Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: add test for vlan.id - v3 #2134

Closed
wants to merge 1 commit into from
Closed

test: add test for vlan.id - v3 #2134

wants to merge 1 commit into from

Conversation

AkakiAlice
Copy link
Contributor

Ticket: #1065

Description:

  • Add Suricata-Verify test for vlan.id keyword

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/1065

Suricata PR: OISF/suricata#12103

Previous PR: #2124

@AkakiAlice AkakiAlice mentioned this pull request Nov 26, 2024
Closed
5 tasks
@catenacyber catenacyber added the requires suricata pr Depends on a PR in Suricata label Nov 27, 2024
catenacyber
catenacyber reviewed Nov 27, 2024
View reviewed changes
tests/detect-vlan-id/test.rules
@@ -0,0 +1,3 @@
alert ip any any -> any any (msg:"Vlan ID is equal to 200 with especific layer"; vlan.id:200,1; sid:1;)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit typo especific

catenacyber
catenacyber reviewed Nov 27, 2024
View reviewed changes
tests/detect-vlan-id/test.rules
@@ -0,0 +1,3 @@
alert ip any any -> any any (msg:"Vlan ID is equal to 200 with especific layer"; vlan.id:200,1; sid:1;)
alert ip any any -> any any (msg:"Vlan ID is equal to 300 with explicit 'any' layer "; vlan.id:300,any; sid:2;)
alert ip any any -> any any (msg:"Vlan ID is equal to 400"; vlan.id:300; sid:3;)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

msg:"Vlan ID is equal to 400"; vlan.id:300;

These do not seem to match...

catenacyber
catenacyber reviewed Nov 27, 2024
View reviewed changes
tests/detect-vlan-id/test.yaml
count: 1
match:
event_type: alert
alert.signature_id: 1
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we check the vlan id in the alert data ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I didn't understand the question. Could you be more specific, please?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we we add in this match section a check about vlan.id: 200 ? (with the good syntax and value)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so. Should I use these other commits as examples for the implementation?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

schema.json tells me that it should be vlan[0]: 200

@AkakiAlice AkakiAlice closed this Dec 2, 2024
@AkakiAlice AkakiAlice mentioned this pull request Dec 11, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber left review comments

Assignees
No one assigned
Labels
requires suricata pr Depends on a PR in Suricata
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AkakiAlice @catenacyber