From: Juliana Fajardini Date: Wed, 16 Oct 2024 19:26:44 +0000 (-0700) Subject: tls: check for custom fields logging X-Git-Tag: suricata-7.0.8~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=839f01952ebc62d6a17c1993369f447f90b6eae5;p=thirdparty%2Fsuricata-verify.git tls: check for custom fields logging Related to Bug https://redmine.openinfosecfoundation.org/issues/7287
---
diff --git a/tests/tls/tls-eve-custom-fields/README.md b/tests/tls/tls-eve-custom-fields/README.md
new file mode 100644
index 000000000..133fabd22
--- /dev/null
+++ b/tests/tls/tls-eve-custom-fields/README.md
@@ -0,0 +1,12 @@
+### Test
+
+Check that missing TLS custom fields are checked in test -- to test for
+JSON schema completion.
+
+### Pcap
+
+Reused from test `tls-store-02`.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7287
diff --git a/tests/tls/tls-eve-custom-fields/suricata.yaml b/tests/tls/tls-eve-custom-fields/suricata.yaml
new file mode 100644
index 000000000..18ca8538e
--- /dev/null
+++ b/tests/tls/tls-eve-custom-fields/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - tls:
+ ja4: on
+ custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, subjectaltname, client, client_certificate, client_chain]
diff --git a/tests/tls/tls-eve-custom-fields/test.yaml b/tests/tls/tls-eve-custom-fields/test.yaml
new file mode 100644
index 000000000..84c5187ee
--- /dev/null
+++ b/tests/tls/tls-eve-custom-fields/test.yaml 
@@ -0,0 +1,36 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+pcap: ../tls-store-02/tls-client-auth.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=HU, ST=Budapest, L=Budapest, O=TLSClientAuthSampleServer, CN=SampleServer
+ tls.issuerdn: C=HU, ST=Budapest, L=Budapest, O=TLSClientAuthSampleCA, CN=SampleRoot
+ tls.subjectaltname[0]: localhost
+ tls.serial: 00:C7:D4:28:8B:80:E0:1E:25
+ tls.fingerprint: 06:39:f9:5d:fe:81:53:c4:9d:f0:ac:80:3e:2d:42:07:e8:96:de:09
+ tls.sni: localhost
+ tls.version: TLS 1.2
+ tls.notbefore: '2018-04-14T20:55:27'
+ tls.notafter: '2018-05-14T20:55:27'
+ tls.client.serial: 00:C7:D4:28:8B:80:E0:1E:27
+ tls.client.notbefore: '2018-04-14T20:55:27'
+ tls.client.notafter: '2018-05-14T20:55:27'
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ has-key: tls.certificate
+ has-key: tls.chain
+ has-key: tls.client.subject
+ has-key: tls.client.issuerdn
+ has-key: tls.client.fingerprint
+ has-key: tls.client.chain
+ has-key: tls.client.certificate
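Review bot: The second filter repeats the key `has-key` seven times in what appears to be a single `match` mapping (indentation is lost in this view, so confirm against the file). YAML mapping keys must be unique, and common loaders silently keep only the last value, so this check would likely verify only `tls.client.certificate`. It would then pass even if `tls.certificate`, `tls.chain` or the other client fields were never logged, which defeats the schema-completeness purpose stated in the README. Splitting it into one filter per key, as sketched below, makes each field an independent assertion. Separately, `suricata.yaml` sets `ja4: on` but no check covers a JA4 field; if the pcap and build produce one, a check for it would close that gap.

```yaml
# … unchanged: requires, args, pcap and the first filter …
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.certificate
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.chain
  # … one filter of the same shape for each of: tls.client.subject,
  #   tls.client.issuerdn, tls.client.fingerprint, tls.client.chain,
  #   tls.client.certificate …
```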