From 412cba2d4ab8ec0213154201a9582d9e7ddfad90 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Thu, 2 Jul 2020 11:19:14 -0600 Subject: [PATCH] new test: netflow-eve: basic check of netflow records --- tests/netflow-eve/input.pcap | Bin 0 -> 1104 bytes tests/netflow-eve/suricata.yaml | 7 +++++ tests/netflow-eve/test.yaml | 45 ++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100644 tests/netflow-eve/input.pcap create mode 100644 tests/netflow-eve/suricata.yaml create mode 100644 tests/netflow-eve/test.yaml diff --git a/tests/netflow-eve/input.pcap b/tests/netflow-eve/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..868c57e59394515e398bfe1c893685a57ee9c2db GIT binary patch literal 1104 zc-noEO-vI(7>2(s6>!MLVxn@Ka6)9;-K9TtsfL35gtA)c8skB9-7amF?l!xN*rO*B zJ@^w(kf21-3rPG4#)~9+G||L(@M0ng;Y7TUcy(qs4cIi@#a`@P>jzFPEw zAND>!Fyw#d&+vu!Py8@S*0kWrF}CsV_fNNX7KfT)5FjD{?1R3>AGc6|X&GO7Ik%R8 z^q1?G=w*29vjQL90{Hv~-uQjZD9{ktpnayHp^1{eK5K$gWKYXudVH761N4E|7&j=D z(jmQ;SlwNoBXnQs@KW~fx<{_ijy`XKC?Q2_>FkgOcJd2W=rk6;wGt|i<7ExIjpCU*QMTuHgb!;c8Rpa3*tLBNc zOgg}%E@vuZrL30M2;yWww5nOmiS2&MI>*;!wK1v9g8-GsVUg$Y*%XUTtBx+=A*;}Z z#Tb^=GC2{Vn2$=4s3Zt@SXNk+(XAW0CE;XA)$%%v##GzkWHVcsEa+JY%cjwVg$N#1 z4a$vSv720#A`$QQprYm^+%EJ8T2DBxa$<}Ni!niqObV(N*7){{Z``nY_D(e3CrolxE>PEog~3)z!=hh>`1ah%(~w#@00UD>)r z;fRrS68GE9%7dz`WL9@q7D(cDCSG{scvqjY=~C|3q_h&sibpxL&ejXafEy6;|Dmod i5R#H^Wl|Go_6MYwu<9txBllg)0RI4S^+V?X literal 0 Hc-jL100001 diff --git a/tests/netflow-eve/suricata.yaml b/tests/netflow-eve/suricata.yaml new file mode 100644 index 000000000..cc3aa143f --- /dev/null +++ b/tests/netflow-eve/suricata.yaml @@ -0,0 +1,7 @@ +%YAML 1.1 +--- +outputs: + - eve-log: + enabled: true + types: + - netflow diff --git a/tests/netflow-eve/test.yaml b/tests/netflow-eve/test.yaml new file mode 100644 index 000000000..3f9ba5a15 --- /dev/null +++ b/tests/netflow-eve/test.yaml 
@@ -0,0 +1,45 @@ +checks: +- filter: + count: 1 + match: + app_proto: http + dest_ip: 82.165.177.154 + dest_port: 80 + event_type: netflow + netflow.age: 0 + netflow.bytes: 425 + netflow.end: 2016-05-27T06:56:11.900923+0000 + netflow.max_ttl: 64 + netflow.min_ttl: 64 + netflow.pkts: 6 + netflow.start: 2016-05-27T06:56:11.304062+0000 + proto: TCP + src_ip: 10.16.1.11 + src_port: 46652 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.syn: true + tcp.tcp_flags: 1b +- filter: + count: 1 + match: + app_proto: http + dest_ip: 10.16.1.11 + dest_port: 46652 + event_type: netflow + netflow.age: 0 + netflow.bytes: 495 + netflow.end: 2016-05-27T06:56:11.900923+0000 + netflow.max_ttl: 50 + netflow.min_ttl: 50 + netflow.pkts: 4 + netflow.start: 2016-05-27T06:56:11.304062+0000 + proto: TCP + src_ip: 82.165.177.154 + src_port: 80 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.syn: true + tcp.tcp_flags: 1b -- 2.47.2
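Review bot: The `netflow.start` and `netflow.end` values in both filters are plain scalars shaped like ISO-8601 timestamps, so whether they stay strings or are resolved to datetime objects depends on the loader's implicit typing rather than on what the test means to compare; the `+0000` offset happens to fall outside PyYAML's timestamp pattern, but that is an accident rather than a guarantee. Quote them so the match against the EVE JSON string is unambiguous, e.g. `netflow.end: "2016-05-27T06:56:11.900923+0000"` and `netflow.start: "2016-05-27T06:56:11.304062+0000"`, in the second filter as well. The same applies to `tcp.tcp_flags: 1b`, which reads as a hex-looking token and is clearer as `tcp.tcp_flags: "1b"`. The indentation of these lines is collapsed in this rendering of the patch, so I cannot confirm that the keys nest under `match:` as intended.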