test: add test for vlan.id

Ticket: #1065
OISF · Dec 11, 2024 · 0f99e37 · 0f99e37
1 parent 4a9d6ad
commit 0f99e37
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 0 deletions.
diff --git a/tests/detect-vlan-id/README.md b/tests/detect-vlan-id/README.md
@@ -0,0 +1,3 @@
+Test for checking the working of vlan.id keyword by creating rules and matching a crafted packet against them. The packet is an ICMP packet with 3 different VLAN ids [200,300,400].
+
+PCAP created with scapy.
diff --git a/tests/detect-vlan-id/input.pcap b/tests/detect-vlan-id/input.pcap
diff --git a/tests/detect-vlan-id/test.rules b/tests/detect-vlan-id/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"Vlan ID is equal to 200 with specific layer"; vlan.id:200,1; sid:1;)
+alert ip any any -> any any (msg:"Vlan ID is equal to 400"; vlan.id:400; sid:2;)
diff --git a/tests/detect-vlan-id/test.yaml b/tests/detect-vlan-id/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[0]: 200
+     alert.signature_id: 1
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[2]: 400
+     alert.signature_id: 2
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		Test for checking the working of vlan.id keyword by creating rules and matching a crafted packet against them. The packet is an ICMP packet with 3 different VLAN ids [200,300,400].

		PCAP created with scapy.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		alert ip any any -> any any (msg:"Vlan ID is equal to 200 with specific layer"; vlan.id:200,1; sid:1;)
		alert ip any any -> any any (msg:"Vlan ID is equal to 400"; vlan.id:400; sid:2;)