From 0d623471919191368bbcf27aa0a3c2a8289623d8 Mon Sep 17 00:00:00 2001
From: Yatin Kanetkar
Date: Thu, 24 Aug 2023 07:11:23 -0500
Subject: [PATCH] dhcp: Validate dhcp option 60 is being logged
---
 tests/dhcp-eve-extended-option-60/README.md | 11 +++++
 tests/dhcp-eve-extended-option-60/input.pcap | Bin 0 -> 396 bytes
 .../dhcp-eve-extended-option-60/suricata.yaml | 12 ++++++
 tests/dhcp-eve-extended-option-60/test.yaml | 38 ++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 tests/dhcp-eve-extended-option-60/README.md
 create mode 100644 tests/dhcp-eve-extended-option-60/input.pcap
 create mode 100644 tests/dhcp-eve-extended-option-60/suricata.yaml
 create mode 100644 tests/dhcp-eve-extended-option-60/test.yaml
diff --git a/tests/dhcp-eve-extended-option-60/README.md b/tests/dhcp-eve-extended-option-60/README.md
new file mode 100644
index 000000000..7e01dc5e2
--- /dev/null
+++ b/tests/dhcp-eve-extended-option-60/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Validate that dhcp option 60 (vendor class identifier) is being logged by suricata
+
+## PCAP
+
+Extracted a single packet from a pcap that had the vendor-class-id option present
+
+## Related issues
+[Feature 4587](https://redmine.openinfosecfoundation.org/issues/4587)
+
diff --git a/tests/dhcp-eve-extended-option-60/input.pcap b/tests/dhcp-eve-extended-option-60/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c11b5708417603e58e6f46a9f5dbfa8c23da3411
GIT binary patch literal 396 zc-p&ic+)~A1{MYcU}0bclGmlXf_7eKW=H{YK=?lxXq>-wr?-rQ!IgnAjOQc+LxZ5s zd5|8E9D@skGozEzQbtBLh6ggoB^a;(h<=7)1CpD9lT8_!ZP^(iJ~LuDu!1q4hsQ57 tIlI_5G1)0UKRb{gs1RAehQl}5Ekwao&%m6Ak)N4OM^9f~vGS+(e*oz;Hdz1w literal 0 Hc-jL100001
diff --git a/tests/dhcp-eve-extended-option-60/suricata.yaml b/tests/dhcp-eve-extended-option-60/suricata.yaml
new file mode 100644
index 000000000..cba2138a3
--- /dev/null
+++ b/tests/dhcp-eve-extended-option-60/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ filename: eve.json
+ types:
+ - alert
+ - dhcp:
+ extended: true
+ - flow
diff --git a/tests/dhcp-eve-extended-option-60/test.yaml b/tests/dhcp-eve-extended-option-60/test.yaml
new file mode 100644
index 000000000..b875a1970
--- /dev/null
+++ b/tests/dhcp-eve-extended-option-60/test.yaml
@@ -0,0 +1,38 @@
+requires:
+ min-version: 7
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_port: 67
+ dhcp.id: 3759982360
+ dhcp.params[0]: subnet_mask
+ dhcp.params[1]: domain
+ dhcp.params[2]: router
+ dhcp.params[3]: dns_server
+ dhcp.type: request
+ dhcp.vendor_class_identifier: MSFT 5.0
+ event_type: dhcp
+ pcap_cnt: 1
+ proto: UDP
+ src_ip: 0.0.0.0
+ src_port: 68
+- filter:
+ count: 1
+ match:
+ app_proto: dhcp
+ dest_ip: 255.255.255.255
+ dest_port: 67
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 356
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: new
+ proto: UDP
+ src_ip: 0.0.0.0
+ src_port: 68
-- 
2.47.2
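Review bot: The fixture turns on `extended: true` for the dhcp logger, so the series only shows that option 60 reaches eve.json in extended mode; nothing pins whether the field is (presumably by design, given the directory name) absent from the compact record. If the vendor class identifier is meant to be extended-only, a sibling test with `extended: false` and a `count: 0` filter on `dhcp.vendor_class_identifier` would document that gating and catch the field leaking into default output. The `- alert` output type is listed although no rule file is configured in this fixture; it is harmless but could be dropped to keep the configuration minimal.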
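Review bot: The only value of `dhcp.vendor_class_identifier` exercised is the short printable string `MSFT 5.0`, while option 60 is a client-supplied byte string that a rogue DHCP client fully controls. A second capture carrying non-UTF-8 or control bytes in that option would pin how the logger escapes (or drops) such content before it lands in eve.json, which matters for any downstream consumer that parses the log. The flow check also pins `flow.age: 0` and `flow.reason: shutdown`, which look like incidental properties of a one-packet capture rather than of the feature under test; dropping them would keep the test focused on the option-60 field and less likely to break on unrelated timing changes.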