From a9de21a4facf3e4413fd46d2dd0c7a53f38b0f96 Mon Sep 17 00:00:00 2001
From: Sascha Steinbiss
Date: Thu, 22 Sep 2022 16:11:19 +0200
Subject: [PATCH] add test for extended security ipopts

---
 tests/ipopts-esec/suricata.yaml | 9 +++++++++
 tests/ipopts-esec/test.pcap | Bin 0 -> 98 bytes
 tests/ipopts-esec/test.rules | 1 +
 tests/ipopts-esec/test.yaml | 21 +++++++++++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 tests/ipopts-esec/suricata.yaml
 create mode 100644 tests/ipopts-esec/test.pcap
 create mode 100644 tests/ipopts-esec/test.rules
 create mode 100644 tests/ipopts-esec/test.yaml

diff --git a/tests/ipopts-esec/suricata.yaml b/tests/ipopts-esec/suricata.yaml
new file mode 100644
index 000000000..4ac212a29
--- /dev/null
+++ b/tests/ipopts-esec/suricata.yaml
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert
+ - flow
diff --git a/tests/ipopts-esec/test.pcap b/tests/ipopts-esec/test.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d9c3c550653588d3ba65709760c46572358ca6bc
GIT binary patch
literal 98
zc-p&ic+)~A1{MYw`2U}Qfe}a>c any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)
\ No newline at end of file
diff --git a/tests/ipopts-esec/test.yaml b/tests/ipopts-esec/test.yaml
new file mode 100644
index 000000000..fa9912043
--- /dev/null
+++ b/tests/ipopts-esec/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ script:
+ - grep IPV4_OPT_ESEC src/decode-ipv4.h > /dev/null
+
+args:
+ - --set stream.midstream=true -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 42
+ alert.signature: "ESEC option set"
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ src_ip: "1.2.3.4"
+ dest_ip: "4.5.6.7"
--
2.47.2
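Review bot: The alert filter in test.yaml pins only `alert.signature_id: 42` and the message text, so it would also pass if the ESEC alert fired on some packet other than the 1.2.3.4 -> 4.5.6.7 flow the second check asserts; tying both checks to the same endpoints makes the test describe one packet rather than two unrelated events. Add `src_ip: "1.2.3.4"` and `dest_ip: "4.5.6.7"` under the alert check's `match:` alongside `event_type: alert`. The test also has no negative control: a second rule using a different ipopts value (for example `ipopts:sec`) expected with `count: 0` would show that the keyword distinguishes the extended-security option from its neighbours rather than matching any option-bearing IP header, though that requires extending test.rules and possibly the pcap. Because test.pcap is a binary patch here, whether the capture holds exactly one packet, and thus whether `count: 1` is a tight bound, cannot be confirmed from the diff.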