From: Joyce Yu
Date: Mon, 17 Mar 2025 18:51:12 +0000 (-0400)
Subject: Tests: add bug-5486
X-Git-Tag: suricata-7.0.10~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2350%2Fhead;p=thirdparty%2Fsuricata-verify.git
Tests: add bug-5486
- add test to check presence of ethernet metadata in events triggered on flow timeout pseudopackets
---
diff --git a/tests/bug-5486/154.pcap b/tests/bug-5486/154.pcap
new file mode 100644
index 000000000..392c3bb59
Binary files /dev/null and b/tests/bug-5486/154.pcap differ
diff --git a/tests/bug-5486/README.md b/tests/bug-5486/README.md
new file mode 100644
index 000000000..e24c3d0e2
--- /dev/null
+++ b/tests/bug-5486/README.md
@@ -0,0 +1,11 @@
+# Test
+
+This test checks bug 5867 for missing ethernet metadata in
+events triggered on flow timeout pseudopackets.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/5486
+
+# Pcap
+
+Pcap comes from the ticket, where it demonstrates the bug:
+https://redmine.openinfosecfoundation.org/issues/5486
diff --git a/tests/bug-5486/suricata.yaml b/tests/bug-5486/suricata.yaml
new file mode 100644
index 000000000..8e2755830
--- /dev/null
+++ b/tests/bug-5486/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ ethernet: yes
+ types:
+ - http
diff --git a/tests/bug-5486/test.yaml b/tests/bug-5486/test.yaml
new file mode 100644
index 000000000..d9dc92c67
--- /dev/null
+++ b/tests/bug-5486/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ min-version: 8
+
+pcap: 154.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ has-key: ether
+ ether.src_mac: 00:08:02:1c:47:ae
+ ether.dest_mac: 20:e5:2a:b6:93:f1
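Review bot: Nothing in the new suricata.yaml says which setting is under test, so a later cleanup could drop `ethernet: yes` without noticing. A one-line comment above it would help, for example `# option under test: ether metadata must also be present on events logged from flow-timeout pseudopackets`. Only `http` is listed under `types:`, so the test covers that one logger; whether other event types are affected by the same path is not visible from this patch.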
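Review bot: The only entry under `checks:` in test.yaml passes as soon as one http event carries the two expected MAC addresses, so an http record in the same run that is still written without `ether` would go unnoticed. That missing-field case is what the test is meant to guard, and consumers that attribute events to hosts by MAC depend on it. A second filter that expects zero http events lacking the key would pin the regression directly, as in the fence below. Separately, `min-version: 8` skips the test on 7.0.x; if the fix is also carried on the 7.0 line (the tag on this commit hints at that, but it is an inference), the requirement could be lowered to match.

```yaml
checks:
  # … unchanged: filter expecting one http event with ether.src_mac / ether.dest_mac …
  - filter:
      count: 0
      match:
        event_type: http
        not-has-key: ether
```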