From 5e1ebc09e41d0c55b8436fb1e6cf15745837fcde Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 21 May 2024 09:51:01 +0200
Subject: [PATCH] tests: add pcap logging tests
---
tests/pcap-log-uncompressed-01/README.md | 1 +
tests/pcap-log-uncompressed-01/suricata.yaml | 22 +++++++++++++++++++
tests/pcap-log-uncompressed-01/test.yaml | 12 ++++++++++
.../pcap-log-uncompressed-02-multi/README.md | 1 +
.../suricata.yaml | 22 +++++++++++++++++++
.../pcap-log-uncompressed-02-multi/test.yaml | 12 ++++++++++
6 files changed, 70 insertions(+)
create mode 100644 tests/pcap-log-uncompressed-01/README.md
create mode 100644 tests/pcap-log-uncompressed-01/suricata.yaml
create mode 100644 tests/pcap-log-uncompressed-01/test.yaml
create mode 100644 tests/pcap-log-uncompressed-02-multi/README.md
create mode 100644 tests/pcap-log-uncompressed-02-multi/suricata.yaml
create mode 100644 tests/pcap-log-uncompressed-02-multi/test.yaml
diff --git a/tests/pcap-log-uncompressed-01/README.md b/tests/pcap-log-uncompressed-01/README.md
new file mode 100644
index 000000000..87ab1ba45
--- /dev/null
+++ b/tests/pcap-log-uncompressed-01/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 3 uncompressed pcap files.
diff --git a/tests/pcap-log-uncompressed-01/suricata.yaml b/tests/pcap-log-uncompressed-01/suricata.yaml
new file mode 100644
index 000000000..46f108476
--- /dev/null
+++ b/tests/pcap-log-uncompressed-01/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap
+ compression: none
+ mode: normal
+ limit: 4mb
+ ts-format: usec
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
diff --git a/tests/pcap-log-uncompressed-01/test.yaml b/tests/pcap-log-uncompressed-01/test.yaml
new file mode 100644
index 000000000..72ec392ff
--- /dev/null
+++ b/tests/pcap-log-uncompressed-01/test.yaml
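Review bot: The comment above `logging:` in tests/pcap-log-uncompressed-01/suricata.yaml misspells "engine" and promises a verification that no check in this test performs, since the accompanying test.yaml only counts pcap files. The file output also names the engine log `eve.json`, which is the conventional name of the EVE event output, so someone triaging a failed run will open it expecting events. I would rename the file or drop that output, and reword the comment to something like `# Write the engine log as JSON; not checked by this test.` The same lines are repeated in tests/pcap-log-uncompressed-02-multi/suricata.yaml.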
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - shell:
+ args: find . -type f -name 'log.pcap.1523389*.*' | wc -l | xargs
+ expect: 3
diff --git a/tests/pcap-log-uncompressed-02-multi/README.md b/tests/pcap-log-uncompressed-02-multi/README.md
new file mode 100644
index 000000000..e87bbfd50
--- /dev/null
+++ b/tests/pcap-log-uncompressed-02-multi/README.md
@@ -0,0 +1 @@
+Test that Suricata will write 3 uncompressed pcap files in multi mode.
diff --git a/tests/pcap-log-uncompressed-02-multi/suricata.yaml b/tests/pcap-log-uncompressed-02-multi/suricata.yaml
new file mode 100644
index 000000000..99dba944d
--- /dev/null
+++ b/tests/pcap-log-uncompressed-02-multi/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+ - pcap-log:
+ enabled: yes
+ filename: log.pcap.%n-%t-%i
+ compression: none
+ mode: multi
+ limit: 4mb
+ ts-format: usec
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: perf
+ filename: eve.json
+ type: json
diff --git a/tests/pcap-log-uncompressed-02-multi/test.yaml b/tests/pcap-log-uncompressed-02-multi/test.yaml
new file mode 100644
index 000000000..9d081028d
--- /dev/null
+++ b/tests/pcap-log-uncompressed-02-multi/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - shell:
+ args: find . -type f -name 'log.pcap.1-1523389*.*-*' | wc -l | xargs
+ expect: 3
--
2.47.2
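Review bot: The shell check in tests/pcap-log-uncompressed-01/test.yaml counts file names only, so it would still pass if the three outputs were compressed, empty or truncated. The trailing `*.*` in `'log.pcap.1523389*.*'` also matches a name that carries a further suffix after the timestamp. Since the test exists to pin `compression: none`, I would add a second check on the exact name shape or the file content, so that a regression in what is written to disk fails the test and not only a regression in how many files appear. The prefix `1523389` and the count of 3 presumably follow from the timestamps and size of `../bug-2482-01/proxyCONNECT_443.pcap` combined with `limit: 4mb`; a comment such as `# 1523389* = capture epoch prefix; 3 files = pcap size / 4mb limit` would record that dependency. The same applies to the check in tests/pcap-log-uncompressed-02-multi/test.yaml.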
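Review bot: `--runmode=single` in tests/pcap-log-uncompressed-02-multi/test.yaml presumably leaves `mode: multi` with a single packet thread, which is why the check pattern can hard-code `log.pcap.1-`. The per-thread file split that separates multi from normal mode is then never exercised, and this test differs from pcap-log-uncompressed-01 mainly in the filename template. If that is a deliberate choice for deterministic output, state it next to the argument, e.g. `# single runmode: one thread, so every file name starts with thread number 1`. Otherwise it may be worth a follow-up test with more than one thread and a pattern that does not fix the thread number.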