arp: add tests

glongo · victorjulien · commit 1e61ec90f06b · 2024-05-16T07:09:27.000+02:00
diff --git a/tests/decode-arp-2/README.md b/tests/decode-arp-2/README.md
@@ -0,0 +1 @@
+PCAP from https://www.cloudshark.org/captures/e4d6ea732135/export
diff --git a/tests/decode-arp-2/arp.pcap b/tests/decode-arp-2/arp.pcap
diff --git a/tests/decode-arp-2/suricata.yaml b/tests/decode-arp-2/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - arp:
+            enabled: yes
+
diff --git a/tests/decode-arp-2/test.yaml b/tests/decode-arp-2/test.yaml
@@ -0,0 +1,35 @@
+requires:
+    min-version: 8
+
+pcap: arp.pcap
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: arp
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        pcap_cnt: 5
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: request
+        arp.src_mac: 00:1d:09:f0:92:ab
+        arp.src_ip: 10.10.10.1
+        arp.dest_mac: 00:00:00:00:00:00
+        arp.dest_ip: 10.10.10.2
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        pcap_cnt: 6
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: reply
+        arp.src_mac: 00:1a:6b:6c:0c:cc
+        arp.src_ip: 10.10.10.2
+        arp.dest_mac: 00:1d:09:f0:92:ab
+        arp.dest_ip: 10.10.10.1
+
diff --git a/tests/decode-arp-3/README.md b/tests/decode-arp-3/README.md
@@ -0,0 +1,14 @@
+Decode ARP packet over GRE.
+
+PCAP made with the following scapy script:
+
+```
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/GRE()/ARP()
+
+wrpcap('arp-encap.pcap', pkts)
+```
diff --git a/tests/decode-arp-3/arp-encap.pcap b/tests/decode-arp-3/arp-encap.pcap
diff --git a/tests/decode-arp-3/suricata.yaml b/tests/decode-arp-3/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - arp:
+            enabled: yes
+
diff --git a/tests/decode-arp-3/test.yaml b/tests/decode-arp-3/test.yaml
@@ -0,0 +1,18 @@
+pcap: arp-encap.pcap
+
+requires:
+    min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: arp
+        arp.hw_type: ethernet
+        arp.proto_type: ipv4
+        arp.opcode: request
+        arp.src_mac: bc:03:58:5a:d5:ca
+        arp.src_ip: 192.168.1.28
+        arp.dest_mac: 00:00:00:00:00:00
+        arp.dest_ip: 0.0.0.0
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+PCAP from https://www.cloudshark.org/captures/e4d6ea732135/export`