From f8605e37ffb0bdc6f2a79a2660d594158c15b8d6 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 1 Aug 2019 21:29:12 +0200
Subject: [PATCH] tests: basic geoip test

The tests are done by using a local database generated via the geoip.pl Perl script. The obtained maxmindb test.mmdb and it only contains 2 entries.
---
tests/geoip/geoip.pl | 60 ++++++++++++++++++++++++++++++++++++++
tests/geoip/input.pcap | 1 +
tests/geoip/suricata.yaml | 13 +++++++++
tests/geoip/test.mmdb | Bin 0 -> 1411 bytes
tests/geoip/test.rules | 2 ++
tests/geoip/test.yaml | 19 ++++++++++++
6 files changed, 95 insertions(+)
create mode 100644 tests/geoip/geoip.pl
create mode 120000 tests/geoip/input.pcap
create mode 100644 tests/geoip/suricata.yaml
create mode 100644 tests/geoip/test.mmdb
create mode 100644 tests/geoip/test.rules
create mode 100644 tests/geoip/test.yaml
diff --git a/tests/geoip/geoip.pl b/tests/geoip/geoip.pl
new file mode 100644
index 000000000..39fe33ae1
--- /dev/null
+++ b/tests/geoip/geoip.pl
@@ -0,0 +1,60 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+use feature qw( say );
+
+use MaxMind::DB::Writer::Tree;
+
+my $filename = 'test.mmdb';
+
+# Your top level data structure will always be a map (hash). The MMDB format
+# is strongly typed. Describe your data types here.
+# See https://metacpan.org/pod/MaxMind::DB::Writer::Tree#DATA-TYPES
+
+my %types = (
+ country => 'map',
+ iso_code => 'utf8_string',
+ name => 'utf8_string',
+);
+
+my $tree = MaxMind::DB::Writer::Tree->new(
+
+ # "database_type" is some arbitrary string describing the database. At
+ # MaxMind we use strings like 'GeoIP2-City', 'GeoIP2-Country', etc.
+ database_type => 'GeoIP2-Country',
+
+ # "description" is a hashref where the keys are language names and the
+ # values are descriptions of the database in that language.
+ description =>
+ { en => 'Test IP data', },
+
+ # "ip_version" can be either 4 or 6
+ ip_version => 4,
+
+ # add a callback to validate data going in to the database
+ map_key_type_callback => sub { $types{ $_[0] } },
+
+ # "record_size" is the record size in bits. Either 24, 28 or 32.
+ record_size => 24,
+);
+
+my %ips_list = (
+ '123.125.71.29/32' => {
+ country => { name => 'France', iso_code => 'FR' }
+ },
+ '82.165.177.154/32' => {
+ country => { name => 'Germany', iso_code => 'DE' }
+ },
+);
+
+for my $network ( keys %ips_list ) {
+ $tree->insert_network( $network, $ips_list{$network} );
+}
+
+# Write the database to disk.
+open my $fh, '>:raw', $filename;
+$tree->write_tree( $fh );
+close $fh;
+
+say "$filename has now been created";
diff --git a/tests/geoip/input.pcap b/tests/geoip/input.pcap
new file mode 120000
index 000000000..39fbe323b
--- /dev/null
+++ b/tests/geoip/input.pcap
@@ -0,0 +1 @@
+../alert-testmyids/input.pcap
\ No newline at end of file
diff --git a/tests/geoip/suricata.yaml b/tests/geoip/suricata.yaml
new file mode 100644
index 000000000..bb6900103
--- /dev/null
+++ b/tests/geoip/suricata.yaml
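Review bot: `open my $fh, '>:raw', $filename;` near the end of the hunk is unchecked and so is `close $fh;`, so a failed or partially flushed write of test.mmdb still ends with the "has now been created" message, and the truncated file would only show up later as an obscure database load failure in the test that consumes it. Check both: `open my $fh, '>:raw', $filename or die "open $filename: $!";` and `close $fh or die "close $filename: $!";` (or add `use autodie;` next to the other pragmas, which covers both). The script also never records that the checked-in binary is its output; a header comment such as `# Regenerates tests/geoip/test.mmdb; commit the new file whenever %ips_list changes.` would tie the fixture to its generator. Iterating `keys %ips_list` in hash order is fine here since the tree content does not depend on insertion order, but that is worth a one-line comment too.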
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+geoip-database: ./test.mmdb
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+
diff --git a/tests/geoip/test.mmdb b/tests/geoip/test.mmdb
new file mode 100644
index 0000000000000000000000000000000000000000..02ad86964cdc0affedce4d7aeccf61b09213bffa
GIT binary patch
literal 1411 zc-m#rXIIl;7{>7ntPA%-+;vY-ac?cqQc4jKCt^(707076v_*;=_ud;7+=_co&hZ22 zcYt@k^7sv`7w1;0JvqPg@BKVUlN3k-3V>vw8_)r025ht=&;{tk?o8W`t`aE{-GPaW z9zah_%jG%T|9Z5$4qZwmlK9-IH H#>->^@QpDEm%Z<^Pki!UzY=ZMj^05hDE?ipcE*U$tt>$8;k~-G}4>EEt%Y=cYwQ$dosTd zJZN{RCW%M%G4O=(ls==+=?nUjzM`+`8@a+;`i{N_J}^GgPyfC7#7~RMZ$^!X6>H7a z!=~al1DYc{C)-ein#-kGLDh)0*ppiADGq0mJ=N*7RKu?|ef{B8YrMJ<$ncxN?}27{HYW^=a*)WrTI-OpoH~WtugHvMCUpv literal 0 Hc-jL100001
diff --git a/tests/geoip/test.rules b/tests/geoip/test.rules
new file mode 100644
index 000000000..213a09165
--- /dev/null
+++ b/tests/geoip/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"French IP"; flow:established,to_server; geoip:dst,FR; sid:1; rev:1; flowbits:isnotset,french; flowbits:set,french;)
+alert tcp any any -> any any (msg:"German IP"; flow:established,to_server; geoip: dst,DE; sid:2; rev:1; flowbits:isnotset,german; flowbits:set,german;)
diff --git a/tests/geoip/test.yaml b/tests/geoip/test.yaml
new file mode 100644
index 000000000..08bc83c35
--- /dev/null
+++ b/tests/geoip/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - GeoIP2
+
+checks:
+
+ # Check that we only have one alert event type in eve.
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+
+ # Check alert is the good one
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
-- 
2.47.2
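Review bot: `geoip-database: ./test.mmdb` is a relative path with nothing in the file saying what it is relative to or where the file comes from; whether Suricata resolves it against the process working directory or the directory of the config is not visible here, so the test presumably relies on the runner starting Suricata inside tests/geoip. A comment above the key would make both the fixture's provenance and that assumption explicit: `# Two-entry country DB generated by geoip.pl in this directory (path presumably resolved from the runner's cwd); regenerate and commit after editing that script.` Since the rest of the config is only an eve alert output, that one line is the whole point of this file and deserves the explanation.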
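Review bot: the second rule writes `geoip: dst,DE` with a space after the keyword while the first writes `geoip:dst,FR`; test.yaml expecting sid 2 to fire suggests the parser tolerates the space, but it reads as a typo and should be normalised to `geoip:dst,DE;` so the two rules differ only in their country. Both rules carry `flowbits:isnotset,…; flowbits:set,…`, which presumably limits each to a single alert per flow so the eve count can be pinned at 1; a comment line above the rules stating that, e.g. `# flowbits: fire at most once per flow so the eve alert count stays at 1`, would save the next reader from reverse-engineering it. Which rule is expected to match depends entirely on the addresses inside the symlinked alert-testmyids pcap, which this change does not show.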
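Review bot: the comment `# Check alert is the good one` under-documents what the second filter pins: together with the `count: 1` on `event_type: alert` above it, it asserts that the only alert is the German-IP rule (sid 2) and therefore that the French rule (sid 1) did not fire. A more specific comment would be `# Exactly one alert, and it is the German-IP rule (sid 2); the FR rule (sid 1) must not fire.` Whether sid 1 is actually exercised as a negative case depends on the shared pcap containing traffic to 123.125.71.29, which cannot be confirmed from this diff; if it does not, the count check shows the DE lookup works but says nothing about a non-matching country.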