test: add test for vlan.id - v3 #2134
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| Test for checking the working of vlan.id keyword by creating rules and matching a crafted packet against them. The packet is an ICMP packet with 3 different VLAN ids [200,300,400]. | ||
|
|
||
| PCAP created with scapy. |
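Review bot: the description gives the ids as [200,300,400] but does not say which id sits at which VLAN layer, while test.rules depends on that order (vlan.id:200,1 only matches if 200 is the tag at layer 1); stating the layer of each id would let the expected matches be checked from the README alone. "PCAP created with scapy" would also be more useful with the scapy expression used, so the packet can be regenerated if the test needs changing.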
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| alert ip any any -> any any (msg:"Vlan ID is equal to 200 with especific layer"; vlan.id:200,1; sid:1;) | ||
| alert ip any any -> any any (msg:"Vlan ID is equal to 300 with explicit 'any' layer "; vlan.id:300,any; sid:2;) | ||
| alert ip any any -> any any (msg:"Vlan ID is equal to 400"; vlan.id:300; sid:3;) | ||
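Review bot: sid 3's msg says "Vlan ID is equal to 400" but the option is vlan.id:300, so id 400 is never exercised and sids 2 and 3 are effectively the same test (sid 2's msg marks it as the explicit 'any' layer case, making sid 3 the implicit one); change the option to vlan.id:400. With that fixed the three rules cover a fixed layer, explicit any and implicit any, but there is no negative case, an id absent from the packet or present at a different layer, whose expected count would be 0; consider adding one. Also "especific" in sid 1's msg should read "specific".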
|
Collaborator
msg:"Vlan ID is equal to 400"; vlan.id:300; These do not seem to match...
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 1 | ||
|
Collaborator
Could we check the vlan id in the alert data?
Contributor
Author
Sorry, I didn't understand the question. Could you be more specific, please?
Collaborator
Can we add in this match section a check about
Contributor
Author
I don't think so. Should I use these other commits as examples for the implementation?
Collaborator
schema.json tells me that it should be
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 2 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 3 | ||
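Review bot: each filter only asserts event_type: alert and alert.signature_id, so count: 1 passes as long as any alert is raised for each sid and would not catch a rule matching the wrong tag or layer; add the decoded VLAN ids of the packet to each match block (the EVE alert record carries them, which is what the reviewer's schema.json remark points at) so the alert is also checked against the ids the packet actually carries. Since -k none turns off checksum validation, a short comment in the yaml saying why the crafted pcap needs it would help future readers.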
nit typo
especific