From: Jason Ish Date: Wed, 20 Nov 2019 21:49:18 +0000 (-0600) Subject: test: dhcp request flood test X-Git-Tag: suricata-6.0.4~364 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f5bb129fff28fbc1b8d1faafaef369112041b93;p=thirdparty%2Fsuricata-verify.git test: dhcp request flood test Tests that a DHCP request flood doesn't take an excessive amount of time. Skipped by default. Related ticket #3345: https://redmine.openinfosecfoundation.org/issues/3345
---
diff --git a/tests/dhcp-request-flood/README.md b/tests/dhcp-request-flood/README.md
new file mode 100644
index 000000000..f7f2fda72
--- /dev/null
+++ b/tests/dhcp-request-flood/README.md
@@ -0,0 +1,7 @@
+Test that Suricata can process this DHCP request flood without
+significant slowdown.
+
+DHCP rules are required to trigger this condition.
+
+Related ticket:
+https://redmine.openinfosecfoundation.org/issues/3345
diff --git a/tests/dhcp-request-flood/suricata.yaml b/tests/dhcp-request-flood/suricata.yaml
new file mode 100644
index 000000000..1e74510a2
--- /dev/null
+++ b/tests/dhcp-request-flood/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - dhcp:
+ enabled: yes
+ extended: yes
diff --git a/tests/dhcp-request-flood/test.pcap b/tests/dhcp-request-flood/test.pcap
new file mode 100644
index 000000000..1a99dccd9
Binary files /dev/null and b/tests/dhcp-request-flood/test.pcap differ
diff --git a/tests/dhcp-request-flood/test.rules b/tests/dhcp-request-flood/test.rules
new file mode 100644
index 000000000..c99d9816e
--- /dev/null
+++ b/tests/dhcp-request-flood/test.rules
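Review bot: `extended: yes` on the dhcp eve output makes Suricata serialize every DHCP option for each of the 10000 requests in the flood, while the only check in test.yaml matches `event_type: dhcp`, so none of the extended fields are consumed by the test. Because the test exists to show how long the parser takes on a flood, that extra logging work is presumably noise in whatever timing a maintainer reads off the run; unless the extended fields are wanted for manual inspection, `extended: no` (or dropping the key) keeps the output to what the check needs. If they are wanted, a one-line comment such as `# extended output kept for manual inspection of the flood; not used by checks` would stop a later cleanup from removing it.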
@@ -0,0 +1,7 @@
+# DHCP app-layer event rules. See
+#
+# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+# for SID allocation.
+
+alert dhcp any any -> any any (msg:"SURICATA DHCP malformed options"; app-layer-event:dhcp.malformed_options; classtype:protocol-command-decode; sid:2227000; rev:1;)
+alert dhcp any any -> any any (msg:"SURICATA DHCP truncated options"; app-layer-event:dhcp.truncated_options; classtype:protocol-command-decode; sid:2227001; rev:1;)
diff --git a/tests/dhcp-request-flood/test.yaml b/tests/dhcp-request-flood/test.yaml
new file mode 100644
index 000000000..c568ffbdc
--- /dev/null
+++ b/tests/dhcp-request-flood/test.yaml
@@ -0,0 +1,9 @@
+# Skip by default, can take a long time to run until Suricata is fixed
+# for this case.
+skip: true
+
+checks:
+ - filter:
+ count: 10000
+ match:
+ event_type: dhcp
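Review bot: The `checks` block only asserts that 10000 dhcp events are logged; nothing in it fails the test when processing is slow, which is the regression the README and the skip comment describe, so once `skip: true` is removed the test passes whether or not the slowdown is fixed. If the harness supports a per-test time limit it should be set here; if it does not, the comment should say that the test only exercises the flood and that the timing has to be judged by hand. The skip comment should also name the ticket so a maintainer knows what to confirm before re-enabling, e.g. `# Skipped by default: a DHCP request flood can take very long to process until https://redmine.openinfosecfoundation.org/issues/3345 is fixed; drop 'skip' once that is resolved.`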