From: Jeff Lucovsky
Date: Mon, 29 Jun 2020 13:42:39 +0000 (-0400)
Subject: test: Community-id tests for dhcp, rdp, smb, tftp
X-Git-Tag: suricata-6.0.4~251
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9806c1dfc773e56f520864b320d0dcd3b3e53233;p=thirdparty%2Fsuricata-verify.git
test: Community-id tests for dhcp, rdp, smb, tftp
This commit adds test cases that verify the community id string is included in dhcp, rdp, smb and tftp records when configured.
---
diff --git a/tests/output-eve-dhcp-01/input.pcap b/tests/output-eve-dhcp-01/input.pcap
new file mode 100644
index 000000000..93617129f
Binary files /dev/null and b/tests/output-eve-dhcp-01/input.pcap differ
diff --git a/tests/output-eve-dhcp-01/suricata.yaml b/tests/output-eve-dhcp-01/suricata.yaml
new file mode 100644
index 000000000..d754cd6e6
--- /dev/null
+++ b/tests/output-eve-dhcp-01/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ filename: eve.json
+ types:
+ - dhcp:
+ extended: true
+ community-id: true
diff --git a/tests/output-eve-dhcp-01/test.yaml b/tests/output-eve-dhcp-01/test.yaml
new file mode 100644
index 000000000..9027da0d0
--- /dev/null
+++ b/tests/output-eve-dhcp-01/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ features:
+ - RUST
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: dhcp
+ has-key: community_id
diff --git a/tests/output-eve-rdp-01/input.pcap b/tests/output-eve-rdp-01/input.pcap
new file mode 100644
index 000000000..d7e8e8450
Binary files /dev/null and b/tests/output-eve-rdp-01/input.pcap differ
diff --git a/tests/output-eve-rdp-01/suricata.yaml b/tests/output-eve-rdp-01/suricata.yaml
new file mode 100644
index 000000000..1f316c07a
--- /dev/null
+++ b/tests/output-eve-rdp-01/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - rdp
+ community-id: true
+
+app-layer:
+ protocols:
+ rdp:
+ enabled: yes
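Review bot: In the dhcp suricata.yaml hunk the nesting of `community-id: true` cannot be confirmed, because the hunk's indentation is collapsed here and the key directly follows `- dhcp:` and `extended: true`; `community-id` is an eve-log-level option, so it has to sit at the same level as `filename:` and `types:`, and if it were indented under the `dhcp:` mapping it would most likely be ignored. The same reading applies to the tftp suricata.yaml hunk, where `community-id: true` immediately follows `- tftp:`. A short comment above the key, `# eve-log option, not a per-type option: keep at the same level as types`, would keep future edits from pushing it under the type entry.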
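Review bot: The dhcp check in test.yaml only asserts that `community_id` is present on the two dhcp events, not that its value is correct, so a regression that emits an id computed from the wrong tuple, direction or seed would still pass. Since the community id is a deterministic hash of the flow tuple, at least one filter could pin the expected string, e.g. `community_id: "<value taken from the eve.json produced by this pcap>"`, alongside `has-key: community_id`. The same presence-only check is used in the rdp, smb and tftp test.yaml hunks.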
diff --git a/tests/output-eve-rdp-01/test.yaml b/tests/output-eve-rdp-01/test.yaml
new file mode 100644
index 000000000..f9c80d662
--- /dev/null
+++ b/tests/output-eve-rdp-01/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/rdp/parser.rs
+
+checks:
+
+ - filter:
+ count: 4
+ match:
+ event_type: rdp
+ has-key: community_id
diff --git a/tests/output-eve-smb-01/input.pcap b/tests/output-eve-smb-01/input.pcap
new file mode 100644
index 000000000..06ac59f68
Binary files /dev/null and b/tests/output-eve-smb-01/input.pcap differ
diff --git a/tests/output-eve-smb-01/suricata.yaml b/tests/output-eve-smb-01/suricata.yaml
new file mode 100644
index 000000000..41febec57
--- /dev/null
+++ b/tests/output-eve-smb-01/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - smb
+ community-id: true
diff --git a/tests/output-eve-smb-01/test.rules b/tests/output-eve-smb-01/test.rules
new file mode 100644
index 000000000..b8d6203dc
--- /dev/null
+++ b/tests/output-eve-smb-01/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"Ascii named_pipe"; flow:established; smb_named_pipe; content:"IPC$"; sid:1; rev:1;)
diff --git a/tests/output-eve-smb-01/test.yaml b/tests/output-eve-smb-01/test.yaml
new file mode 100644
index 000000000..6081c968d
--- /dev/null
+++ b/tests/output-eve-smb-01/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 5
+ match:
+ event_type: smb
+ has-key: community_id
diff --git a/tests/output-eve-tftp-01/input.pcap b/tests/output-eve-tftp-01/input.pcap
new file mode 100644
index 000000000..6c5efa8ba
Binary files /dev/null and b/tests/output-eve-tftp-01/input.pcap differ
diff --git a/tests/output-eve-tftp-01/suricata.yaml b/tests/output-eve-tftp-01/suricata.yaml
new file mode 100644
index 000000000..cb84c7858
--- /dev/null
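Review bot: The rdp test.yaml gates on `HAVE_LIBJANSSON` plus the existence of `rust/src/rdp/parser.rs` under `files:`, while the smb and tftp tests added in this commit gate on the `RUST` feature; the file-based requirement ties the test to the source-tree layout and will skip silently if that path ever moves. Unless the intent is to exclude older Rust builds that lack the rdp parser, `- RUST` under `features:` would make it consistent with its siblings; if the file check is deliberate, a comment such as `# rdp parser is Rust-only; skip on trees that lack it` would say why.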
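Review bot: Nothing in the smb test observes the rule added in test.rules: the smb suricata.yaml hunk enables only the `smb` eve type, so any alert the `smb_named_pipe` rule raises is never written to eve.json, and the single filter in test.yaml counts `event_type: smb` records only. As far as these hunks show, the rule is dead weight and could be dropped, or an `alert` entry could be added under `types:` with a second filter asserting `event_type: alert` and `has-key: community_id`, which would also cover the community id on alert records.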
+++ b/tests/output-eve-tftp-01/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ filename: eve.json
+ types:
+ - tftp:
+ community-id: true
diff --git a/tests/output-eve-tftp-01/test.yaml b/tests/output-eve-tftp-01/test.yaml
new file mode 100644
index 000000000..4d7c5a182
--- /dev/null
+++ b/tests/output-eve-tftp-01/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ has-key: community_id
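Review bot: The tftp filter matches on `has-key: community_id` alone, with no `event_type: tftp`, unlike the dhcp, rdp and smb checks; it passes only because tftp is the sole eve type enabled in the accompanying suricata.yaml, would pass just as well if the single matching record were something other than a tftp event, and would start failing on `count: 1` as soon as another type carrying the key is enabled. Add `event_type: tftp` under `match:` next to `has-key: community_id`.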