From: Jason Ish
Date: Tue, 30 Jan 2018 22:28:14 +0000 (-0600)
Subject: test: eve/alert/metadata
X-Git-Tag: suricata-6.0.4~504
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cb0204fd8352c6de793ecf015463ca7068b29dc1;p=thirdparty%2Fsuricata-verify.git
test: eve/alert/metadata
---
diff --git a/tests/eve-alert-metadata-defaults/suricata.yaml b/tests/eve-alert-metadata-defaults/suricata.yaml
new file mode 100644
index 000000000..cc0fcad34
--- /dev/null
+++ b/tests/eve-alert-metadata-defaults/suricata.yaml
@@ -0,0 +1,35 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+
+ # Enable to disable top-level metadata logging. Default: yes.
+ #metadata: no
+
+ types:
+ - alert
+ - http:
+ extended: yes
+ - dns:
+ query: yes # enable logging of DNS queries
+ answer: yes # enable logging of DNS answers
+ - tls:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ - smtp:
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ - flow
+ - netflow
+ - metadata
diff --git a/tests/eve-alert-metadata-defaults/test.rules b/tests/eve-alert-metadata-defaults/test.rules
new file mode 100644
index 000000000..56b4ee23a
--- /dev/null
+++ b/tests/eve-alert-metadata-defaults/test.rules
@@ -0,0 +1,7 @@
+# Silly rule to set the flowbit "traffic/label/cli-http" on
+# the curl user-agent.
+alert http any any -> any any (msg:"TEST"; \
+ content:"curl"; \
+ http_user_agent; \
+ metadata:tag tag1, created_at 2018-01-30; \
+ sid:1; rev:1;)
diff --git a/tests/eve-alert-metadata-defaults/test.yaml b/tests/eve-alert-metadata-defaults/test.yaml
new file mode 100644
index 000000000..be9aebb5b
--- /dev/null
+++ b/tests/eve-alert-metadata-defaults/test.yaml
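Review bot: The comment `# Enable to disable top-level metadata logging. Default: yes.` above the commented-out `#metadata: no` line reads as a contradiction, because "enable" here means uncommenting the line that follows. Suggest `# Uncomment to disable top-level metadata logging (default: yes).`; the same comment is repeated in the eve-alert-metadata-enable-rule and eve-alert-metadata-off copies of suricata.yaml. The bare `- smtp:` entry parses as a mapping with a null value rather than the plain scalar used for `- ssh` two lines later; this mirrors the stock Suricata configuration and is presumably accepted by its loader, but writing `- smtp` would make the two entries consistent.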
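Review bot: The header comment `# Silly rule to set the flowbit "traffic/label/cli-http" on the curl user-agent.` describes a flowbit that this rule never sets — the rule carries only `content`, `http_user_agent`, `metadata` and `sid`/`rev`, with no `flowbits` keyword — so it looks copied from another test and will mislead the next reader. Suggest `# Minimal rule matching the curl user-agent; its metadata keyword is what the eve alert metadata checks exercise.` The identical file is added under eve-alert-metadata-enable-rule and eve-alert-metadata-off and carries the same stale comment.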
@@ -0,0 +1,16 @@
+requires:
+
+ script:
+ - grep METADATA_DEFAULTS src/output-json-alert.c > /dev/null
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.metadata.created_at[0]: "2018-01-30"
+ alert.metadata.tag[0]: "tag1"
+ has-key: flow
+ has-key: http
+ not-has-key: alert.rule
diff --git a/tests/eve-alert-metadata-defaults/testmyids.pcap b/tests/eve-alert-metadata-defaults/testmyids.pcap
new file mode 100644
index 000000000..868c57e59
Binary files /dev/null and b/tests/eve-alert-metadata-defaults/testmyids.pcap differ
diff --git a/tests/eve-alert-metadata-enable-rule/suricata.yaml b/tests/eve-alert-metadata-enable-rule/suricata.yaml
new file mode 100644
index 000000000..4079bc091
--- /dev/null
+++ b/tests/eve-alert-metadata-enable-rule/suricata.yaml
@@ -0,0 +1,38 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+
+ # Enable to disable top-level metadata logging. Default: yes.
+ #metadata: no
+
+ types:
+ - alert:
+ metadata:
+ rule:
+ raw: true
+ - http:
+ extended: yes
+ - dns:
+ query: yes # enable logging of DNS queries
+ answer: yes # enable logging of DNS answers
+ - tls:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ - smtp:
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ - flow
+ - netflow
+ - metadata
diff --git a/tests/eve-alert-metadata-enable-rule/test.rules b/tests/eve-alert-metadata-enable-rule/test.rules
new file mode 100644
index 000000000..56b4ee23a
--- /dev/null
+++ b/tests/eve-alert-metadata-enable-rule/test.rules
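Review bot: The filter under `checks` selects on `event_type: alert` and `count: 1` only, so nothing ties the inspected event to the rule whose metadata it asserts on; adding `alert.signature_id: 1` to `match` makes the check self-describing and fails clearly should any other rule ever produce the single alert. The same addition applies to the test.yaml files of eve-alert-metadata-enable-rule and eve-alert-metadata-off. The `requires.script` grep for `METADATA_DEFAULTS` in src/output-json-alert.c gates the test on an internal symbol and deserves a one-line comment saying so, e.g. `# Only run against a Suricata tree whose alert logger has the metadata-defaults support (METADATA_DEFAULTS in src/output-json-alert.c).`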
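Review bot: `raw: true` under `alert: metadata: rule:` is the only boolean in this file written as `true`, while every other boolean in the same document (`enabled: yes`, `extended: yes`, `force-magic: no`, `totals: yes`, …) uses the `yes`/`no` form of the included Suricata configuration; suggest `raw: yes` for consistency. The eve-alert-metadata-off copy of suricata.yaml has the same mix with `metadata: false` beside `yes`/`no` values, where `metadata: no` would match. Both spellings are equivalent under the `%YAML 1.1` directive the file declares, so this is style only.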
@@ -0,0 +1,7 @@
+# Silly rule to set the flowbit "traffic/label/cli-http" on
+# the curl user-agent.
+alert http any any -> any any (msg:"TEST"; \
+ content:"curl"; \
+ http_user_agent; \
+ metadata:tag tag1, created_at 2018-01-30; \
+ sid:1; rev:1;)
diff --git a/tests/eve-alert-metadata-enable-rule/test.yaml b/tests/eve-alert-metadata-enable-rule/test.yaml
new file mode 100644
index 000000000..42bd1a0a3
--- /dev/null
+++ b/tests/eve-alert-metadata-enable-rule/test.yaml
@@ -0,0 +1,16 @@
+requires:
+
+ script:
+ - grep METADATA_DEFAULTS src/output-json-alert.c > /dev/null
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.metadata.created_at[0]: "2018-01-30"
+ alert.metadata.tag[0]: "tag1"
+ has-key: flow
+ has-key: http
+ has-key: alert.rule
diff --git a/tests/eve-alert-metadata-enable-rule/testmyids.pcap b/tests/eve-alert-metadata-enable-rule/testmyids.pcap
new file mode 100644
index 000000000..868c57e59
Binary files /dev/null and b/tests/eve-alert-metadata-enable-rule/testmyids.pcap differ
diff --git a/tests/eve-alert-metadata-off/suricata.yaml b/tests/eve-alert-metadata-off/suricata.yaml
new file mode 100644
index 000000000..bc3e3ae63
--- /dev/null
+++ b/tests/eve-alert-metadata-off/suricata.yaml
@@ -0,0 +1,36 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+
+ # Enable to disable top-level metadata logging. Default: yes.
+ #metadata: no
+
+ types:
+ - alert:
+ metadata: false
+ - http:
+ extended: yes
+ - dns:
+ query: yes # enable logging of DNS queries
+ answer: yes # enable logging of DNS answers
+ - tls:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ - smtp:
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ - flow
+ - netflow
+ - metadata
diff --git a/tests/eve-alert-metadata-off/test.rules b/tests/eve-alert-metadata-off/test.rules
new file mode 100644
index 000000000..56b4ee23a
--- /dev/null
+++ b/tests/eve-alert-metadata-off/test.rules
@@ -0,0 +1,7 @@
+# Silly rule to set the flowbit "traffic/label/cli-http" on
+# the curl user-agent.
+alert http any any -> any any (msg:"TEST"; \
+ content:"curl"; \
+ http_user_agent; \
+ metadata:tag tag1, created_at 2018-01-30; \
+ sid:1; rev:1;)
diff --git a/tests/eve-alert-metadata-off/test.yaml b/tests/eve-alert-metadata-off/test.yaml
new file mode 100644
index 000000000..c1bdf6273
--- /dev/null
+++ b/tests/eve-alert-metadata-off/test.yaml
@@ -0,0 +1,15 @@
+requires:
+
+ script:
+ - grep METADATA_DEFAULTS src/output-json-alert.c > /dev/null
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ not-has-key: flow
+ not-has-key: http
+ not-has-key: alert.metadata
+ not-has-key: alert.rule
diff --git a/tests/eve-alert-metadata-off/testmyids.pcap b/tests/eve-alert-metadata-off/testmyids.pcap
new file mode 100644
index 000000000..868c57e59
Binary files /dev/null and b/tests/eve-alert-metadata-off/testmyids.pcap differ