From: Mark Janssen
Date: Thu, 28 Feb 2019 15:15:25 +0000 (+0100)
Subject: eve/flow: add vlan and double-tagged vlan test
X-Git-Tag: suricata-6.0.4~464
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e20ba96685c0009374f97c44a3d4cb9df1b28917;p=thirdparty%2Fsuricata-verify.git
eve/flow: add vlan and double-tagged vlan test
---
diff --git a/tests/eve-flow-vlan/input.pcap b/tests/eve-flow-vlan/input.pcap
new file mode 100644
index 000000000..6cfd80f9b
Binary files /dev/null and b/tests/eve-flow-vlan/input.pcap differ
diff --git a/tests/eve-flow-vlan/suricata.yaml b/tests/eve-flow-vlan/suricata.yaml
new file mode 100644
index 000000000..04706a563
--- /dev/null
+++ b/tests/eve-flow-vlan/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - flow
diff --git a/tests/eve-flow-vlan/test.yaml b/tests/eve-flow-vlan/test.yaml
new file mode 100644
index 000000000..8a255d5d4
--- /dev/null
+++ b/tests/eve-flow-vlan/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+checks:
+ - filter:
+ comment: single vlan
+ count: 1
+ match:
+ event_type: flow
+ vlan: [6]
+
+ - filter:
+ comment: double-tagged vlan
+ count: 1
+ match:
+ event_type: flow
+ vlan: [1, 10]
diff --git a/tests/eve-flow-vlan/writepcap.py b/tests/eve-flow-vlan/writepcap.py
new file mode 100755
index 000000000..bb6b7f16c
--- /dev/null
+++ b/tests/eve-flow-vlan/writepcap.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+# VLAN tagged packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/ICMP()
+
+# Double-tagged VLAN (QinQ) packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=1)/Dot1Q(vlan=10)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/ICMP()
+
+wrpcap('input.pcap', pkts)
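Review bot: The suricata.yaml fixture leaves VLAN-aware flow tracking at the engine default, while the expectation in test.yaml of one flow record per tag combination presumably depends on that setting; making it explicit (as I recall the key is `use-for-tracking: yes` under a top-level `vlan:` section) would keep the test's premise visible in the fixture rather than in a default that could change. Beyond that, a one-line comment above `outputs:` such as `# flow events only: the checks look at the vlan array of each flow record` is all this small config needs.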
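Review bot: Each `match` block in test.yaml pins only `event_type: flow` and the `vlan` array, so it would also be satisfied by a flow record for unrelated traffic that happened to carry the same tags; adding the identifiers of the packets that writepcap.py builds, e.g. `src_ip: 192.168.0.1` and `proto: ICMP` under each `match`, ties each `count: 1` to the flow this test actually constructs. The `comment:` strings could also state what is being asserted — presumably that the single-tagged and the double-tagged packet, which otherwise share the same addresses, each produce their own flow record — since that is what distinguishes this from a plain flow-logging test.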
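Review bot: `pkts += Ether(...)/Dot1Q(...)/IP(...)/ICMP()` (both packets in writepcap.py) extends the list by iterating the packet, since `+=` on a list is `extend`, so it appears to work only because scapy's `Packet` is iterable; `pkts.append(Ether(...)/Dot1Q(vlan=6)/IP(...)/ICMP())` states the intent and does not lean on that protocol. The `from scapy.all import *` wildcard and the unversioned `#!/usr/bin/env python` shebang are further style points: `#!/usr/bin/env python3` and `from scapy.all import Ether, Dot1Q, IP, ICMP, wrpcap` name what the script uses. A short module docstring saying that this script generated the checked-in `input.pcap` and is presumably not run by the test harness itself would help whoever needs to regenerate the capture later.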