflow
X-Git-Tag: suricata-6.0.4~172
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05532a55b66140c54d1d8424d41e27f34739388d;p=thirdparty%2Fsuricata-verify.git

tests/esp: Add test for logging ESP flow/netflow
---
diff --git a/tests/eve-flow-esp/input.pcap b/tests/eve-flow-esp/input.pcap
new file mode 100644
index 000000000..c3208061f
Binary files /dev/null and b/tests/eve-flow-esp/input.pcap differ
diff --git a/tests/eve-flow-esp/suricata.yaml b/tests/eve-flow-esp/suricata.yaml
new file mode 100644
index 000000000..969d222be
--- /dev/null
+++ b/tests/eve-flow-esp/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - flow
+ - netflow
diff --git a/tests/eve-flow-esp/test.yaml b/tests/eve-flow-esp/test.yaml
new file mode 100644
index 000000000..253546b23
--- /dev/null
+++ b/tests/eve-flow-esp/test.yaml
@@ -0,0 +1,74 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ spi: 123
+ src_ip: 190.0.0.1
+ dest_ip: 190.0.0.2
+ flow.pkts_toserver: 2
+ flow.pkts_toclient: 0
+ - filter:
+ count: 1
+ match:
+ event_type: netflow
+ spi: 123
+ src_ip: 190.0.0.1
+ dest_ip: 190.0.0.2
+ netflow.pkts: 2
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ spi: 321
+ src_ip: 190.0.0.1
+ dest_ip: 190.0.0.2
+ flow.pkts_toserver: 2
+ flow.pkts_toclient: 0
+ - filter:
+ count: 1
+ match:
+ event_type: netflow
+ spi: 321
+ src_ip: 190.0.0.1
+ dest_ip: 190.0.0.2
+ netflow.pkts: 2
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ spi: 123
+ src_ip: 190.0.0.1
+ dest_ip: 190.0.0.3
+ flow.pkts_toserver: 2
+ flow.pkts_toclient: 0
+ - filter:
+ count: 1
+ match:
+ event_type: netflow
+ spi: 123
+ src_ip: 190.0.0.1
+ dest_ip: 190.0.0.3
+ netflow.pkts: 2
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ spi: 123
+ src_ip: 0000:0000:0000:0000:0000:0000:0000:0001
+ dest_ip: 0000:0000:0000:0000:0000:0000:0000:0002
+ flow.pkts_toserver: 2
+ flow.pkts_toclient: 0
+ - filter:
+ count: 1
+ match:
+ event_type: netflow
+ spi: 123
+ src_ip: 0000:0000:0000:0000:0000:0000:0000:0001
+ dest_ip: 0000:0000:0000:0000:0000:0000:0000:0002
+ netflow.pkts: 2
diff --git a/tests/eve-flow-esp/writepcap.py b/tests/eve-flow-esp/writepcap.py
new file mode 100755
index 000000000..1173d4c8a
--- /dev/null
+++ b/tests/eve-flow-esp/writepcap.py
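Review bot: None of the eight `match` blocks constrains the protocol of the logged record, so a regression that still keys ESP flows by SPI but logs them under a different `proto` value, or that emits additional flow records for the same packets, would pass these checks unchanged; only `spi`, the addresses and the packet counts are pinned. Adding `proto: ESP` to every `match` (assuming that is the name EVE gives protocol 50, which is worth confirming against a real eve.json) plus two closing filters, `event_type: flow` with `count: 4` and `event_type: netflow` with `count: 4`, would make the test reject both failure modes. The per-flow `flow.pkts_toclient: 0` assertions already cover direction handling for the one-way traffic in the pcap.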
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+from scapy.all import *
+import struct
+
+pkts = []
+
+# First flow
+pkts += Ether()/ \
+ IP(src='190.0.0.1', dst='190.0.0.2')/ \
+ ESP(spi=123, seq=1)
+pkts += Ether()/ \
+ IP(src='190.0.0.1', dst='190.0.0.2')/ \
+ ESP(spi=123, seq=2)
+
+# Second flow
+# Same src/dst, diffrent SPI
+pkts += Ether()/ \
+ IP(src='190.0.0.1', dst='190.0.0.2')/ \
+ ESP(spi=321, seq=1)
+pkts += Ether()/ \
+ IP(src='190.0.0.1', dst='190.0.0.2')/ \
+ ESP(spi=321, seq=2)
+
+# Third flow
+# Same SPI, different dst
+pkts += Ether()/ \
+ IP(src='190.0.0.1', dst='190.0.0.3')/ \
+ ESP(spi=123, seq=1)
+pkts += Ether()/ \
+ IP(src='190.0.0.1', dst='190.0.0.3')/ \
+ ESP(spi=123, seq=2)
+
+# Fourth flow
+# IPv6
+pkts += Ether()/ \
+ IPv6(src='::1', dst='::2')/ \
+ ESP(spi=123, seq=1)
+pkts += Ether()/ \
+ IPv6(src='::1', dst='::2')/ \
+ ESP(spi=123, seq=2)
+
+wrpcap('input.pcap', pkts)
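Review bot: `import struct` on the third line is never used, and the wildcard `from scapy.all import *` above it brings hundreds of names into the module for the five that are needed; replace both with `from scapy.all import ESP, Ether, IP, IPv6, wrpcap`. Each `pkts += Ether()/ ...` only works because a scapy packet happens to be iterable (list `+=` extends with `iter(pkt)`), so `pkts.append(Ether()/ ...)` says what is meant and does not depend on that quirk. The `#!/usr/bin/env python` shebang resolves to Python 2 on many systems of this vintage; `#!/usr/bin/env python3` pins the interpreter the script was presumably written against. The comment under "Second flow" has a typo: `# Same src/dst, different SPI`. Note also that scapy stamps packets with the wall-clock time at creation, so input.pcap is presumably not byte-reproducible from this script, which is fine for checks that only count packets per flow.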