dhcp: verify option 52 overload parsing

Add a verification test that runs Suricata over a pcap where the server places dns_servers, routers and a domain inside the BOOTP sname continuation area while flagging Option Overload (52) value 2 in the standard options block. The test asserts that the EVE DHCP events for both the OFFER and the ACK now expose those
overloaded values and that the parallel non overloaded flow in the same capture still reports its inline values.

Bug: #8538.

diff --git a/tests/dhcp-option-52-overload/input.pcap b/tests/dhcp-option-52-overload/input.pcap
new file mode 100755 (executable)
index 0000000..773edcd
Binary files /dev/null and b/tests/dhcp-option-52-overload/input.pcap differ

diff --git a/tests/dhcp-option-52-overload/suricata.yaml b/tests/dhcp-option-52-overload/suricata.yaml
new file mode 100644 (file)
index 0000000..055b4d3
--- /dev/null
+++ b/tests/dhcp-option-52-overload/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: true
+      filename: eve.json
+      types:
+        - dhcp:
+            extended: true
+        - flow
+
+app-layer:
+  protocols:
+    dhcp:
+      enabled: yes

diff --git a/tests/dhcp-option-52-overload/test.yaml b/tests/dhcp-option-52-overload/test.yaml
new file mode 100644 (file)
index 0000000..f35660f
--- /dev/null
+++ b/tests/dhcp-option-52-overload/test.yaml
@@ -0,0 +1,45 @@
+requires:
+  min-version: 9.0.0
+
+checks:
+# Packet 4 is a DHCP OFFER carrying Option Overload (52) value 2, which
+# means the BOOTP sname field holds extra options. The fix exposes
+# dns_servers and routers parsed out of sname.
+- filter:
+    count: 1
+    match:
+      event_type: dhcp
+      pcap_cnt: 4
+      dhcp.dhcp_type: offer
+      dhcp.dns_servers[0]: 10.100.0.2
+      dhcp.routers[0]: 10.100.0.2
+
+# Packet 7 is a DHCP ACK with the same overloaded sname options.
+- filter:
+    count: 1
+    match:
+      event_type: dhcp
+      pcap_cnt: 7
+      dhcp.dhcp_type: ack
+      dhcp.dns_servers[0]: 10.100.0.2
+      dhcp.routers[0]: 10.100.0.2
+
+# Sanity check that the parallel non-overloaded OFFER and ACK in the
+# same pcap still surface their inline option values unchanged.
+- filter:
+    count: 1
+    match:
+      event_type: dhcp
+      pcap_cnt: 3
+      dhcp.dhcp_type: offer
+      dhcp.dns_servers[0]: 10.100.0.1
+      dhcp.routers[0]: 10.100.0.1
+
+- filter:
+    count: 1
+    match:
+      event_type: dhcp
+      pcap_cnt: 8
+      dhcp.dhcp_type: ack
+      dhcp.dns_servers[0]: 10.100.0.1
+      dhcp.routers[0]: 10.100.0.1