tests: add igmp tests

tests/igmp/igmp-v1-v2-rgmp-01/README.md

@@ -0,0 +1 @@
+Pcap from https://wiki.wireshark.org/IGMP

tests/igmp/igmp-v1-v2-rgmp-01/test.rules

@@ -0,0 +1,8 @@
+alert igmp any any -> 224.0.0.25 any (msg:"RGMP Hello"; igmp.hdr; content:"|ff|"; startswith; ttl:1; sid:1;)
+alert igmp any any -> 224.0.0.25 any (msg:"RGMP Hello"; igmp.type:0xff; ttl:1; sid:2;)
+alert igmp any any -> any any (msg:"IGMP with payload"; dsize:>0; sid:3;)
+alert igmp any any -> any any (msg:"IGMP with ttl > 1"; ttl:>1; sid:4;)
+alert igmp any any -> any any (msg:"IGMP with router alert"; ipopts:rtralt; sid:5;)
+alert igmp any any -> any any (msg:"IGMP w/o router alert"; ipv4.hdr; content:!"|94 04 00 00|"; offset:20; sid:6;)
+alert igmp any any -> any any (msg:"IGMP good csum"; igmp-csum:valid; sid:7;)
+alert igmp any any -> any any (msg:"IGMP bad csum"; igmp-csum:invalid; sid:8;)

tests/igmp/igmp-v1-v2-rgmp-01/test.yaml

@@ -0,0 +1,78 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 19
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        proto: "IGMP"
+        rgmp.type: 255
+  - filter:
+      count: 19
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        proto: "IGMP"
+        rgmp.type: 255
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 87
+      match:
+        event_type: alert
+        alert.signature_id: 5
+        proto: "IGMP"
+  - filter:
+      count: 60
+      match:
+        event_type: alert
+        alert.signature_id: 6
+        proto: "IGMP"
+  - filter:
+      count: 147
+      match:
+        event_type: alert
+        alert.signature_id: 7
+        proto: "IGMP"
+  - filter:
+      count: 19
+      match:
+        event_type: alert
+        alert.signature_id: 7
+        proto: "IGMP"
+        rgmp.type: 255
+  - filter:
+      count: 10
+      match:
+        event_type: alert
+        alert.signature_id: 7
+        proto: "IGMP"
+        igmp.version: 1
+  - filter:
+      count: 118
+      match:
+        event_type: alert
+        alert.signature_id: 7
+        proto: "IGMP"
+        igmp.version: 2
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 8
+        proto: "IGMP"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.igmp: 147

tests/igmp/igmp-v1-v2-rgmp-02-decoder-events/test.rules

@@ -0,0 +1,4 @@
+# IGMP
+alert igmp any any -> any any (msg:"SURICATA IGMP packet too small"; decode-event:igmp.pkt_too_small; classtype:protocol-command-decode; sid:2200127; rev:1;)
+alert igmp any any -> any any (msg:"SURICATA IGMPv3 packet too small"; decode-event:igmp.v3_pkt_too_small; classtype:protocol-command-decode; sid:2200128; rev:1;)
+alert igmp any any -> any any (msg:"SURICATA IGMP malformed packet"; decode-event:igmp.malformed; classtype:protocol-command-decode; sid:2200129; rev:1;)

tests/igmp/igmp-v1-v2-rgmp-02-decoder-events/test.yaml

@@ -0,0 +1,29 @@
+requires:
+  min-version: 9
+
+pcap: ../igmp-v1-v2-rgmp-01/wireshark-wiki-IGMP-dataset.pcap
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2200127
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2200128
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2200129
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.igmp: 147
+        stats.decoder.event.igmp.pkt_too_small: 0
+        stats.decoder.event.igmp.v3_pkt_too_small: 0
+        stats.decoder.event.igmp.malformed: 0

tests/igmp/igmp-v3-queries-01/README.md

@@ -0,0 +1 @@
+Pcap from https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/igmpv3-queries.pcap

tests/igmp/igmp-v3-queries-01/test.rules

@@ -0,0 +1,8 @@
+alert igmp any any -> 224.0.0.25 any (msg:"RGMP Hello"; igmp.hdr; content:"|ff|"; startswith; ttl:1; sid:1;)
+alert igmp any any -> 224.0.0.25 any (msg:"RGMP Hello"; igmp.type:0xff; ttl:1; sid:2;)
+alert igmp any any -> any any (msg:"IGMP with payload"; dsize:>0; sid:3;)
+alert igmp any any -> any any (msg:"IGMP with ttl > 1"; ttl:>1; sid:4;)
+alert igmp any any -> any any (msg:"IGMP with router alert"; ipopts:rtralt; sid:5;)
+alert igmp any any -> any any (msg:"IGMP w/o router alert"; ipv4.hdr; content:!"|94 04 00 00|"; offset:20; sid:6;)
+alert igmp any any -> any any (msg:"IGMP good csum"; igmp-csum:valid; sid:7;)
+alert igmp any any -> any any (msg:"IGMP bad csum"; igmp-csum:invalid; sid:8;)

tests/igmp/igmp-v3-queries-01/test.yaml

@@ -0,0 +1,64 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        proto: "IGMP"
+        rgmp.type: 255
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        proto: "IGMP"
+        rgmp.type: 255
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 5
+        proto: "IGMP"
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 6
+        proto: "IGMP"
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 7
+        proto: "IGMP"
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 7
+        proto: "IGMP"
+        igmp.version: 3
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 8
+        proto: "IGMP"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.igmp: 6