From eaebe69c2a327a53d02d75b6d5e21d413dfd26c1 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Tue, 3 Feb 2026 22:23:51 +0100
Subject: [PATCH 1/3] tests: check for eve version 2

---
 tests/smtp-startssl/test.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tests/smtp-startssl/test.yaml b/tests/smtp-startssl/test.yaml
index cd3b67715..b3009ec19 100644
--- a/tests/smtp-startssl/test.yaml
+++ b/tests/smtp-startssl/test.yaml
@@ -11,3 +11,9 @@ checks:
 match:
 smtp.helo: "desktop.unx.ca"
 not-has-key: "email"
+ - filter:
+ min-version: 9
+ count: 1
+ match:
+ event_type: tls
+ app_proto_orig: smtp

From 7b6ae2ce3877af30a9d46b89e8b48bd5fa3e3efc Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Tue, 3 Feb 2026 22:24:56 +0100
Subject: [PATCH 2/3] tests: verify eve logging version is honored

---
 tests/force-eve-logging-v1/README.md | 1 +
 tests/force-eve-logging-v1/input.pcap | 1 +
 tests/force-eve-logging-v1/suricata.yaml | 23 +++++++++++++++++++++
 tests/force-eve-logging-v1/test.yaml | 26 ++++++++++++++++++++++++
 4 files changed, 51 insertions(+)
 create mode 100644 tests/force-eve-logging-v1/README.md
 create mode 120000 tests/force-eve-logging-v1/input.pcap
 create mode 100644 tests/force-eve-logging-v1/suricata.yaml
 create mode 100644 tests/force-eve-logging-v1/test.yaml

diff --git a/tests/force-eve-logging-v1/README.md b/tests/force-eve-logging-v1/README.md
new file mode 100644
index 000000000..9ee1f25c2
--- /dev/null
+++ b/tests/force-eve-logging-v1/README.md
@@ -0,0 +1 @@
+Test that forcing EVE version to 1 trigger app_proto not to be logged.
diff --git a/tests/force-eve-logging-v1/input.pcap b/tests/force-eve-logging-v1/input.pcap
new file mode 120000
index 000000000..ff47473d5
--- /dev/null
+++ b/tests/force-eve-logging-v1/input.pcap
@@ -0,0 +1 @@
+../smtp-startssl/input.pcap
\ No newline at end of file
diff --git a/tests/force-eve-logging-v1/suricata.yaml b/tests/force-eve-logging-v1/suricata.yaml
new file mode 100644
index 000000000..df7fb4db2
--- /dev/null
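Review bot: The new `min-version: 9` filter in tests/smtp-startssl/test.yaml carries no explanation of why the `app_proto_orig: smtp` assertion on the tls record is version-gated, and nothing in the check itself mentions the EVE schema version the commit title refers to. A reader of the test file alone cannot tell whether the gate exists because the key was added in that release or because the default EVE version changed there; presumably it is the latter, given that the companion test in this series forces `version: 1` to make the key disappear. A one-line comment above the filter would settle it, e.g. `# app_proto_orig on tls records comes with the EVE v2 schema; see tests/force-eve-logging-v1 for the v1 case`, adjusted to whichever reason actually applies. The `checks:` list this entry extends starts above the hunk.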
+++ b/tests/force-eve-logging-v1/suricata.yaml
@@ -0,0 +1,23 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ version: 1
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - smtp
+ - tls
diff --git a/tests/force-eve-logging-v1/test.yaml b/tests/force-eve-logging-v1/test.yaml
new file mode 100644
index 000000000..9177e54d3
--- /dev/null
+++ b/tests/force-eve-logging-v1/test.yaml
@@ -0,0 +1,26 @@
+args:
+- -k none
+
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: smtp
+ - filter:
+ count: 0
+ match:
+ smtp.helo: "desktop.unx.ca"
+ not-has-key: "email"
+ app_proto: smtp
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ app_proto_orig: smtp

From 054356e66180c558da74fd67ccd739b127a3b697 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Fri, 6 Feb 2026 08:32:57 +0100
Subject: [PATCH 3/3] tests: verify version is present in version 2

---
 tests/eve-suricata-version/suricata.yaml | 1 +
 tests/eve-suricata-version/test.yaml | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/eve-suricata-version/suricata.yaml b/tests/eve-suricata-version/suricata.yaml
index 53e52d7dc..d2b3c69f5 100644
--- a/tests/eve-suricata-version/suricata.yaml
+++ b/tests/eve-suricata-version/suricata.yaml
@@ -3,6 +3,7 @@ outputs:
 - eve-log:
+ version: 2
 enabled: yes
 suricata-version: yes
 types:
diff --git a/tests/eve-suricata-version/test.yaml b/tests/eve-suricata-version/test.yaml
index 05e29a711..429248c03 100644
--- a/tests/eve-suricata-version/test.yaml
+++ b/tests/eve-suricata-version/test.yaml
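Review bot: The `version: 1` key in the new suricata.yaml is the one setting this whole test exists for, yet it sits unmarked between `filename` and `types` among alert payload and `xff` options that the checks never look at. A comment on that line, `# under test: the v1 schema must not emit app_proto / app_proto_orig`, would stop a later cleanup from treating it as a stray default, and the `alert:` sub-block with its `xff:` settings could be trimmed to the `flow`, `smtp` and `tls` types the checks actually exercise. The inline `#regular|syslog|...` comment on the `filetype` line has no space after the hash and only one before it, which yamllint's comments rule rejects; `filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis` is the conventional form.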
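Review bot: The two `count: 0` filters in the new test.yaml can pass for reasons unrelated to the EVE version: the second filter also requires `smtp.helo: "desktop.unx.ca"` and `not-has-key: "email"`, so a changed helo value satisfies it as readily as a missing `app_proto`, and the last filter still passes if the tls record carries `app_proto_orig` with any value other than `smtp`. Asserting the absence directly is what the README promises: for the tls case change `count: 0` to `count: 1` and `app_proto_orig: smtp` to `not-has-key: app_proto_orig`, and for the smtp case use `count: 1` with `not-has-key: app_proto` in place of `app_proto: smtp` (the existing `not-has-key: "email"` entry would then have to go or be merged, since a YAML mapping cannot repeat the key and it is not visible here whether the framework accepts a list there). The `args:` sequence is also flush with its key while every `checks:` sequence is indented; the file should use one sequence style throughout.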
@@ -64,4 +64,8 @@ checks:
 event_type: fileinfo
 dest_ip: 192.168.118.10
 has-key: suricata_version
-
+ - filter:
+ min-version: 9
+ count: 53
+ match:
+ has-key: v
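Review bot: `count: 53` ties the presence check for the `v` key to the exact number of records this pcap produces, so any change in what gets logged — an extra rule hit, a newly enabled event type, a changed default — fails the test even though `v` is still on every record. Asserting the absence directly is both stronger and stable: keep the `min-version: 9` gate and replace `count: 53` with `count: 0` and `has-key: v` with `not-has-key: v`, which states that no record lacks the key whatever the total is. If the total record count is itself worth pinning, it belongs in a separate filter without the version gate so the two failure modes stay distinguishable. The `checks:` list this entry belongs to starts above the hunk.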