From 1e61ec90f06b947e926b8f1c2cb715234259d70e Mon Sep 17 00:00:00 2001
From: Giuseppe Longo <giuseppe@glongo.it>
Date: Mon, 4 Mar 2024 13:27:34 +0100
Subject: [PATCH] arp: add tests

---
 tests/decode-arp-2/README.md      |   1 +
 tests/decode-arp-2/arp.pcap       | Bin 0 -> 520 bytes
 tests/decode-arp-2/suricata.yaml  |  12 ++++++++++
 tests/decode-arp-2/test.yaml      |  35 ++++++++++++++++++++++++++++++
 tests/decode-arp-3/README.md      |  14 ++++++++++++
 tests/decode-arp-3/arp-encap.pcap | Bin 0 -> 110 bytes
 tests/decode-arp-3/suricata.yaml  |  12 ++++++++++
 tests/decode-arp-3/test.yaml      |  18 +++++++++++++++
 8 files changed, 92 insertions(+)
 create mode 100644 tests/decode-arp-2/README.md
 create mode 100644 tests/decode-arp-2/arp.pcap
 create mode 100644 tests/decode-arp-2/suricata.yaml
 create mode 100644 tests/decode-arp-2/test.yaml
 create mode 100644 tests/decode-arp-3/README.md
 create mode 100644 tests/decode-arp-3/arp-encap.pcap
 create mode 100644 tests/decode-arp-3/suricata.yaml
 create mode 100644 tests/decode-arp-3/test.yaml

diff --git a/tests/decode-arp-2/README.md b/tests/decode-arp-2/README.md
new file mode 100644
index 000000000..aec1316eb
--- /dev/null
+++ b/tests/decode-arp-2/README.md
@@ -0,0 +1 @@
+PCAP from https://www.cloudshark.org/captures/e4d6ea732135/export
diff --git a/tests/decode-arp-2/arp.pcap b/tests/decode-arp-2/arp.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c15ef60a25bcb7635cca6b02747828311cb86549
GIT binary patch
literal 520
zc-p&ic+)~A1{MYw`2U}Qfe}bA`7tk`^)n}f4UlaE76$<asq7q{GaPITj2sMXEI@@|
zJ{K1k6GS(V#mImGKxQolnxzF~gD^xFgDmHVNvq*zF+uoX6X2$Tbk=?4WJm&P0%3?6
zs4Ey;85lws7#tWJ7=<Q-RD<+#FwCu1n9RV~@qJ!^>{2cU4o)s^9$r3v0YM>Q5m7O5
z2}vnw8Cf}b1w|!g6;(BL4NWa=9bG+r14AQY6H_yDkc~5tZA5k}*v7SaKsy<is(@^R
q_<SivHm(HP82Obz=rAIM4lJaZKsw{TBjN}pbP(Z+h$A#JkO2UW*kxM)

literal 0
Hc-jL100001

diff --git a/tests/decode-arp-2/suricata.yaml b/tests/decode-arp-2/suricata.yaml
new file mode 100644
index 000000000..183f2e999
--- /dev/null
+++ b/tests/decode-arp-2/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - arp:
+            enabled: yes
+
diff --git a/tests/decode-arp-2/test.yaml b/tests/decode-arp-2/test.yaml
new file mode 100644
index 000000000..10a2c2732
--- /dev/null
+++ b/tests/decode-arp-2/test.yaml
@@ -0,0 +1,35 @@
+requires:
+    min-version: 8
+
+pcap: arp.pcap
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: arp
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        pcap_cnt: 5
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: request
+        arp.src_mac: 00:1d:09:f0:92:ab
+        arp.src_ip: 10.10.10.1
+        arp.dest_mac: 00:00:00:00:00:00
+        arp.dest_ip: 10.10.10.2
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        pcap_cnt: 6
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: reply
+        arp.src_mac: 00:1a:6b:6c:0c:cc
+        arp.src_ip: 10.10.10.2
+        arp.dest_mac: 00:1d:09:f0:92:ab
+        arp.dest_ip: 10.10.10.1
+
diff --git a/tests/decode-arp-3/README.md b/tests/decode-arp-3/README.md
new file mode 100644
index 000000000..b3e4740c3
--- /dev/null
+++ b/tests/decode-arp-3/README.md
@@ -0,0 +1,14 @@
+Decode ARP packet over GRE.
+
+PCAP made with the following scapy script:
+
+```
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/GRE()/ARP()
+
+wrpcap('arp-encap.pcap', pkts)
+```
diff --git a/tests/decode-arp-3/arp-encap.pcap b/tests/decode-arp-3/arp-encap.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..2ec6dc9101524d9c2121f250a014290e97e0480d
GIT binary patch
literal 110
zc-p&ic+)~A1{MYw`2U}Qfe}b6GyF)^vSej&1F}Jwm4%rJD9*^l%);8pz`(}A;L5;Y
q0#fRrUow>u2$+C?fq{dKfsuoOjfH`64|7D+)l&ynFv`FUX8-_>8xF<*

literal 0
Hc-jL100001

diff --git a/tests/decode-arp-3/suricata.yaml b/tests/decode-arp-3/suricata.yaml
new file mode 100644
index 000000000..183f2e999
--- /dev/null
+++ b/tests/decode-arp-3/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - arp:
+            enabled: yes
+
diff --git a/tests/decode-arp-3/test.yaml b/tests/decode-arp-3/test.yaml
new file mode 100644
index 000000000..c03b553a4
--- /dev/null
+++ b/tests/decode-arp-3/test.yaml
@@ -0,0 +1,18 @@
+pcap: arp-encap.pcap
+
+requires:
+    min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: request
+        arp.src_mac: bc:03:58:5a:d5:ca
+        arp.src_ip: 192.168.1.28
+        arp.dest_mac: 00:00:00:00:00:00
+        arp.dest_ip: 0.0.0.0
+
-- 
2.47.2