tests: add test for bpf in pcap multi logging (issue 8002) 2698/head
authorVictor Julien <victor@inliniac.net>
Thu, 16 Oct 2025 11:44:57 +0000 (13:44 +0200)
committerVictor Julien <victor@inliniac.net>
Thu, 16 Oct 2025 19:33:34 +0000 (21:33 +0200)
tests/pcap-log-uncompressed-03-multi-bpf/README.md [new file with mode: 0644]
tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml [new file with mode: 0644]
tests/pcap-log-uncompressed-03-multi-bpf/test.yaml [new file with mode: 0644]

diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/README.md b/tests/pcap-log-uncompressed-03-multi-bpf/README.md
new file mode 100644 (file)
index 0000000..fb9cb12
--- /dev/null
@@ -0,0 +1 @@
+Test that Suricata will apply bpf in multi-mode.
diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml b/tests/pcap-log-uncompressed-03-multi-bpf/suricata.yaml
new file mode 100644 (file)
index 0000000..f3a75a0
--- /dev/null
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - stats:
+  - pcap-log:
+      enabled: yes
+      filename: log.pcap.%n-%t-%i
+      compression: none
+      mode: multi
+      limit: 4mb
+      ts-format: usec
+      bpf-filter: tcp and not port 443
+
+# Enable enging logging to JSON so we can verify it.
+logging:
+  outputs:
+    - console:
+        enabled: yes
+    - file:
+        enabled: yes
+        level: perf
+        filename: eve.json
+        type: json
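Review bot: The engine-log `file` output at the end of this config writes to `eve.json`, which is also the default filename of the `eve-log` output declared above without a `filename`, so as far as this config shows two independent writers append to the file that the test's stats check reads. None of the checks in this commit's test.yaml look at engine log records, so the `logging:` section looks carried over from another test; either drop it or give it its own file, e.g. `filename: suricata.json`. If it stays, the comment above it should read `# Enable engine logging to JSON so we can verify it.` (the hunk has "enging").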
diff --git a/tests/pcap-log-uncompressed-03-multi-bpf/test.yaml b/tests/pcap-log-uncompressed-03-multi-bpf/test.yaml
new file mode 100644 (file)
index 0000000..bf4b101
--- /dev/null
@@ -0,0 +1,18 @@
+requires:
+  min-version: 9
+      
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+  - --runmode=single
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.pcap_log.written: 38
+        stats.pcap_log.filtered_bpf: 14063
+  - shell:
+      args: find . -type f -name 'log.pcap.1-1523389*.*-*' | wc -l | xargs
+      expect: 1
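Review bot: The expected counters `stats.pcap_log.written: 38` and `stats.pcap_log.filtered_bpf: 14063` are bare constants with no hint of where they come from, which makes a future failure hard to triage. A comment above the filter check would help, e.g. `# with bpf-filter 'tcp and not port 443': 38 packets logged, 14063 rejected by the filter`. The checks establish the counters and that exactly one log file exists, but nothing inspects the written capture itself, so a regression where the counters are right and the file still holds port 443 packets would presumably pass; a check on the file's contents would close that gap. The line after `min-version: 9` contains only trailing spaces and should be empty.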