From: Victor Julien Date: Mon, 20 May 2024 20:28:14 +0000 (+0200) Subject: tests: lz4 pcap write tests X-Git-Tag: suricata-6.0.20~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c3d560b89e6ec198d2f44a2a2eb17dac4c7066b;p=thirdparty%2Fsuricata-verify.git tests: lz4 pcap write tests
---
diff --git a/tests/pcap-log-lz4-01/README.md b/tests/pcap-log-lz4-01/README.md
new file mode 100644
index 000000000..ca400720e
--- /dev/null
+++ b/tests/pcap-log-lz4-01/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 2 lz4 compress pcap files.
diff --git a/tests/pcap-log-lz4-01/suricata.yaml b/tests/pcap-log-lz4-01/suricata.yaml
new file mode 100644
index 000000000..a6c1e1323
--- /dev/null
+++ b/tests/pcap-log-lz4-01/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap
+ compression: lz4
+ mode: normal
+ limit: 4mb
+ ts-format: usec
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
diff --git a/tests/pcap-log-lz4-01/test.yaml b/tests/pcap-log-lz4-01/test.yaml
new file mode 100644
index 000000000..8d722f1aa
--- /dev/null
+++ b/tests/pcap-log-lz4-01/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - liblz4
+ min-version: 8
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - shell:
+ args: ls -l log.pcap.15233891*.lz4 | wc -l | xargs
+ expect: 2
diff --git a/tests/pcap-log-lz4-02-multi/README.md b/tests/pcap-log-lz4-02-multi/README.md
new file mode 100644
index 000000000..f21dfe8e0
--- /dev/null
+++ b/tests/pcap-log-lz4-02-multi/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 2 lz4 compress pcap files in multi mode.
diff --git a/tests/pcap-log-lz4-02-multi/suricata.yaml b/tests/pcap-log-lz4-02-multi/suricata.yaml
new file mode 100644
index 000000000..79dd2e859
--- /dev/null
+++ b/tests/pcap-log-lz4-02-multi/suricata.yaml
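Review bot: The comment above `logging:` in tests/pcap-log-lz4-01/suricata.yaml says the JSON engine log is enabled "so we can verify it", but the test.yaml added next to it has no check that reads `eve.json`, and the comment has a typo ("enging"). Either drop the `file` output or reword the comment to match what the test does, e.g. `# Engine log as JSON; not asserted on by this test.` The same block is copied into the 02-multi, 03-multi-ring, 04-multi-ring-profile and 05-tunnel configs. Naming the engine log `eve.json` may also mislead readers who expect EVE event output under that name.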
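Review bot: The only check in tests/pcap-log-lz4-01/test.yaml counts files matching `log.pcap.15233891*.lz4`, so a run that leaves empty, truncated or otherwise unreadable LZ4 frames would still pass. These files are the packet record an analyst later decompresses, so it is worth adding a second shell check that runs `lz4 -t` over each output file and expects success, assuming the lz4 command-line tool is available on the test hosts. The same count-only pattern is used in the 02-multi, 03-multi-ring, 04-multi-ring-profile and 05-tunnel test.yaml files. In 03 and 04 the config turns on `lz4-checksum: yes`, yet nothing in the test verifies that checksum.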
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap.%n-%t
+ compression: lz4
+ mode: multi
+ limit: 4mb
+ ts-format: usec
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
diff --git a/tests/pcap-log-lz4-02-multi/test.yaml b/tests/pcap-log-lz4-02-multi/test.yaml
new file mode 100644
index 000000000..6f2502247
--- /dev/null
+++ b/tests/pcap-log-lz4-02-multi/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - liblz4
+ min-version: 8
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - shell:
+ args: ls -l log.pcap.1-15233891*.lz4 | wc -l | xargs
+ expect: 2
diff --git a/tests/pcap-log-lz4-03-multi-ring/README.md b/tests/pcap-log-lz4-03-multi-ring/README.md
new file mode 100644
index 000000000..4cd4e7b00
--- /dev/null
+++ b/tests/pcap-log-lz4-03-multi-ring/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 1 lz4 compressed pcap files in multi mode, as ring setting (max-files) is 1.
diff --git a/tests/pcap-log-lz4-03-multi-ring/suricata.yaml b/tests/pcap-log-lz4-03-multi-ring/suricata.yaml
new file mode 100644
index 000000000..ac5b1b719
--- /dev/null
+++ b/tests/pcap-log-lz4-03-multi-ring/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap.%n-%t
+ compression: lz4
+ mode: multi
+ limit: 4mb
+ ts-format: usec
+ max-files: 1
+ lz4-checksum: yes
+ lz4-level: 16
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
diff --git a/tests/pcap-log-lz4-03-multi-ring/test.yaml b/tests/pcap-log-lz4-03-multi-ring/test.yaml
new file mode 100644
index 000000000..9944a3a6e
--- /dev/null
+++ b/tests/pcap-log-lz4-03-multi-ring/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - liblz4
+ min-version: 8
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - shell:
+ args: ls -l log.pcap.1-15233891*.lz4 | wc -l | xargs
+ expect: 1
diff --git a/tests/pcap-log-lz4-04-multi-ring-profile/README.md b/tests/pcap-log-lz4-04-multi-ring-profile/README.md
new file mode 100644
index 000000000..ff24676e6
--- /dev/null
+++ b/tests/pcap-log-lz4-04-multi-ring-profile/README.md
@@ -0,0 +1,3 @@
+Test that Suricata will write 1 lz4 compressed pcap files in multi mode, as ring setting (max-files) is 1.
+
+Enable pcap logging profiling.
diff --git a/tests/pcap-log-lz4-04-multi-ring-profile/suricata.yaml b/tests/pcap-log-lz4-04-multi-ring-profile/suricata.yaml
new file mode 100644
index 000000000..82fbdf2af
--- /dev/null
+++ b/tests/pcap-log-lz4-04-multi-ring-profile/suricata.yaml
@@ -0,0 +1,30 @@
+%YAML 1.1
+---
+
+outputs:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap.%n-%t
+ compression: lz4
+ mode: multi
+ limit: 4mb
+ ts-format: usec
+ max-files: 1
+ lz4-checksum: yes
+ lz4-level: 16
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
+
+profiling:
+ pcap-log:
+ enabled: yes
+ filename: pcap-stats.log
diff --git a/tests/pcap-log-lz4-04-multi-ring-profile/test.yaml b/tests/pcap-log-lz4-04-multi-ring-profile/test.yaml
new file mode 100644
index 000000000..007ee98bb
--- /dev/null
+++ b/tests/pcap-log-lz4-04-multi-ring-profile/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - liblz4
+ min-version: 8
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - shell:
+ args: ls -l log.pcap.1-15233891*.lz4 | wc -l | xargs
+ expect: 1
+ - shell:
+ args: cat pcap-stats.log | grep -E 'open[[:space:]]+2' | wc -l | xargs
+ expect: 1
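Review bot: In tests/pcap-log-lz4-04-multi-ring-profile/test.yaml the profiling check uses the unanchored pattern `open[[:space:]]+2`, which also matches a count that merely begins with 2 (20, 213, ...) and a line where "open" is the tail of a longer word. Bounding both sides makes the assertion mean exactly two opens: `args: grep -cE '(^|[[:space:]])open[[:space:]]+2([[:space:]]|$)' pcap-stats.log` with `expect: 1`. The layout of pcap-stats.log is not visible in this commit, so the boundaries may need adjusting to its columns. Using `grep -c` on the file also replaces the `cat ... | wc -l | xargs` chain.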
diff --git a/tests/pcap-log-lz4-05-tunnel/README.md b/tests/pcap-log-lz4-05-tunnel/README.md
new file mode 100644
index 000000000..deaeb23ee
--- /dev/null
+++ b/tests/pcap-log-lz4-05-tunnel/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 1 compress pcap file for tunnel packets.
diff --git a/tests/pcap-log-lz4-05-tunnel/suricata.yaml b/tests/pcap-log-lz4-05-tunnel/suricata.yaml
new file mode 100644
index 000000000..a6c1e1323
--- /dev/null
+++ b/tests/pcap-log-lz4-05-tunnel/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap
+ compression: lz4
+ mode: normal
+ limit: 4mb
+ ts-format: usec
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
diff --git a/tests/pcap-log-lz4-05-tunnel/test.yaml b/tests/pcap-log-lz4-05-tunnel/test.yaml
new file mode 100644
index 000000000..e8ff00a60
--- /dev/null
+++ b/tests/pcap-log-lz4-05-tunnel/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - liblz4
+ min-version: 8
+
+pcap: ../vxlan-decoder-01/input.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - shell:
+ args: ls -l log.pcap.1525778007.671337.lz4 | wc -l | xargs
+ expect: 1
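Review bot: The check in tests/pcap-log-lz4-05-tunnel/test.yaml lists one exact name, `log.pcap.1525778007.671337.lz4`, so it proves that file exists but not that it is the only one, while the README says the test is about writing 1 file for tunnel packets. If a regression ever produced an additional file for the encapsulated traffic, this check would still pass. Globbing as the other tests in this commit do, `args: ls -l log.pcap.*.lz4 | wc -l | xargs` with `expect: 1`, would catch that case.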