From: Sascha Steinbiss
Date: Tue, 10 Mar 2020 20:10:48 +0000 (+0100)
Subject: add cases for MAC addresses in EVE-JSON
X-Git-Tag: suricata-6.0.4~269
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1de3198934b7a5c8418e998857fadabb20734e30;p=thirdparty%2Fsuricata-verify.git
add cases for MAC addresses in EVE-JSON
---
diff --git a/tests/mac-eve-multiple-disabled/multi_mac.pcap b/tests/mac-eve-multiple-disabled/multi_mac.pcap
new file mode 100644
index 000000000..d47e7b670
Binary files /dev/null and b/tests/mac-eve-multiple-disabled/multi_mac.pcap differ
diff --git a/tests/mac-eve-multiple-disabled/suricata.yaml b/tests/mac-eve-multiple-disabled/suricata.yaml
new file mode 100644
index 000000000..a3a5c7199
--- /dev/null
+++ b/tests/mac-eve-multiple-disabled/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ ethernet: no
+ types:
+ - flow
diff --git a/tests/mac-eve-multiple-disabled/test.yaml b/tests/mac-eve-multiple-disabled/test.yaml
new file mode 100644
index 000000000..983adb64a
--- /dev/null
+++ b/tests/mac-eve-multiple-disabled/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 6.0.0
+ files:
+ - src/util-macset.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ not-has-key: ether
diff --git a/tests/mac-eve-multiple/multi_mac.pcap b/tests/mac-eve-multiple/multi_mac.pcap
new file mode 100644
index 000000000..d47e7b670
Binary files /dev/null and b/tests/mac-eve-multiple/multi_mac.pcap differ
diff --git a/tests/mac-eve-multiple/suricata.yaml b/tests/mac-eve-multiple/suricata.yaml
new file mode 100644
index 000000000..cef8a0da4
--- /dev/null
+++ b/tests/mac-eve-multiple/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ ethernet: yes
+ types:
+ - flow
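Review bot: The `ethernet: yes` line in tests/mac-eve-multiple/suricata.yaml is the one option this test exists to exercise, but nothing in the file marks it as such, so a reader skimming the four near-identical configs has to diff them to see what differs. A one-line comment above it, `# option under test: emit ether.src_macs/ether.dest_macs on flow events`, would make the intent explicit, with the matching `ethernet: no` in the -disabled variant annotated as the negative case. This is documentation only; the configs themselves look fine.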
diff --git a/tests/mac-eve-multiple/test.yaml b/tests/mac-eve-multiple/test.yaml
new file mode 100644
index 000000000..1fdcf34c0
--- /dev/null
+++ b/tests/mac-eve-multiple/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ min-version: 6.0.0
+ files:
+ - src/util-macset.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ ether.dest_macs: ["00:00:0c:01:01:14","00:00:0c:01:01:12"]
+ ether.src_macs: ["00:00:0c:01:01:13","00:00:0c:01:01:11"]
diff --git a/tests/mac-eve-single-disabled/suricata.yaml b/tests/mac-eve-single-disabled/suricata.yaml
new file mode 100644
index 000000000..edeaeef7f
--- /dev/null
+++ b/tests/mac-eve-single-disabled/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ ethernet: no
+ types:
+ - dns
+ - flow
diff --git a/tests/mac-eve-single-disabled/test.pcap b/tests/mac-eve-single-disabled/test.pcap
new file mode 100644
index 000000000..a4549a424
Binary files /dev/null and b/tests/mac-eve-single-disabled/test.pcap differ
diff --git a/tests/mac-eve-single-disabled/test.yaml b/tests/mac-eve-single-disabled/test.yaml
new file mode 100644
index 000000000..5b3642b20
--- /dev/null
+++ b/tests/mac-eve-single-disabled/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 6.0.0
+ files:
+ - src/util-macset.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ not-has-key: ether
+
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ not-has-key: ether
diff --git a/tests/mac-eve-single/suricata.yaml b/tests/mac-eve-single/suricata.yaml
new file mode 100644
index 000000000..ebc8d86f0
--- /dev/null
+++ b/tests/mac-eve-single/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ ethernet: yes
+ types:
+ - dns
+ - flow
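Review bot: The `ether.dest_macs` and `ether.src_macs` lines in tests/mac-eve-multiple/test.yaml pin a two-element list, and if the verifier's filter compares lists by plain equality (which is what I would expect, but have not confirmed here) the test also asserts the order in which the MAC set is serialized, something the commit message does not state as a contract. Note that `00:00:0c:01:01:14` precedes `00:00:0c:01:01:12`, so the order is not sorted; presumably it is first-seen order from multi_mac.pcap. If that order is intended behaviour, a comment on those two lines would stop a later change to util-macset.c from looking like a regression: `# list match is exact: addresses appear in first-seen order, not sorted`. If ordering is not meant to be guaranteed, the check should be made order-insensitive instead.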
diff --git a/tests/mac-eve-single/test.pcap b/tests/mac-eve-single/test.pcap
new file mode 100644
index 000000000..a4549a424
Binary files /dev/null and b/tests/mac-eve-single/test.pcap differ
diff --git a/tests/mac-eve-single/test.yaml b/tests/mac-eve-single/test.yaml
new file mode 100644
index 000000000..38f054027
--- /dev/null
+++ b/tests/mac-eve-single/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 6.0.0
+ files:
+ - src/util-macset.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ ether.dest_macs: ["0c:c4:7a:ac:83:d7"]
+ ether.src_macs: ["f8:59:71:a9:05:60"]
+
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ ether.src_mac: f8:59:71:a9:05:60
+ ether.dest_mac: 0c:c4:7a:ac:83:d7
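Review bot: The `event_type: dns` check in tests/mac-eve-single/test.yaml pins `ether.src_mac`/`ether.dest_mac` for a single packet direction only, so it would pass even if the per-event fields were filled from the flow's initiator rather than from the packet that produced the event. If test.pcap also carries the DNS response, add a second dns filter with the two addresses swapped, `ether.src_mac: 0c:c4:7a:ac:83:d7` and `ether.dest_mac: f8:59:71:a9:05:60`, each with `count: 1`, so both directions are asserted. If the pcap holds only the query, a comment saying so, `# test.pcap contains only the DNS query, hence one direction`, would make the single-direction check deliberate rather than accidental. The flow check above it looks right: a single-address list on each side is the expected shape for a one-packet flow.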