From: Shivani Bhardwaj
Date: Tue, 1 Apr 2025 10:32:31 +0000 (+0530)
Subject: flow: log elephant flow count and bool
X-Git-Tag: suricata-7.0.11~117
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5097dbc12cf94e097acb0dac7f33a9121f55354;p=thirdparty%2Fsuricata-verify.git

flow: log elephant flow count and bool

Feature 5647
---
diff --git a/tests/elephant-flow-tracking/README.md b/tests/elephant-flow-tracking/README.md
new file mode 100644
index 000000000..eff8dcc97
--- /dev/null
+++ b/tests/elephant-flow-tracking/README.md
@@ -0,0 +1,9 @@
+Test Description
+================
+
+Test to show the output logged in case of elephant flow detected.
+
+Redmine Ticket
+==============
+
+https://redmine.openinfosecfoundation.org/issues/5647
diff --git a/tests/elephant-flow-tracking/suricata.yaml b/tests/elephant-flow-tracking/suricata.yaml
new file mode 100644
index 000000000..201593c8d
--- /dev/null
+++ b/tests/elephant-flow-tracking/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+flow:
+  rate-tracking:
+    bytes: 10KiB
+    interval: 10
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filename: eve.json
+      types:
+        - flow
+        - stats
diff --git a/tests/elephant-flow-tracking/test.yaml b/tests/elephant-flow-tracking/test.yaml
new file mode 100644
index 000000000..b95c4ebf5
--- /dev/null
+++ b/tests/elephant-flow-tracking/test.yaml
@@ -0,0 +1,15 @@
+pcap: ../tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap
+
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        stats.flow.elephant: 1
+
+  - filter:
+      count: 1
+      match:
+        flow.elephant: true
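Review bot: The `flow.rate-tracking` thresholds in suricata.yaml are given without any explanation, and `interval: 10` carries no unit, so a reader has to look up the Suricata option to understand what volume of traffic this fixture is meant to exceed. A one-line comment would make the config self-describing, e.g. `rate-tracking:  # flag a flow as elephant once it moves more than 'bytes' within 'interval' (unit per Suricata's flow docs)`. It would also help to note, here or in the README, why 10KiB was chosen relative to the capture being replayed, since the expected `flow.elephant: true` result depends entirely on the pcap clearing that threshold.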
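Review bot: The `pcap:` line in test.yaml points into another test's directory (`../tcp-urgp-09-oob-exceed-limit-inline/`), so this test silently depends on that fixture keeping its path and name; a rename or removal there would break this test with an unrelated-looking file-not-found error. Either copy the capture into `tests/elephant-flow-tracking/` or record the coupling inline, e.g. `pcap: ../tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap  # shared fixture, keep in sync with that test`. The `stats.flow.elephant: 1` check with `count: 1` also appears to assume exactly one stats record in eve.json carries that counter value; if stats were to be emitted more than once over the capture the match count would change, so a short comment stating that assumption would save the next maintainer a debugging round.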