Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: add test for vlan.id - v3 #2134

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

test: add test for vlan.id - v3 #2134

wants to merge 1 commit into from

Conversation

AkakiAlice
Copy link
Contributor

Ticket: #1065

Description:

  • Add Suricata-Verify test for vlan.id keyword

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/1065

Suricata PR: OISF/suricata#12103

Previous PR: #2124

@AkakiAlice AkakiAlice mentioned this pull request Nov 26, 2024
Open
5 tasks
@catenacyber catenacyber added the requires suricata pr Depends on a PR in Suricata label Nov 27, 2024
catenacyber
catenacyber reviewed Nov 27, 2024
View reviewed changes
tests/detect-vlan-id/test.rules
@@ -0,0 +1,3 @@
alert ip any any -> any any (msg:"Vlan ID is equal to 200 with especific layer"; vlan.id:200,1; sid:1;)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit typo especific

catenacyber
catenacyber reviewed Nov 27, 2024
View reviewed changes
tests/detect-vlan-id/test.rules
@@ -0,0 +1,3 @@
alert ip any any -> any any (msg:"Vlan ID is equal to 200 with especific layer"; vlan.id:200,1; sid:1;)
alert ip any any -> any any (msg:"Vlan ID is equal to 300 with explicit 'any' layer "; vlan.id:300,any; sid:2;)
alert ip any any -> any any (msg:"Vlan ID is equal to 400"; vlan.id:300; sid:3;)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

msg:"Vlan ID is equal to 400"; vlan.id:300;

These do not seem to match...

catenacyber
catenacyber reviewed Nov 27, 2024
View reviewed changes
tests/detect-vlan-id/test.yaml
count: 1
match:
event_type: alert
alert.signature_id: 1
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we check the vlan id in the alert data ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber left review comments

Assignees
No one assigned
Labels
requires suricata pr Depends on a PR in Suricata
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AkakiAlice @catenacyber