From 197246d27b968254150a4873e92db2cf9b3f90fd Mon Sep 17 00:00:00 2001 From: Jerry Hardee Date: Fri, 2 Jan 2026 14:22:13 -0900 Subject: [PATCH] tests: add geoip-enrichment tests Add tests for the geoip-enrichment output feature. - geoip-enrichment: Tests that geoip_dst fields are added to alert and flow events when geoip-enrichment is enabled - geoip-enrichment-disabled: Tests that NO events have geoip fields when geoip-enrichment is disabled Ticket: 6999 --- tests/geoip-enrichment-disabled/input.pcap | Bin 0 -> 411 bytes tests/geoip-enrichment-disabled/suricata.yaml | 14 ++++++++ tests/geoip-enrichment-disabled/test.mmdb | Bin 0 -> 1411 bytes tests/geoip-enrichment-disabled/test.rules | 1 + tests/geoip-enrichment-disabled/test.yaml | 34 ++++++++++++++++++ tests/geoip-enrichment/input.pcap | Bin 0 -> 411 bytes tests/geoip-enrichment/suricata.yaml | 14 ++++++++ tests/geoip-enrichment/test.mmdb | Bin 0 -> 1411 bytes tests/geoip-enrichment/test.rules | 1 + tests/geoip-enrichment/test.yaml | 25 +++++++++++++ 10 files changed, 89 insertions(+) create mode 100644 tests/geoip-enrichment-disabled/input.pcap create mode 100644 tests/geoip-enrichment-disabled/suricata.yaml create mode 100644 tests/geoip-enrichment-disabled/test.mmdb create mode 100644 tests/geoip-enrichment-disabled/test.rules create mode 100644 tests/geoip-enrichment-disabled/test.yaml create mode 100644 tests/geoip-enrichment/input.pcap create mode 100644 tests/geoip-enrichment/suricata.yaml create mode 100644 tests/geoip-enrichment/test.mmdb create mode 100644 tests/geoip-enrichment/test.rules create mode 100644 tests/geoip-enrichment/test.yaml 
diff --git a/tests/geoip-enrichment-disabled/input.pcap b/tests/geoip-enrichment-disabled/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0ff47fce2b8ee44eecce785d38ad82f8ffaf2ca9 GIT binary patch literal 411 zcmca|c+)~A1{MYw`2U}Qff2~zONz+cyOfK;49EuIwDOLbt9CO8DjBsTGO21v#mD$@#gwT)bQ$t6G;5cuCPdU<8FckJNDi?D%cf!ugv%W z`VR2TPmXWkdNLPBGnwD~b9Pzo0x3WdkP37IIsh$zi*^LM0G-&KsdLHsc9oqbqdPE> z-2>>!=p`@p2KvbE3-puS9~i(+m&-sPL-ruXU|@(`hBAf$!x7zK=GjFJ0T z#yDWSTqXeD*^_{2z+|~k0W#THbgJBwuRI;d1`0XOpfiD4@}Aj@Idm?aN9O|z7|uf$ z0*hoX29~gw(q(e@Fmh-vkjL;+A9bFS&+yX%ARzZ&jG+9v9MIUszzR8*04srVpj0la z7^~?Tx|Xh^>uDL?K%E0@WGHkKRcVMiH#pxg@C6X;&A=m|0yqy;a?xoOa01u@>;|g2 zM5sYc8l_vQMQs|Raau#S(OO^^kYLx*?Q{p-Ns}i`x<@X18TG(E#(sK$9;D9whZu)} zBaEZ;n7n#i#z`5cfYY+i0B70fho=OY}0m0$gWY1+Fm~X#2@;05`cb%Dstk z3%D(pJB+))J;r^xKL8%eb{^O)`!VAQ@Rae4KBq6}OZtkwrf=w5>OATl<30TVd}Ms0 zpK1H~o%r|D>eI})5wj9)`MPZ?ni&?J+`L>vjR>DlSP|7ow7OH;+-V+fi96lvwNyhB z&EI|o)!LwLgtIg=@}n%I8>*F1Hk;1c-!zje$^HuMR6B zYHF3P)bjd7Lolqy)R1ZmC6Jdg^sjy>if3f?| r9~J1)_W$bgSF1)vT&)l`Tm^>nR?e$A@A 82.165.177.154 any (msg:"Test GeoIP enrichment disabled"; flow:established,to_server; sid:1; rev:1;) diff --git a/tests/geoip-enrichment-disabled/test.yaml b/tests/geoip-enrichment-disabled/test.yaml new file mode 100644 index 000000000..13bad2475 --- /dev/null +++ b/tests/geoip-enrichment-disabled/test.yaml @@ -0,0 +1,34 @@ +requires: + features: + - GeoIP2 + +pcap: input.pcap + +checks: + # Verify NO alerts have geoip_dst when enrichment is disabled + - filter: + count: 0 + match: + event_type: alert + has-key: geoip_dst + + # Verify NO alerts have geoip_src when enrichment is disabled + - filter: + count: 0 + match: + event_type: alert + has-key: geoip_src + + # Verify NO flows have geoip_dst when enrichment is disabled + - filter: + count: 0 + match: + event_type: flow + has-key: geoip_dst + + # Verify NO flows have geoip_src when enrichment is disabled + - filter: + count: 0 + match: + event_type: flow + has-key: geoip_src 
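Review bot: Every filter in this test.yaml is a `count: 0` check, so the file passes vacuously if Suricata emits no alert or flow events at all (a rule that no longer matches input.pcap, or an EVE output not enabled in suricata.yaml, would go unnoticed). Add a positive filter requiring exactly one alert for sid 1 and one flow event, so the absence of `geoip_src`/`geoip_dst` is asserted on events that actually exist; the sibling geoip-enrichment test already expects one alert and one flow from the same pcap. The suricata.yaml and test.rules hunks for this directory are not readable here because the binary pcap/mmdb patch data runs into them.
```yaml
checks:
  # Positive checks: the events must exist, otherwise the count-0 filters below prove nothing
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 1
  - filter:
      count: 1
      match:
        event_type: flow
  # … unchanged: the four count-0 geoip_src/geoip_dst filters …
```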
diff --git a/tests/geoip-enrichment/input.pcap b/tests/geoip-enrichment/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0ff47fce2b8ee44eecce785d38ad82f8ffaf2ca9 GIT binary patch literal 411 zcmca|c+)~A1{MYw`2U}Qff2~zONz+cyOfK;49EuIwDOLbt9CO8DjBsTGO21v#mD$@#gwT)bQ$t6G;5cuCPdU<8FckJNDi?D%cf!ugv%W z`VR2TPmXWkdNLPBGnwD~b9Pzo0x3WdkP37IIsh$zi*^LM0G-&KsdLHsc9oqbqdPE> z-2>>!=p`@p2KvbE3-puS9~i(+m&-sPL-ruXU|@(`hBAf$!x7zK=GjFJ0T z#yDWSTqXeD*^_{2z+|~k0W#THbgJBwuRI;d1`0XOpfiD4@}Aj@Idm?aN9O|z7|uf$ z0*hoX29~gw(q(e@Fmh-vkjL;+A9bFS&+yX%ARzZ&jG+9v9MIUszzR8*04srVpj0la z7^~?Tx|Xh^>uDL?K%E0@WGHkKRcVMiH#pxg@C6X;&A=m|0yqy;a?xoOa01u@>;|g2 zM5sYc8l_vQMQs|Raau#S(OO^^kYLx*?Q{p-Ns}i`x<@X18TG(E#(sK$9;D9whZu)} zBaEZ;n7n#i#z`5cfYY+i0B70fho=OY}0m0$gWY1+Fm~X#2@;05`cb%Dstk z3%D(pJB+))J;r^xKL8%eb{^O)`!VAQ@Rae4KBq6}OZtkwrf=w5>OATl<30TVd}Ms0 zpK1H~o%r|D>eI})5wj9)`MPZ?ni&?J+`L>vjR>DlSP|7ow7OH;+-V+fi96lvwNyhB z&EI|o)!LwLgtIg=@}n%I8>*F1Hk;1c-!zje$^HuMR6B zYHF3P)bjd7Lolqy)R1ZmC6Jdg^sjy>if3f?| r9~J1)_W$bgSF1)vT&)l`Tm^>nR?e$A@A 82.165.177.154 any (msg:"Test GeoIP enrichment to Germany"; flow:established,to_server; sid:1; rev:1;) diff --git a/tests/geoip-enrichment/test.yaml b/tests/geoip-enrichment/test.yaml new file mode 100644 index 000000000..b3e8dea0b --- /dev/null +++ b/tests/geoip-enrichment/test.yaml @@ -0,0 +1,25 @@ +requires: + features: + - GeoIP2 + +pcap: input.pcap + +checks: + # Check alert has geoip_dst with correct structure + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + has-key: geoip_dst + has-key: geoip_dst.ip + has-key: geoip_dst.geo.country_iso_code + geoip_dst.geo.country_iso_code: DE + + # Check flow has geoip_dst enrichment + - filter: + count: 1 + match: + event_type: flow + has-key: geoip_dst + geoip_dst.geo.country_iso_code: DE
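Review bot: The first filter's `match` mapping repeats the `has-key` key three times (`geoip_dst`, `geoip_dst.ip`, `geoip_dst.geo.country_iso_code`); a YAML mapping cannot hold duplicate keys, and loaders such as PyYAML silently keep only the last one, so depending on how the verify runner loads test.yaml the checks for `geoip_dst` and `geoip_dst.ip` are probably never evaluated. Since `geoip_dst.geo.country_iso_code: DE` already implies the nested key exists, keep a single `has-key: geoip_dst.ip` and drop the other two `has-key` lines, or split them into separate filters as the disabled test does. The flow filter also omits any `geoip_dst.ip` check, and neither filter says anything about `geoip_src`, so the test does not pin whether the source address is enriched or left out when it is absent from test.mmdb.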