From: Philippe Antoine
Date: Fri, 1 Dec 2023 20:56:03 +0000 (+0100)
Subject: Add test about enip stats with _udp prefix
X-Git-Tag: suricata-6.0.16~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ccdb5fab3c95c6e0099f6f234874dd964aeb7dbb;p=thirdparty%2Fsuricata-verify.git
Add test about enip stats with _udp prefix
Ticket: 6304
---
diff --git a/tests/enip-stats-udp/README.md b/tests/enip-stats-udp/README.md
new file mode 100644
index 000000000..a49716dbc
--- /dev/null
+++ b/tests/enip-stats-udp/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test ENIP stats always have `_udp` or `_tcp` prefix
+
+# Issue
+
+https://redmine.openinfosecfoundation.org/issues/6304
+
+# PCAP
+
+The pcap is reused enip-alert test
diff --git a/tests/enip-stats-udp/suricata.yaml b/tests/enip-stats-udp/suricata.yaml
new file mode 100644
index 000000000..205735ab8
--- /dev/null
+++ b/tests/enip-stats-udp/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - flow
+ - stats
+
+app-layer:
+ protocols:
+ enip:
+ enabled: detection-only
+ detection-ports:
+ dp: 44818
diff --git a/tests/enip-stats-udp/test.yaml b/tests/enip-stats-udp/test.yaml
new file mode 100644
index 000000000..2fc6e23e6
--- /dev/null
+++ b/tests/enip-stats-udp/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 8
+
+pcap: ../enip-alert/enip_test1.pcap
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: enip
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ # not stats.app_layer.flow.enip
+ stats.app_layer.flow.enip_tcp: 1
+ stats.app_layer.flow.enip_udp: 0
+ - filter:
+ count: 0
+ match:
+ event_type: stats
+ # this key does not exist in eve output
+ stats.app_layer.flow.enip: 0
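Review bot: The UDP half of the second check in test.yaml is pinned only as `stats.app_layer.flow.enip_udp: 0`, so the test confirms the `_udp` key is present but never drives an ENIP-over-UDP flow through the parser; the reused enip-alert pcap appears to be TCP-only given `stats.app_layer.flow.enip_tcp: 1`. A regression that emitted an unprefixed `enip` counter only on the UDP code path would therefore still pass this test. If a UDP ENIP capture is available, a sibling test asserting `stats.app_layer.flow.enip_udp: 1` would close that gap; otherwise a comment such as `# pcap is TCP-only; the _udp counter is only checked to exist` above the enip_udp line would make the intended coverage explicit. The third check's `count: 0` would also pass if no stats event were written at all, but the second check's `count: 1` on `event_type: stats` already guards against that.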