From: Jeff Lucovsky Date: Wed, 17 Apr 2019 23:34:36 +0000 (-0700) Subject: Adds test case for JSON anomaly logging X-Git-Tag: suricata-6.0.4~459 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F50%2Fhead;p=thirdparty%2Fsuricata-verify.git Adds test case for JSON anomaly logging
---
diff --git a/tests/output-eve-anomaly-packethdr/anomaly.pcap b/tests/output-eve-anomaly-packethdr/anomaly.pcap
new file mode 100644
index 000000000..bf0f25b4c
Binary files /dev/null and b/tests/output-eve-anomaly-packethdr/anomaly.pcap differ
diff --git a/tests/output-eve-anomaly-packethdr/suricata.yaml b/tests/output-eve-anomaly-packethdr/suricata.yaml
new file mode 100644
index 000000000..dce7bb003
--- /dev/null
+++ b/tests/output-eve-anomaly-packethdr/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - anomaly:
+ packethdr: yes # enable dumping of packet header
diff --git a/tests/output-eve-anomaly-packethdr/test.yaml b/tests/output-eve-anomaly-packethdr/test.yaml
new file mode 100644
index 000000000..c268cfbd7
--- /dev/null
+++ b/tests/output-eve-anomaly-packethdr/test.yaml
@@ -0,0 +1,27 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+ files:
+ - src/output-json-anomaly.c
+
+checks:
+ - filter:
+ count: 48
+ match:
+ event_type: anomaly
+ anomaly.type: packet
+ packet_info.linktype: 1
+ has-key: packet
+ - filter:
+ count: 4
+ match:
+ anomaly.event: decoder.icmpv4.unknown_code
+ - filter:
+ count: 42
+ match:
+ anomaly.event: decoder.icmpv4.unknown_type
+ - filter:
+ count: 2
+ match:
+ anomaly.event: decoder.ipv4.trunc_pkt
diff --git a/tests/output-eve-anomaly/anomaly.pcap b/tests/output-eve-anomaly/anomaly.pcap
new file mode 100644
index 000000000..bf0f25b4c
Binary files /dev/null and b/tests/output-eve-anomaly/anomaly.pcap differ
diff --git a/tests/output-eve-anomaly/suricata.yaml b/tests/output-eve-anomaly/suricata.yaml
new file mode 100644
index 000000000..284402839
--- /dev/null
+++ b/tests/output-eve-anomaly/suricata.yaml
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - anomaly:
diff --git a/tests/output-eve-anomaly/test.yaml b/tests/output-eve-anomaly/test.yaml
new file mode 100644
index 000000000..d07928738
--- /dev/null
+++ b/tests/output-eve-anomaly/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+ files:
+ - src/output-json-anomaly.c
+
+checks:
+ - filter:
+ count: 48
+ match:
+ event_type: anomaly
+ anomaly.type: packet
+ - filter:
+ count: 4
+ match:
+ anomaly.event: decoder.icmpv4.unknown_code
+ - filter:
+ count: 42
+ match:
+ anomaly.event: decoder.icmpv4.unknown_type
+ - filter:
+ count: 2
+ match:
+ anomaly.event: decoder.ipv4.trunc_pkt
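Review bot: The `count: 48` in the first filter of tests/output-eve-anomaly-packethdr/test.yaml is an unexplained magic number; nothing records that it is the sum of the three per-event filters below it (4 + 42 + 2), so a future change to the pcap would leave a maintainer re-deriving where 48 comes from. A YAML comment on that line would make the expectation traceable, e.g. `count: 48  # 4 unknown_code + 42 unknown_type + 2 trunc_pkt`. The same applies to the first filter in tests/output-eve-anomaly/test.yaml, which uses the identical counts against the identical pcap. Whether the harness treats the three per-event filters as exhaustive of the pcap's anomalies is not visible here, so the comment should state only the arithmetic, not claim completeness.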
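Review bot: tests/output-eve-anomaly/test.yaml never asserts that the `packet` key is absent from the anomaly records, so it cannot distinguish the default (packethdr unset) output from the packethdr variant; a regression that dumped packet headers unconditionally would pass both tests. If the harness supports a negative key check, the first filter should carry one alongside `anomaly.type: packet`; otherwise a comment on that filter stating that the absence of `packet` is the property under test, e.g. `# packethdr is not enabled in suricata.yaml; records are expected without a packet header`, at least records the intent. Note also that this test's suricata.yaml (the preceding hunk) leaves `- anomaly:` with no sub-keys, so the default behaviour the test relies on presumably comes from the engine's built-in defaults rather than from anything in this config.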