From: Juliana Fajardini
Date: Thu, 5 Jun 2025 15:43:12 +0000 (-0300)
Subject: tests: add tests for decode encapsulation types
X-Git-Tag: suricata-7.0.11~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6d68da26c4a4e3136060801de395bfda664830c;p=thirdparty%2Fsuricata-verify.git
tests: add tests for decode encapsulation types
Add simple tests for alert to match on TCP traffic over:
- IPv4 over IPv4 - bug-4571-01
- IPv6 - bug-4571-02
- IPv6 over IPv6 - bug-4571-03
- IPv6 over IPv4 - bug-4571-04
- IPv4 - bug-4571-05
- IPv4 over IPv6 - bug-4571-06
Related to Bug #4571 Bug #7725 Bug #7752
---
diff --git a/tests/bug-4571-01/README.md b/tests/bug-4571-01/README.md
new file mode 100644
index 000000000..5ea1f1371
--- /dev/null
+++ b/tests/bug-4571-01/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv4 over IPv4 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+https://redmine.openinfosecfoundation.org/issues/7752
diff --git a/tests/bug-4571-01/ipv4_over_ipv4.pcap b/tests/bug-4571-01/ipv4_over_ipv4.pcap
new file mode 100644
index 000000000..21697bc8f
Binary files /dev/null and b/tests/bug-4571-01/ipv4_over_ipv4.pcap differ
diff --git a/tests/bug-4571-01/suricata.yaml b/tests/bug-4571-01/suricata.yaml
new file mode 100644
index 000000000..1099e1a86
--- /dev/null
+++ b/tests/bug-4571-01/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
+ - stats
diff --git a/tests/bug-4571-01/test.rules b/tests/bug-4571-01/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-01/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-01/test.yaml b/tests/bug-4571-01/test.yaml
new file mode 100644
index 000000000..15d0ef44a
--- /dev/null
+++ b/tests/bug-4571-01/test.yaml
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ pkt_src: ipv4 tunnel
+ src_ip: 10.1.0.3
+ dest_ip: 10.1.0.4
+ tunnel.src_ip: 10.1.0.1
+ tunnel.dest_ip: 10.1.0.2
+ tunnel.proto: IP-in-IP
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: IP-in-IP
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ flow.alerted: false
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ src_ip: 10.1.0.3
+ dest_ip: 10.1.0.4
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.ipv4_in_ipv4: 1
diff --git a/tests/bug-4571-02/README.md b/tests/bug-4571-02/README.md
new file mode 100644
index 000000000..a622a7110
--- /dev/null
+++ b/tests/bug-4571-02/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv6 decoding.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+
diff --git a/tests/bug-4571-02/ipv6.pcap b/tests/bug-4571-02/ipv6.pcap
new file mode 100644
index 000000000..f5ea84149
Binary files /dev/null and b/tests/bug-4571-02/ipv6.pcap differ
diff --git a/tests/bug-4571-02/suricata.yaml b/tests/bug-4571-02/suricata.yaml
new file mode 100644
index 000000000..b9297ca70
--- /dev/null
+++ b/tests/bug-4571-02/suricata.yaml
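Review bot: The alert filter in tests/bug-4571-01/test.yaml lists `pkt_src` twice inside the same `match` mapping (`pkt_src: wire/pcap` followed by `pkt_src: ipv4 tunnel`); a YAML mapping cannot carry duplicate keys, and PyYAML, which the suricata-verify runner appears to use, silently keeps the last value, so the `wire/pcap` line is dead and the check only ever tests `ipv4 tunnel`. Drop the earlier `pkt_src: wire/pcap` line here and in tests/bug-4571-04/test.yaml, and remove one of the two identical `pkt_src: wire/pcap` lines in tests/bug-4571-02/test.yaml and tests/bug-4571-05/test.yaml so each match block states one expectation per key. The X-Git-Tag header places this commit before suricata-7.0.11, while every test.yaml sets `min-version: 8`; if this lands on the 7.0.x branch the runner would skip all six tests, so confirm that is intended.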
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
diff --git a/tests/bug-4571-02/test.rules b/tests/bug-4571-02/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-02/test.yaml b/tests/bug-4571-02/test.yaml
new file mode 100644
index 000000000..755babec1
--- /dev/null
+++ b/tests/bug-4571-02/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ ip_v: 6
+ pkt_src: wire/pcap
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ flow.alerted: true
diff --git a/tests/bug-4571-03/README.md b/tests/bug-4571-03/README.md
new file mode 100644
index 000000000..ab920cb6a
--- /dev/null
+++ b/tests/bug-4571-03/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Check for proper engine behavior for IPv6 over IPv6 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
diff --git a/tests/bug-4571-03/ipv6_over_ipv6.pcap b/tests/bug-4571-03/ipv6_over_ipv6.pcap
new file mode 100644
index 000000000..9a5471619
Binary files /dev/null and b/tests/bug-4571-03/ipv6_over_ipv6.pcap differ
diff --git a/tests/bug-4571-03/suricata.yaml b/tests/bug-4571-03/suricata.yaml
new file mode 100644
index 000000000..b9297ca70
--- /dev/null
+++ b/tests/bug-4571-03/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
diff --git a/tests/bug-4571-03/test.rules b/tests/bug-4571-03/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-03/test.yaml b/tests/bug-4571-03/test.yaml
new file mode 100644
index 000000000..034d6e772
--- /dev/null
+++ b/tests/bug-4571-03/test.yaml
@@ -0,0 +1,42 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: ipv6 tunnel
+ proto: TCP
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8335
+ tunnel.src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ tunnel.dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ tunnel.proto: IPv6
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8335
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ proto: IPv6
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ - filter:
+ count: 2
+ match:
+ event_type: flow
diff --git a/tests/bug-4571-04/README.md b/tests/bug-4571-04/README.md
new file mode 100644
index 000000000..6f114b44b
--- /dev/null
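Review bot: The third filter in tests/bug-4571-03/test.yaml has no `event_type` key, so its `count: 1` is evaluated against every EVE record carrying `proto: IPv6` and those two addresses rather than only the outer-tunnel flow record, and unlike the sibling tunnel tests (bug-4571-01, -04 and -06) it never asserts that the outer flow did not alert. Add `event_type: flow` and `flow.alerted: false` to that `match` block so it pins the same contract as the other tunnel tests. Separately, bug-4571-03 and bug-4571-06 do not enable the `stats` output in suricata.yaml, so neither verifies a decoder tunnel counter the way bug-4571-01 and -04 do with `stats.decoder.ipv4_in_ipv4` and `stats.decoder.ipv6_in_ipv4`; if matching counters exist for the IPv6-outer encapsulations, a stats check would catch a regression in the decoder path rather than only in alerting.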
+++ b/tests/bug-4571-04/README.md
@@ -0,0 +1,13 @@
+# Test
+
+Check for proper engine behavior for IPv6 over IPv4 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+https://redmine.openinfosecfoundation.org/issues/7752
+
diff --git a/tests/bug-4571-04/ipv6_over_ipv4.pcap b/tests/bug-4571-04/ipv6_over_ipv4.pcap
new file mode 100644
index 000000000..c3a961f9f
Binary files /dev/null and b/tests/bug-4571-04/ipv6_over_ipv4.pcap differ
diff --git a/tests/bug-4571-04/suricata.yaml b/tests/bug-4571-04/suricata.yaml
new file mode 100644
index 000000000..1099e1a86
--- /dev/null
+++ b/tests/bug-4571-04/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
+ - stats
diff --git a/tests/bug-4571-04/test.rules b/tests/bug-4571-04/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-04/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-04/test.yaml b/tests/bug-4571-04/test.yaml
new file mode 100644
index 000000000..25319c734
--- /dev/null
+++ b/tests/bug-4571-04/test.yaml
@@ -0,0 +1,45 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ pkt_src: ipv4 tunnel
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ tunnel.src_ip: 10.1.0.1
+ tunnel.dest_ip: 10.1.0.2
+ tunnel.proto: IPv6
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: IPv6
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ ip_v: 4
+ flow.alerted: false
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.ipv6_in_ipv4: 1
diff --git a/tests/bug-4571-05/README.md b/tests/bug-4571-05/README.md
new file mode 100644
index 000000000..824aaa593
--- /dev/null
+++ b/tests/bug-4571-05/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv4 decoding.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+
diff --git a/tests/bug-4571-05/ipv4.pcap b/tests/bug-4571-05/ipv4.pcap
new file mode 100644
index 000000000..23befb351
Binary files /dev/null and b/tests/bug-4571-05/ipv4.pcap differ
diff --git a/tests/bug-4571-05/suricata.yaml b/tests/bug-4571-05/suricata.yaml
new file mode 100644
index 000000000..b9297ca70
--- /dev/null
+++ b/tests/bug-4571-05/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
diff --git a/tests/bug-4571-05/test.rules b/tests/bug-4571-05/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-05/test.yaml b/tests/bug-4571-05/test.yaml
new file mode 100644
index 000000000..ae6b0e525
--- /dev/null
+++ b/tests/bug-4571-05/test.yaml
@@ -0,0 +1,29 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ ip_v: 4
+ pkt_src: wire/pcap
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ ip_v: 4
+ flow.alerted: true
diff --git a/tests/bug-4571-06/README.md b/tests/bug-4571-06/README.md
new file mode 100644
index 000000000..01e22d6a4
--- /dev/null
+++ b/tests/bug-4571-06/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Check for proper engine behavior for IPv4 over IPv6 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
diff --git a/tests/bug-4571-06/ipv4_over_ipv6.pcap b/tests/bug-4571-06/ipv4_over_ipv6.pcap
new file mode 100644
index 000000000..9c1f7d615
Binary files /dev/null and b/tests/bug-4571-06/ipv4_over_ipv6.pcap differ
diff --git a/tests/bug-4571-06/suricata.yaml b/tests/bug-4571-06/suricata.yaml
new file mode 100644
index 000000000..b9297ca70
--- /dev/null
+++ b/tests/bug-4571-06/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
diff --git a/tests/bug-4571-06/test.rules b/tests/bug-4571-06/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-06/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-06/test.yaml b/tests/bug-4571-06/test.yaml
new file mode 100644
index 000000000..1ff608d4e
--- /dev/null
+++ b/tests/bug-4571-06/test.yaml
@@ -0,0 +1,44 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ proto: TCP
+ ip_v: 4
+ pkt_src: ipv6 tunnel
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ tunnel.src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ tunnel.dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ tunnel.proto: IP-in-IP
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ ip_v: 4
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: IP-in-IP
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ flow.alerted: false
+ - filter:
+ count: 2
+ match:
+ event_type: flow