From: Jeff Lucovsky
Date: Sat, 24 May 2025 15:26:40 +0000 (-0400)
Subject: test/decode: Test SLL2 decode
X-Git-Tag: suricata-7.0.11~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95ab4bf3e91330bf2e004645e1756b8972dabc2e;p=thirdparty%2Fsuricata-verify.git

test/decode: Test SLL2 decode

This test checks SLL2 decode operation.
---
diff --git a/tests/decode-sll2-01/README.md b/tests/decode-sll2-01/README.md
new file mode 100644
index 000000000..42f25467d
--- /dev/null
+++ b/tests/decode-sll2-01/README.md
@@ -0,0 +1 @@
+Suricata 8+ Ensure SLL2 packets are decoded
diff --git a/tests/decode-sll2-01/input.pcap b/tests/decode-sll2-01/input.pcap
new file mode 100644
index 000000000..de400d678
Binary files /dev/null and b/tests/decode-sll2-01/input.pcap differ
diff --git a/tests/decode-sll2-01/test.yaml b/tests/decode-sll2-01/test.yaml
new file mode 100644
index 000000000..9ef168db3
--- /dev/null
+++ b/tests/decode-sll2-01/test.yaml
@@ -0,0 +1,10 @@
+requires:
+
+ min-version: 8
+
+checks:
+
+- stats:
+ decoder.ipv4: 5
+ decoder.tcp: 5
+ decoder.sll2: 5
diff --git a/tests/decode-sll2-02/README.md b/tests/decode-sll2-02/README.md
new file mode 100644
index 000000000..9a7fc38f7
--- /dev/null
+++ b/tests/decode-sll2-02/README.md
@@ -0,0 +1 @@
+Suricata 8+ Ensure SLL2 packets are decoded and HTTP alerts validated.
diff --git a/tests/decode-sll2-02/input.pcap b/tests/decode-sll2-02/input.pcap
new file mode 100644
index 000000000..c4d858858
Binary files /dev/null and b/tests/decode-sll2-02/input.pcap differ
diff --git a/tests/decode-sll2-02/input.rules b/tests/decode-sll2-02/input.rules
new file mode 100644
index 000000000..1a680577e
--- /dev/null
+++ b/tests/decode-sll2-02/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"SLL2/HTTP test"; flow:established, to_server; http.uri; content: "/testing"; sid: 1;)
diff --git a/tests/decode-sll2-02/suricata.yaml b/tests/decode-sll2-02/suricata.yaml
new file mode 100644
index 000000000..29d9fdde9
--- /dev/null
+++ b/tests/decode-sll2-02/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+ - fast:
+ enabled: yes
+
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - http:
+ extended: yes # enable this for extended logging information
+ - stats:
+ enabled: yes
+ filename: stats.log
diff --git a/tests/decode-sll2-02/test.yaml b/tests/decode-sll2-02/test.yaml
new file mode 100644
index 000000000..5ef15da3f
--- /dev/null
+++ b/tests/decode-sll2-02/test.yaml
@@ -0,0 +1,24 @@
+requires:
+
+ min-version: 8
+
+args:
+ - -k none
+checks:
+
+- stats:
+ decoder.sll2: 159
+ decoder.tcp: 159
+ decoder.ipv4: 159
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet_info.linktype_name: LINUX_SLL2
+- filter:
+ count: 1
+ match:
+ event_type: http
+ http.hostname: 192.168.1.21
+ http.http_method: GET
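Review bot: The `packet: yes` line under the alert type says what it does but not why this test needs it; the companion test.yaml in the same commit matches alerts on `packet_info.linktype_name`, and that object appears to be emitted only when packet logging is enabled, so the setting is load-bearing rather than a leftover from a template. Suggest `packet: yes # required: test.yaml matches alerts on packet_info.linktype_name` so a later cleanup does not drop it and silently break the LINUX_SLL2 assertion. The `fast` output is also enabled, yet nothing in test.yaml reads fast.log; if it is not needed it could be removed to keep the per-test config minimal.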
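Review bot: `- -k none` under `args` turns off checksum validation without recording why; decode-sll2-01 in the same commit runs without it, so the reason is presumably specific to this capture (for instance offloaded or otherwise invalid checksums that would keep the TCP stream, and hence the HTTP alert, from being inspected), which is worth confirming and noting. Suggest `- -k none  # checksum validation off; TODO confirm why this capture needs it (01 does not)`. A one-line comment on the alert filter saying that `packet_info.linktype_name: LINUX_SLL2` is the check that proves SLL2 decoding, while the `decoder.*: 159` counters only show every frame was counted, would also make the intent of the three checks clearer to the next reader.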