From: Jeff Lucovsky
Date: Thu, 17 Sep 2020 13:54:04 +0000 (-0400)
Subject: tests/anomaly: Verify metadata section
X-Git-Tag: suricata-6.0.4~213
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42b9de1e6adce3bf9dedf2e6e2e18f0e58a6df6e;p=thirdparty%2Fsuricata-verify.git
tests/anomaly: Verify metadata section
This commit verifies that the "metadata" element, if any, is in the proper place within anomaly event records.
---
diff --git a/tests/output-eve-anomaly-05/input.pcap b/tests/output-eve-anomaly-05/input.pcap
new file mode 100644
index 000000000..d50be3325
Binary files /dev/null and b/tests/output-eve-anomaly-05/input.pcap differ
diff --git a/tests/output-eve-anomaly-05/suricata.yaml b/tests/output-eve-anomaly-05/suricata.yaml
new file mode 100644
index 000000000..e63fb677a
--- /dev/null
+++ b/tests/output-eve-anomaly-05/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ metadata: yes
+ filetype: regular
+ types:
+ - anomaly:
+ types:
+ stream: yes
+ applayer: no
diff --git a/tests/output-eve-anomaly-05/test.rules b/tests/output-eve-anomaly-05/test.rules
new file mode 100644
index 000000000..6956cf8d2
--- /dev/null
+++ b/tests/output-eve-anomaly-05/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"ET CNC Shadowserver Reported CnC Server Port 80 Group 1"; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:1; rev:1;)
diff --git a/tests/output-eve-anomaly-05/test.yaml b/tests/output-eve-anomaly-05/test.yaml
new file mode 100644
index 000000000..66bb464e2
--- /dev/null
+++ b/tests/output-eve-anomaly-05/test.yaml
@@ -0,0 +1,26 @@
+requires:
+ min-version: 6
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.type: stream
+ anomaly.event: stream.pkt_invalid_timestamp
+ metadata.flowbits[0]: "ET.Evil"
+
+ - filter:
+ count: 0
+ match:
+ event_type: anomaly
+ anomaly.type: decode
+
+ - filter:
+ count: 0
+ match:
+ event_type: anomaly
+ anomaly.type: applayer
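Review bot: The anomaly `types` block in suricata.yaml sets only `stream: yes` and `applayer: no`, yet test.yaml asserts zero `anomaly.type: decode` records, so that assertion rests on whatever the build's default for decode anomalies happens to be rather than on the fixture itself. Adding `decode: no` next to the other two entries makes the configuration self-describing and keeps the decode check meaningful if the default ever changes. I would also put a one-line comment above the `- anomaly:` entry saying that `metadata: yes` at the eve-log level is the setting this test exercises, since that is the element the commit message says it verifies.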
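Review bot: The first filter in test.yaml checks that `metadata.flowbits[0]` equals `"ET.Evil"`, which confirms that the metadata element is present on the stream anomaly record but not, as the commit message claims, that it is "in the proper place" within the record; a keyed path match does not exercise element ordering in the JSON object. If position is what matters, the check needs to inspect the raw record rather than a path match, and if presence is all that is intended the commit message should say so. test.rules sets both `ET.Evil` and `ET.BotccIP`, so also asserting `metadata.flowbits[1]: "ET.BotccIP"` would pin the full metadata content, assuming the output lists flowbits in the order they were set, which is worth confirming before adding it.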