From: Jason Ish
Date: Mon, 16 Dec 2024 18:50:54 +0000 (-0600)
Subject: test: truncated ipv4 test
X-Git-Tag: suricata-7.0.9~91
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2219%2Fhead;p=thirdparty%2Fsuricata-verify.git

test: truncated ipv4 test

Test that no src_ip, dest_ip are logged instead of just empty strings.

Ticket: https://redmine.openinfosecfoundation.org/issues/7460
---
diff --git a/tests/ipv4-truncated/README.md b/tests/ipv4-truncated/README.md
new file mode 100644
index 000000000..7e3f006af
--- /dev/null
+++ b/tests/ipv4-truncated/README.md
@@ -0,0 +1,3 @@
+Test that alerts that have unknown IP addresses and ports don't log them.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7460
diff --git a/tests/ipv4-truncated/decoder-events.rules b/tests/ipv4-truncated/decoder-events.rules
new file mode 100644
index 000000000..c7ffb2624
--- /dev/null
+++ b/tests/ipv4-truncated/decoder-events.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv4 truncated packet"; decode-event:ipv4.trunc_pkt; classtype:protocol-command-decode; sid:2200003; rev:2;)
diff --git a/tests/ipv4-truncated/test.yaml b/tests/ipv4-truncated/test.yaml
new file mode 100644
index 000000000..80d4513c6
--- /dev/null
+++ b/tests/ipv4-truncated/test.yaml
@@ -0,0 +1,9 @@
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: null
+ dest_ip: null
+ src_port: null
+ dest_port: null
diff --git a/tests/ipv4-truncated/truncated.pcap b/tests/ipv4-truncated/truncated.pcap
new file mode 100644
index 000000000..1d7f1c02c
Binary files /dev/null and b/tests/ipv4-truncated/truncated.pcap differ
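Review bot: The filter in the test.yaml hunk matches only on `event_type: alert` and the four null address/port fields, so it does not tie the expected alert to the truncated-packet signature that decoder-events.rules defines; any single alert lacking those fields would satisfy `count: 1`. Adding `alert.signature_id: 2200003` to the `match` block pins the check to the sid from the rules file in the same commit. It is also worth confirming how the framework compares `null`: if both an absent key and a JSON null compare equal to it, the check rules out the empty-string regression named in the commit message but would still pass if a literal null were emitted, so an absent-key check (if the framework provides one) would be stricter.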