From: Eric Leblond
Date: Sun, 2 Aug 2020 16:49:42 +0000 (+0200)
Subject: tests/eve-alert-verbose: introduce test
X-Git-Tag: suricata-5.0.10~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eea84d2d4b7bdd830b52f915f68b2ff65caef3f7;p=thirdparty%2Fsuricata-verify.git
tests/eve-alert-verbose: introduce test
Introduce test on alert verbosity change.
---
diff --git a/tests/eve-alert-verbose/suricata.yaml b/tests/eve-alert-verbose/suricata.yaml
new file mode 100644
index 000000000..49392f531
--- /dev/null
+++ b/tests/eve-alert-verbose/suricata.yaml
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ full-logging-for-alerted-flows: printable
+
+ types:
+ - alert:
+ http-headers: yes
+ - http:
+ extended: yes
+ - dns:
+ query: yes # enable logging of DNS queries
+ answer: yes # enable logging of DNS answers
+ - tls:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ - smtp:
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ - flow
+ - netflow
+ - metadata
diff --git a/tests/eve-alert-verbose/test.rules b/tests/eve-alert-verbose/test.rules
new file mode 100644
index 000000000..0789cd5a0
--- /dev/null
+++ b/tests/eve-alert-verbose/test.rules
@@ -0,0 +1,5 @@
+# Silly rule to set the flowbit "traffic/label/cli-http" on
+# the curl user-agent.
+alert http any any -> any any (msg:"TEST"; \
+ http.user_agent; content:"curl"; \
+ sid:1; rev:1;)
diff --git a/tests/eve-alert-verbose/test.yaml b/tests/eve-alert-verbose/test.yaml
new file mode 100644
index 000000000..b7baee94b
--- /dev/null
+++ b/tests/eve-alert-verbose/test.yaml
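Review bot: The two settings this fixture exists for, `full-logging-for-alerted-flows: printable` on the eve-log output and `http-headers: yes` under `alert`, are the only uncommented knobs in the file, while the unrelated dns/tls/files/stats entries keep the sample config's comments, so a reader has to open test.yaml to learn which lines matter. A one-line comment on each, e.g. `full-logging-for-alerted-flows: printable  # option under test; expected keys are asserted in test.yaml`, would make the fixture self-describing. The dns, tls, files, smtp, ssh, stats, flow, netflow and metadata loggers are enabled without any check referencing them; unless one of them is needed for the `has-key: flow` assertion, dropping them keeps the fixture minimal and eve.json small. Because logged request headers can contain cookies and authorization values, a comment marking the verbosity as deliberate test output also stops this file from being copied as a production template.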
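Review bot: The header comment describes a rule that sets the flowbit `traffic/label/cli-http`, but the rule below sets no flowbit at all; it is a plain `alert http` on a User-Agent containing `curl` with `msg:"TEST"`, so the comment appears carried over from another test and misleads anyone reading the fixture. Replace it with `# Alert on any HTTP request whose User-Agent contains "curl"; the resulting alert's HTTP headers are what test.yaml inspects.`. Giving the rule a descriptive `msg`, e.g. `msg:"eve-alert-verbose test";`, would also make the single expected alert recognizable in eve.json.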
@@ -0,0 +1,20 @@
+requires:
+
+ script:
+ - grep "http-headers" suricata.yaml.in > /dev/null
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ has-key: flow
+ has-key: http.response_headers
+ has-key: http.request_headers
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ has-key: http.response_headers
+ has-key: http.request_headers
diff --git a/tests/eve-alert-verbose/testmyids.pcap b/tests/eve-alert-verbose/testmyids.pcap
new file mode 100644
index 000000000..868c57e59
Binary files /dev/null and b/tests/eve-alert-verbose/testmyids.pcap differ
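Review bot: The `requires` gate `grep "http-headers" suricata.yaml.in > /dev/null` keys the test on a string in the sample configuration rather than on the feature itself, so a later suricata.yaml.in that merely mentions `http-headers` in a comment would run the test against a build without the option, and a build that supports it but drops the sample text would skip it. If suricata-verify offers a `features:` or version requirement covering this option it would be the more robust gate; otherwise a comment recording what the grep stands in for, `# suricata.yaml.in documents alert http-headers only on builds that support it`, preserves the intent, and `grep -q "http-headers" suricata.yaml.in` reads cleaner than the redirect. The second filter expects `http.request_headers` and `http.response_headers` on the `event_type: http` record although suricata.yaml only sets `extended: yes` for the http logger, so this presumably relies on the option under test adding headers to the http event of an alerted flow as well; a comment on that filter would spare a reader from assuming `dump-all-headers` is missing from the config.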