From: Giuseppe Longo
Date: Mon, 4 Mar 2024 12:27:34 +0000 (+0100)
Subject: arp: add tests
X-Git-Tag: suricata-6.0.20~48
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1833%2Fhead;p=thirdparty%2Fsuricata-verify.git
arp: add tests
---
diff --git a/tests/decode-arp-2/README.md b/tests/decode-arp-2/README.md
new file mode 100644
index 000000000..aec1316eb
--- /dev/null
+++ b/tests/decode-arp-2/README.md
@@ -0,0 +1 @@
+PCAP from https://www.cloudshark.org/captures/e4d6ea732135/export
diff --git a/tests/decode-arp-2/arp.pcap b/tests/decode-arp-2/arp.pcap
new file mode 100644
index 000000000..c15ef60a2
Binary files /dev/null and b/tests/decode-arp-2/arp.pcap differ
diff --git a/tests/decode-arp-2/suricata.yaml b/tests/decode-arp-2/suricata.yaml
new file mode 100644
index 000000000..183f2e999
--- /dev/null
+++ b/tests/decode-arp-2/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - arp:
+ enabled: yes
+
diff --git a/tests/decode-arp-2/test.yaml b/tests/decode-arp-2/test.yaml
new file mode 100644
index 000000000..10a2c2732
--- /dev/null
+++ b/tests/decode-arp-2/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ min-version: 8
+
+pcap: arp.pcap
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: arp
+ - filter:
+ count: 1
+ match:
+ event_type: arp
+ pcap_cnt: 5
+ arp.hw_type: ethernet
+ arp.proto_type: ipv4
+ arp.opcode: request
+ arp.src_mac: 00:1d:09:f0:92:ab
+ arp.src_ip: 10.10.10.1
+ arp.dest_mac: 00:00:00:00:00:00
+ arp.dest_ip: 10.10.10.2
+ - filter:
+ count: 1
+ match:
+ event_type: arp
+ pcap_cnt: 6
+ arp.hw_type: ethernet
+ arp.proto_type: ipv4
+ arp.opcode: reply
+ arp.src_mac: 00:1a:6b:6c:0c:cc
+ arp.src_ip: 10.10.10.2
+ arp.dest_mac: 00:1d:09:f0:92:ab
+ arp.dest_ip: 10.10.10.1
+
diff --git a/tests/decode-arp-3/README.md b/tests/decode-arp-3/README.md
new file mode 100644
index 000000000..b3e4740c3
--- /dev/null
+++ b/tests/decode-arp-3/README.md
@@ -0,0 +1,14 @@
+Decode ARP packet over GRE.
+
+PCAP made with the following scapy script:
+
+```
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/GRE()/ARP()
+
+wrpcap('arp-encap.pcap', pkts)
+```
diff --git a/tests/decode-arp-3/arp-encap.pcap b/tests/decode-arp-3/arp-encap.pcap
new file mode 100644
index 000000000..2ec6dc910
Binary files /dev/null and b/tests/decode-arp-3/arp-encap.pcap differ
diff --git a/tests/decode-arp-3/suricata.yaml b/tests/decode-arp-3/suricata.yaml
new file mode 100644
index 000000000..183f2e999
--- /dev/null
+++ b/tests/decode-arp-3/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - arp:
+ enabled: yes
+
diff --git a/tests/decode-arp-3/test.yaml b/tests/decode-arp-3/test.yaml
new file mode 100644
index 000000000..c03b553a4
--- /dev/null
+++ b/tests/decode-arp-3/test.yaml
@@ -0,0 +1,18 @@
+pcap: arp-encap.pcap
+
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: arp
+ arp.hw_type: ethernet
+ arp.proto_type: ipv4
+ arp.opcode: request
+ arp.src_mac: bc:03:58:5a:d5:ca
+ arp.src_ip: 192.168.1.28
+ arp.dest_mac: 00:00:00:00:00:00
+ arp.dest_ip: 0.0.0.0
+
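Review bot: The expected `arp.src_mac: bc:03:58:5a:d5:ca` and `arp.src_ip: 192.168.1.28` in the decode-arp-3 check appear to be whatever the generating host's interface had, since the scapy script in the README builds the packet with a bare `ARP()` whose hwsrc/psrc default to the local interface address, so anyone regenerating `arp-encap.pcap` from that script would get a capture this check rejects. Pinning the source fields in the script, e.g. `ARP(hwsrc='bc:03:58:5a:d5:ca', psrc='192.168.1.28')`, keeps the README and the test consistent; the zero `arp.dest_mac`/`arp.dest_ip` already match the defaults. The check also does not distinguish a GRE-over-VLAN-encapsulated ARP from a plain one, which is the case the test is named for; adding `pcap_cnt: 1` as the decode-arp-2 test does, plus a VLAN or tunnel field if the arp event record carries one, would tie the assertion to the encapsulation path.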