test/linktype: Expand linktype_name coverage

Issue: 4974 This commit extends the linktype_name validation across the existing tests so that more linktype name values are checked: - C_HDLC - PPP - IPV4 - IPV6 - RAW - EN10B - LINUX_SLL Some existing tests required suricata.yaml configuration to enable the packet values to be in the alerts.
OISF · Aug 28, 2024 · be142e4 · be142e4
1 parent 4fe8d00
commit be142e4
Show file tree

Hide file tree

Showing 18 changed files with 291 additions and 30 deletions.
diff --git a/tests/decode-chdlc-01/test.yaml b/tests/decode-chdlc-01/test.yaml
@@ -2,35 +2,34 @@ requires:
 
  min-version: 6.0.0
 
-
 checks:
 
-  - filter:
-  count: 1
-  match:
-  event_type: http
-  http.hostname: "view.atdmt.com"
-  http.status: 200
-  http.length: 8079
-
-  - filter:
-  count: 1
-  match:
-  event_type: fileinfo
-  fileinfo.state: CLOSED
-
-  - filter:
-  count: 1
-  match:
-  event_type: alert
-  alert.signature_id: 666
-
-  - filter:
-  count: 1
-  match:
-  event_type: flow
-  proto: TCP
-
-  - stats:
-  decoder.ipv4: 17
-  decoder.chdlc: 17
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.hostname: "view.atdmt.com"
+ http.status: 200
+ http.length: 8079
+
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+
+ - stats:
+ decoder.ipv4: 17
+ decoder.chdlc: 17
diff --git a/tests/decode-chdlc-02/README.md b/tests/decode-chdlc-02/README.md
@@ -0,0 +1,3 @@
+Ensure Cisco HDLC packets are decoded and the linktype name is correct
+
+
diff --git a/tests/decode-chdlc-02/suricata.yaml b/tests/decode-chdlc-02/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - http:
+ extended: true
+ - files:
+ force-magic: no
+ - flow
+ - stats
+app-layer:
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ response-body-limit: 100kb
diff --git a/tests/decode-chdlc-02/test.rules b/tests/decode-chdlc-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.method; content:"GET"; sid:666;)
diff --git a/tests/decode-chdlc-02/test.yaml b/tests/decode-chdlc-02/test.yaml
@@ -0,0 +1,38 @@
+requires:
+
+ min-version: 8
+
+pcap: ../decode-chdlc-01/hdlc-http_1tx.pcap
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.hostname: "view.atdmt.com"
+ http.status: 200
+ http.length: 8079
+
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+ packet_info.linktype_name: C_HDLC
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+
+ - stats:
+ decoder.ipv4: 17
+ decoder.chdlc: 17
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
@@ -9,3 +9,13 @@ checks:
  alert.signature_id: 1
  packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrQAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="
  packet_info.linktype: 229
+
+- filter:
+ count: 1
+ min-version: 8
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrQAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="
+ packet_info.linktype: 229
+ packet_info.linktype_name: IPV6
diff --git a/tests/detect-ipopts-02/README b/tests/detect-ipopts-02/README
@@ -0,0 +1,13 @@
+Test the IP options and verify the linktype name value.
+
+There's already a test for the extended security option; the following IP options are tested:
+- Record Route "rr"
+- Loose source route "lsrr"
+- EOL "eol"
+- NOP "nop"
+- Timestamp "ts"
+- Security "sec"
+- Strict source route "ssrr"
+- Stream id "satid"
+
+The pcap was generated using detect-ipopts/ipopt.py
diff --git a/tests/detect-ipopts-02/suricata.yaml b/tests/detect-ipopts-02/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/detect-ipopts-02/test.rules b/tests/detect-ipopts-02/test.rules
@@ -0,0 +1,10 @@
+alert ip any any -> any any (msg:"RR option set"; ipopts:rr; sid: 1;)
+alert ip any any -> any any (msg:"LSRR option set"; ipopts:lsrr; sid: 2;)
+alert ip any any -> any any (msg:"EOL option set"; ipopts:eol; sid: 3;)
+alert ip any any -> any any (msg:"NOP option set"; ipopts:nop; sid: 4;)
+alert ip any any -> any any (msg:"TS option set"; ipopts:ts; sid: 5;)
+alert ip any any -> any any (msg:"SEC option set"; ipopts:sec; sid: 6;)
+alert ip any any -> any any (msg:"SSRR option set"; ipopts:ssrr; sid: 7;)
+alert ip any any -> any any (msg:"SID option set"; ipopts:satid; sid: 8;)
+# covered in ipopts-sec
+#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)
diff --git a/tests/detect-ipopts-02/test.yaml b/tests/detect-ipopts-02/test.yaml
@@ -0,0 +1,64 @@
+requires:
+ min-version: 8
+
+args:
+ - --set stream.midstream=true -k none
+
+pcap: ../detect-ipopts/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ alert.signature_id: 1
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 2
+ alert.signature_id: 2
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 4
+ alert.signature_id: 4
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 5
+ alert.signature_id: 5
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 6
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ alert.signature_id: 7
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 8
+ alert.signature_id: 8
+ packet_info.linktype_name: IPV4
diff --git a/tests/dnp3-dnp3_obj-alert/test.yaml b/tests/dnp3-dnp3_obj-alert/test.yaml
@@ -15,3 +15,11 @@ checks:
  match:
  event_type: alert
  alert.signature_id: 2
+
+ - filter:
+ count: 4
+ min-version: 8
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet_info.linktype_name: EN10MB
diff --git a/tests/tcp-fastopen-12/suricata.yaml b/tests/tcp-fastopen-12/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - flow
diff --git a/tests/tcp-fastopen-12/test.rules b/tests/tcp-fastopen-12/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (content:"Hello!"; sid:1;)
diff --git a/tests/tcp-fastopen-12/test.yaml b/tests/tcp-fastopen-12/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../tcp-fastopen-05/tfo.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet_info.linktype_name: LINUX_SLL
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ proto: TCP
diff --git a/tests/vxlan-decoder-04/README.md b/tests/vxlan-decoder-04/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test basic VXLAN decoding
+
+# PCAP
+
+https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/vxlan.pcap
diff --git a/tests/vxlan-decoder-04/suricata.yaml b/tests/vxlan-decoder-04/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - flow
diff --git a/tests/vxlan-decoder-04/test.rules b/tests/vxlan-decoder-04/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> any any (itype:8; sid:1;)
diff --git a/tests/vxlan-decoder-04/test.yaml b/tests/vxlan-decoder-04/test.yaml
@@ -0,0 +1,27 @@
+requires:
+ min-version: 8
+
+args:
+ - --set decoder.vxlan.enabled=true
+
+pcap: ../vxlan-decoder-02/vxlan.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: "ICMP"
+ flow.pkts_toserver: 4
+ flow.pkts_toclient: 4
+ - filter:
+ count: 4
+ match:
+ event_type: flow
+ dest_port: 4789
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ tunnel.dest_port: 4789
+ packet_info.linktype_name: RAW