From f5097dbc12cf94e097acb0dac7f33a9121f55354 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Tue, 1 Apr 2025 16:02:31 +0530
Subject: [PATCH] flow: log elephant flow count and bool

Feature 5647
---
 tests/elephant-flow-tracking/README.md | 9 +++++++++
 tests/elephant-flow-tracking/suricata.yaml | 15 +++++++++++++++
 tests/elephant-flow-tracking/test.yaml | 15 +++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 tests/elephant-flow-tracking/README.md
 create mode 100644 tests/elephant-flow-tracking/suricata.yaml
 create mode 100644 tests/elephant-flow-tracking/test.yaml

diff --git a/tests/elephant-flow-tracking/README.md b/tests/elephant-flow-tracking/README.md
new file mode 100644
index 000000000..eff8dcc97
--- /dev/null
+++ b/tests/elephant-flow-tracking/README.md
@@ -0,0 +1,9 @@
+Test Description
+================
+
+Test to show the output logged in case of elephant flow detected.
+
+Redmine Ticket
+==============
+
+https://redmine.openinfosecfoundation.org/issues/5647
diff --git a/tests/elephant-flow-tracking/suricata.yaml b/tests/elephant-flow-tracking/suricata.yaml
new file mode 100644
index 000000000..201593c8d
--- /dev/null
+++ b/tests/elephant-flow-tracking/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+flow:
+  rate-tracking:
+    bytes: 10KiB
+    interval: 10
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filename: eve.json
+      types:
+        - flow
+        - stats
diff --git a/tests/elephant-flow-tracking/test.yaml b/tests/elephant-flow-tracking/test.yaml
new file mode 100644
index 000000000..b95c4ebf5
--- /dev/null
+++ b/tests/elephant-flow-tracking/test.yaml
@@ -0,0 +1,15 @@
+pcap: ../tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap
+
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        stats.flow.elephant: 1
+
+  - filter:
+      count: 1
+      match:
+        flow.elephant: true
-- 
2.47.2
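Review bot: The `rate-tracking` block in suricata.yaml sets `bytes: 10KiB` and `interval: 10` with no explanation, so a reader cannot tell that the threshold was chosen deliberately low so the referenced pcap crosses it, nor what unit `interval` is in. Add a comment above `rate-tracking:` such as `# Deliberately small threshold so the test pcap (name suggests ~66k bytes) is classified as an elephant flow; interval unit per the flow docs — confirm` so a later "tidy-up" to a realistic value does not silently turn the positive check into a failure. The pcap size is inferred from its file name only and should be verified.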
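Review bot: test.yaml reuses a pcap from a sibling test (`../tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap`), so renaming or removing that directory breaks this test with no local change to explain it; either copy the pcap into this directory or record the dependency in the README. The two checks assert only the positive case (`stats.flow.elephant: 1` and `flow.elephant: true`), so a regression that flagged every flow as an elephant would still pass; a companion configuration with the threshold above the pcap size, asserting `flow.elephant: false`, would pin the detector in both directions. Neither filter names an `event_type`, which works today because only the flow and stats loggers are enabled, but a comment saying so would keep a future output addition from silently changing what the `flow.elephant` match counts.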