From de905c2410ad2d63ca33d7601c33e43a4e65efb8 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 18 Jan 2021 18:01:54 +0100
Subject: [PATCH] tests: add ERSPAN II test

---
 tests/decode-erspan-typeII-01/README.md | 4 ++
 tests/decode-erspan-typeII-01/input.pcap | Bin 0 -> 1679 bytes
 tests/decode-erspan-typeII-01/test.rules | 2 +
 tests/decode-erspan-typeII-01/test.yaml | 49 +++++++++++++++++++++++
 4 files changed, 55 insertions(+)
 create mode 100644 tests/decode-erspan-typeII-01/README.md
 create mode 100644 tests/decode-erspan-typeII-01/input.pcap
 create mode 100644 tests/decode-erspan-typeII-01/test.rules
 create mode 100644 tests/decode-erspan-typeII-01/test.yaml

diff --git a/tests/decode-erspan-typeII-01/README.md b/tests/decode-erspan-typeII-01/README.md
new file mode 100644
index 000000000..463b816b4
--- /dev/null
+++ b/tests/decode-erspan-typeII-01/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap found here https://www.cloudshark.org/captures/76ce4261df29
diff --git a/tests/decode-erspan-typeII-01/input.pcap b/tests/decode-erspan-typeII-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..100acd791364ea37ebd00defcb924db5bbc0b254
GIT binary patch
literal 1679
zc-rlg&ui0A9KgRXY1deS%prC#l;=Tcp=pz5t8Gt~E|cPZNHe?MN|t78U`oU>UynKwVf0$J5DVXjW!yMh)$UzdbJXDNL<~G z@Mo&Erfsg49URm{SV|`1LQIroyxhd@OQ_AdV^r#d-_j!_yizmQj1pEg2g{-`r`ZCD zmXawkL31j4%{E{J#yYoQQV&TK#XK-@h87Q@Hh2O6Ea`!(=Bl=AI*L;^Y|C(@NK7W0 zI1+aed~n)tSup;-h2R35>(8D5FKiQ+KV}%%As%=B any any (itype:0; sid:1;)
+alert icmp any any -> any any (itype:8; prefilter; sid:2;)
diff --git a/tests/decode-erspan-typeII-01/test.yaml b/tests/decode-erspan-typeII-01/test.yaml
new file mode 100644
index 000000000..36eaf2df2
--- /dev/null
+++ b/tests/decode-erspan-typeII-01/test.yaml
@@ -0,0 +1,49 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 23.0.0.3
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 244
+ flow.bytes_toserver: 244
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 2
+ flow.reason: shutdown
+ flow.state: established
+ icmp_code: 0
+ icmp_type: 8
+ proto: ICMP
+ response_icmp_code: 0
+ response_icmp_type: 0
+ src_ip: 23.0.0.2
+ vlan[0]: 23
+- filter:
+ count: 2
+ match:
+ dest_ip: 23.0.0.3
+ event_type: alert
+ icmp_code: 0
+ icmp_type: 8
+ proto: ICMP
+ src_ip: 23.0.0.2
+ vlan[0]: 23
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ dest_ip: 23.0.0.2
+ event_type: alert
+ icmp_code: 0
+ icmp_type: 0
+ proto: ICMP
+ src_ip: 23.0.0.3
+ vlan[0]: 23
+ alert.signature_id: 1
-- 
2.47.2
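Review bot: None of the three checks in test.yaml asserts the ERSPAN Type II decode path itself; they only pin the inner ICMP flow and the two alerts, so the test would still describe "ERSPAN II" while passing for any capture that happens to yield the same inner ICMP traffic with VLAN 23. If the decoder exposes a per-tunnel stats counter (Suricata registers these as `decoder.<proto>` counters), a fourth check such as `- stats:` / `decoder.erspan: <expected-packet-count>` would tie the expectations to the feature under test; the expected count has to be taken from the capture, which is not visible here. The `-k none` argument also deserves a one-line YAML comment, e.g. `# checksum validation off: <reason, to confirm against the capture>`, since a reader cannot tell from the file whether the inner checksums in the pcap are genuinely wrong or the flag is just habit.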