From: Jeff Lucovsky
Date: Mon, 8 Dec 2025 13:52:46 +0000 (-0500)
Subject: test/ipv4: Test case for IPv4 unknown proto
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc4502c17317d58b70fee1ff7b06eaed5cb96d85;p=thirdparty%2Fsuricata-verify.git

test/ipv4: Test case for IPv4 unknown proto

Test case to ensure IPv4 unknown proto event fires.

Issue: 7146
---

diff --git a/tests/bug-7146/README.md b/tests/bug-7146/README.md
new file mode 100644
index 000000000..76bf09bb2
--- /dev/null
+++ b/tests/bug-7146/README.md
@@ -0,0 +1,11 @@
+Test case for handling unknown IP protocol in IPv4 header.
+
+PCAP
+----
+
+Created with create_pcap.py
+
+Ticket
+------
+
+https://redmine.openinfosecfoundation.org/issues/7146
diff --git a/tests/bug-7146/create_pcap.py b/tests/bug-7146/create_pcap.py
new file mode 100644
index 000000000..4bd270101
--- /dev/null
+++ b/tests/bug-7146/create_pcap.py
@@ -0,0 +1,16 @@
+from scapy.all import Ether, IP, Raw, wrpcap
+
+# 253 and 254 are "experimental / unused" protocol numbers
+UNKNOWN_PROTO = 253
+
+# Build Ethernet + IPv4 header with unknown protocol
+pkt = (
+    Ether(src="00:11:22:33:44:55", dst="66:77:88:99:aa:bb") /
+    IP(src="192.168.1.10", dst="192.168.1.20", proto=UNKNOWN_PROTO) /
+    Raw(b"hello-unknown-proto")
+)
+
+# Write to pcap file
+wrpcap("input.pcap", pkt)
+
+print("Wrote input.pcap")
diff --git a/tests/bug-7146/input.pcap b/tests/bug-7146/input.pcap
new file mode 100644
index 000000000..aae0b201e
Binary files /dev/null and b/tests/bug-7146/input.pcap differ
diff --git a/tests/bug-7146/test.rules b/tests/bug-7146/test.rules
new file mode 100644
index 000000000..1267108b4
--- /dev/null
+++ b/tests/bug-7146/test.rules
@@ -0,0 +1 @@
+alert ipv4 any any -> any any (msg:"SURICATA IPv4 invalid protocol"; decode-event:ipv4.unknown_protocol; classtype:protocol-command-decode; sid:1;)
diff --git a/tests/bug-7146/test.yaml b/tests/bug-7146/test.yaml
new file mode 100644
index 000000000..8c377c2a6
--- /dev/null
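Review bot: `wrpcap("input.pcap", pkt)` writes relative to the current working directory, so a contributor who regenerates the capture from the repository root (as the README's "Created with create_pcap.py" invites) gets `input.pcap` there instead of next to the test; anchoring on the script's own location avoids that: `from pathlib import Path` and `wrpcap(str(Path(__file__).with_name("input.pcap")), pkt)`. The `# 253 and 254 ...` comment could cite the reservation so the choice is traceable, e.g. `# 253 and 254 are reserved for experimentation and testing (IANA protocol numbers, RFC 3692)`. The packet timestamp is taken from the time the script runs, so a regenerated file will not be byte-identical to the committed `input.pcap`; harmless for this test, but worth a one-line comment for anyone who tries to diff them.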
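Review bot: The message text `SURICATA IPv4 invalid protocol` does not match the event the rule keys on, `decode-event:ipv4.unknown_protocol`; an unassigned or experimental protocol number is unknown rather than invalid, and a mismatched msg makes the alert harder to relate to the decoder counter it is meant to exercise. Suggest `msg:"SURICATA IPv4 unknown protocol"`. Adding `rev:1;` would follow the usual rule convention, though it is optional.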
+++ b/tests/bug-7146/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 9
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ proto: "253"
+ ip_v: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.pkts: 1
+ stats.decoder.ipv4: 1
+ stats.decoder.event.ipv4.unknown_protocol: 1
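Review bot: The alert filter matches only `alert.signature_id: 1`, `proto: "253"` and `ip_v: 4`; adding `src_ip: 192.168.1.10` and `dest_ip: 192.168.1.20` (the addresses set in create_pcap.py in this same commit) would bind the alert to the crafted packet rather than to any IPv4 packet carrying that protocol number. The YAML nesting is not recoverable from this rendering, so I assume the usual suricata-verify `checks` layout. The stats filter already pins the decoder counter to exactly one event, which matches the intent stated in the commit description.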