From: Jeff Lucovsky Date: Thu, 5 Mar 2020 13:25:36 +0000 (-0500) Subject: tests: ERSPAN Type I packet decode if config X-Git-Tag: suricata-6.0.4~270 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F289%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: ERSPAN Type I packet decode if config This commit adds tests for ERSPAN Type I decoding based on configuration settings.
---
diff --git a/tests/decode-erspan-typeI-02/README.md b/tests/decode-erspan-typeI-02/README.md
new file mode 100644
index 000000000..18aaf211d
--- /dev/null
+++ b/tests/decode-erspan-typeI-02/README.md
@@ -0,0 +1 @@
+Ensure ERSPAN Type I packets are decoded when configured
diff --git a/tests/decode-erspan-typeI-02/input.pcap b/tests/decode-erspan-typeI-02/input.pcap
new file mode 100644
index 000000000..961075040
Binary files /dev/null and b/tests/decode-erspan-typeI-02/input.pcap differ
diff --git a/tests/decode-erspan-typeI-02/test.yaml b/tests/decode-erspan-typeI-02/test.yaml
new file mode 100644
index 000000000..eb966e6ef
--- /dev/null
+++ b/tests/decode-erspan-typeI-02/test.yaml
@@ -0,0 +1,35 @@
+requires:
+
+ min-version: 5.0.0
+
+
+args:
+ - --set decoder.erspan.typeI.enabled=true
+
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ src_ip: 100.95.2.201
+ proto: ICMP
+ vlan: [1011]
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ src_ip: 100.95.3.105
+ proto: ICMP
+ vlan: [999]
+
+ - stats:
+ decoder.ipv4: 84
+ decoder.gre: 42
+ decoder.erspan: 42
diff --git a/tests/decode-erspan-typeI-03/README.md b/tests/decode-erspan-typeI-03/README.md
new file mode 100644
index 000000000..18aaf211d
--- /dev/null
+++ b/tests/decode-erspan-typeI-03/README.md
@@ -0,0 +1 @@
+Ensure ERSPAN Type I packets are decoded when configured
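Review bot: The `stats` check at the end of `tests/decode-erspan-typeI-02/test.yaml` asserts `decoder.ipv4: 84`, `decoder.gre: 42` and `decoder.erspan: 42` without saying how the three numbers relate, which makes a later mismatch hard to triage. A comment above the block such as `# 42 GRE/ERSPAN frames; ipv4 is 84, presumably outer + inner header per frame` would record the expectation; the 2x relationship is inferred from the values and should be confirmed against the capture. As a point of style, this file writes `min-version: 5.0.0` while the typeI-03 test writes `min-version: 5`, so one form should be used in both.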
diff --git a/tests/decode-erspan-typeI-03/input.pcap b/tests/decode-erspan-typeI-03/input.pcap
new file mode 100644
index 000000000..961075040
Binary files /dev/null and b/tests/decode-erspan-typeI-03/input.pcap differ
diff --git a/tests/decode-erspan-typeI-03/test.yaml b/tests/decode-erspan-typeI-03/test.yaml
new file mode 100644
index 000000000..cfed3ce78
--- /dev/null
+++ b/tests/decode-erspan-typeI-03/test.yaml
@@ -0,0 +1,18 @@
+requires:
+
+ min-version: 5
+ lt-version: 6
+
+
+args:
+ - --set decoder.erspan.typeI.enabled=false
+
+checks:
+
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+
+ - stats:
+ decoder.erspan: 0
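Review bot: The disabled-case checks in `tests/decode-erspan-typeI-03/test.yaml` (`count: 0` flow events and `decoder.erspan: 0`) would also pass if the capture were never read or decoding stopped before the GRE layer, so they do not show that the ERSPAN setting is what kept the encapsulated traffic from being decoded. The pcap has the same blob id (961075040) as the typeI-02 test, so a positive outer-layer assertion under `stats`, e.g. `decoder.gre: 42`, would pin that; the value is taken from the typeI-02 expectations and should be confirmed against a 5.x run. The `lt-version: 6` bound also deserves a one-line comment saying why the negative case is limited to 5.x. The typeI-03 README repeats the typeI-02 text ("decoded when configured") although this test covers the disabled case.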