From eea84d2d4b7bdd830b52f915f68b2ff65caef3f7 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Sun, 2 Aug 2020 18:49:42 +0200
Subject: [PATCH] tests/eve-alert-verbose: introduce test

Introduce test on alert verbosity change.
---
 tests/eve-alert-verbose/suricata.yaml | 31 +++++++++++++++++++++++++
 tests/eve-alert-verbose/test.rules | 5 ++++
 tests/eve-alert-verbose/test.yaml | 20 ++++++++++++++++
 tests/eve-alert-verbose/testmyids.pcap | Bin 0 -> 1104 bytes
 4 files changed, 56 insertions(+)
 create mode 100644 tests/eve-alert-verbose/suricata.yaml
 create mode 100644 tests/eve-alert-verbose/test.rules
 create mode 100644 tests/eve-alert-verbose/test.yaml
 create mode 100644 tests/eve-alert-verbose/testmyids.pcap

diff --git a/tests/eve-alert-verbose/suricata.yaml b/tests/eve-alert-verbose/suricata.yaml
new file mode 100644
index 000000000..49392f531
--- /dev/null
+++ b/tests/eve-alert-verbose/suricata.yaml
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ full-logging-for-alerted-flows: printable
+
+ types:
+ - alert:
+ http-headers: yes
+ - http:
+ extended: yes
+ - dns:
+ query: yes # enable logging of DNS queries
+ answer: yes # enable logging of DNS answers
+ - tls:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ - smtp:
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ - flow
+ - netflow
+ - metadata
diff --git a/tests/eve-alert-verbose/test.rules b/tests/eve-alert-verbose/test.rules
new file mode 100644
index 000000000..0789cd5a0
--- /dev/null
+++ b/tests/eve-alert-verbose/test.rules
@@ -0,0 +1,5 @@
+# Silly rule to set the flowbit "traffic/label/cli-http" on
+# the curl user-agent.
+alert http any any -> any any (msg:"TEST"; \
+ http.user_agent; content:"curl"; \
+ sid:1; rev:1;)
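Review bot: Nothing in this fixture says which setting the test is about; `full-logging-for-alerted-flows: printable` and `http-headers: yes` under `alert` appear, going by the commit title, to be the verbosity change under test, yet they sit unmarked among output types (dns, tls, files, smtp, ssh, stats, flow, netflow, metadata) that no check in test.yaml reads. I would trim `types` to `alert` and `http` so the config states its intent, or at least annotate the line under test: `full-logging-for-alerted-flows: printable # option under test; test.yaml expects the alert event to carry flow and http headers`. The extra outputs also make eve.json larger than the two filters need, which slows down the failure case when someone has to read it.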
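Review bot: The header comment describes a flowbit that the rule never sets: there is no `flowbits:` keyword in the rule body, which only alerts when `http.user_agent` contains `curl`. The comment reads as copied from another test and would mislead the next person editing this file; replace it with what the rule actually does, e.g. `# Alert on the curl user-agent so the pcap yields one HTTP alert for the checks in test.yaml.`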
diff --git a/tests/eve-alert-verbose/test.yaml b/tests/eve-alert-verbose/test.yaml
new file mode 100644
index 000000000..b7baee94b
--- /dev/null
+++ b/tests/eve-alert-verbose/test.yaml
@@ -0,0 +1,20 @@
+requires:
+
+ script:
+ - grep "http-headers" suricata.yaml.in > /dev/null
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ has-key: flow
+ has-key: http.response_headers
+ has-key: http.request_headers
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ has-key: http.response_headers
+ has-key: http.request_headers
diff --git a/tests/eve-alert-verbose/testmyids.pcap b/tests/eve-alert-verbose/testmyids.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..868c57e59394515e398bfe1c893685a57ee9c2db
GIT binary patch
literal 1104
zc-noEO-vI(7>2(s6>!MLVxn@Ka6)9;-K9TtsfL35gtA)c8skB9-7amF?l!xN*rO*B zJ@^w(kf21-3rPG4#)~9+G||L(@M0ng;Y7TUcy(qs4cIi@#a`@P>jzFPEw zAND>!Fyw#d&+vu!Py8@S*0kWrF}CsV_fNNX7KfT)5FjD{?1R3>AGc6|X&GO7Ik%R8 z^q1?G=w*29vjQL90{Hv~-uQjZD9{ktpnayHp^1{eK5K$gWKYXudVH761N4E|7&j=D z(jmQ;SlwNoBXnQs@KW~fx<{_ijy`XKC?Q2_>FkgOcJd2W=rk6;wGt|i<7ExIjpCU*QMTuHgb!;c8Rpa3*tLBNc zOgg}%E@vuZrL30M2;yWww5nOmiS2&MI>*;!wK1v9g8-GsVUg$Y*%XUTtBx+=A*;}Z z#Tb^=GC2{Vn2$=4s3Zt@SXNk+(XAW0CE;XA)$%%v##GzkWHVcsEa+JY%cjwVg$N#1 z4a$vSv720#A`$QQprYm^+%EJ8T2DBxa$<}Ni!niqObV(N*7){{Z``nY_D(e3CrolxE>PEog~3)z!=hh>`1ah%(~w#@00UD>)r z;fRrS68GE9%7dz`WL9@q7D(cDCSG{scvqjY=~C|3q_h&sibpxL&ejXafEy6;|Dmod i5R#H^Wl|Go_6MYwu<9txBllg)0RI4S^+V?X
literal 0
Hc-jL100001
-- 
2.47.2
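Review bot: The three `has-key` lines under the alert filter's `match:` are duplicate keys in a single YAML mapping, so a PyYAML-style loader (which I would expect the test harness to use; worth confirming) silently keeps only the last one and `has-key: flow` and `has-key: http.response_headers` are never checked; the http filter has the same problem with its two `has-key` lines. Splitting each key into its own filter makes every check actually run, and a failing count then names the missing key. The `requires: script` grep only proves the option exists in suricata.yaml.in, which is a fine guard but deserves a line saying so, e.g. `# only run where the default config knows alert http-headers`.
```yaml
checks:

  - filter:
      count: 1
      match:
        event_type: alert
        has-key: flow
  - filter:
      count: 1
      match:
        event_type: alert
        has-key: http.response_headers
  - filter:
      count: 1
      match:
        event_type: alert
        has-key: http.request_headers
  # … same split for the event_type: http filter, one has-key per filter …
```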