test: add test for vlan.id

Ticket: #1065
OISF · Dec 13, 2024 · 9117721 · 9117721
1 parent 1c56070
commit 9117721
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 0 deletions.
diff --git a/tests/detect-vlan-id/README.md b/tests/detect-vlan-id/README.md
@@ -0,0 +1,3 @@
+Test for checking the working of vlan.id keyword by creating rules and matching a crafted packet against them. The packet is an ICMP packet with 3 different VLAN ids [200,300,400].
+
+PCAP created with scapy 2.5.0.
diff --git a/tests/detect-vlan-id/input.pcap b/tests/detect-vlan-id/input.pcap
diff --git a/tests/detect-vlan-id/test.rules b/tests/detect-vlan-id/test.rules
@@ -0,0 +1,9 @@
+alert ip any any -> any any (msg:"Vlan ID is equal to 200 with specific layer"; vlan.id:200,0; sid:1;)
+alert ip any any -> any any (msg:"One Vlan ID is equal to 300"; vlan.id:300; sid:2;)
+alert ip any any -> any any (msg:"Last Vlan ID is equal to 400"; vlan.id:400,-1; sid:3;)
+alert ip any any -> any any (msg:"Vlan ID is equal to 300 with specific layer"; vlan.id:0x12C,1; sid:4;)
+alert ip any any -> any any (msg:"Vlan ID at layer 1 is not equal to 200"; vlan.id:!200,1; sid:5;)
+alert ip any any -> any any (msg:"There is no VLAN ID equal to 500"; vlan.id:!500; sid:6;)
+alert ip any any -> any any (msg:"VLAN ID at layer 2 is between 100 and 600"; vlan.id:100-600,2; sid:7;)
+alert ip any any -> any any (msg:"VLAN ID at layer 1 is less than 400"; vlan.id:<400,1; sid:8;)
+alert ip any any -> any any (msg:"One Vlan ID is greater than or equal to 200"; vlan.id:>=0xC8; sid:9;)
diff --git a/tests/detect-vlan-id/test.yaml b/tests/detect-vlan-id/test.yaml
@@ -0,0 +1,56 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[0]: 200
+     alert.signature_id: 1
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[1]: 300
+     alert.signature_id: 2
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[2]: 400
+     alert.signature_id: 3
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     vlan[1]: 300
+     alert.signature_id: 4
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 5
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 6
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 7
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 8
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     alert.signature_id: 9
diff --git a/tests/detect-vlan-id/writepcap.py b/tests/detect-vlan-id/writepcap.py
@@ -0,0 +1,17 @@
+#! /usr/bin/env python3
+from scapy.all import *
+
+CLIENT_MAC = "11:11:11:11:11:11"
+SERVER_MAC = "22:22:22:22:22:22"
+
+CLIENT_IP = "1.1.1.1"
+SERVER_IP = "2.2.2.2"
+
+request = (Ether(src=CLIENT_MAC, dst=SERVER_MAC) /
+               Dot1Q(vlan=200) /
+               Dot1Q(vlan=300) /
+               Dot1Q(vlan=400) /
+               IP(src=CLIENT_IP, dst=SERVER_IP) /
+               ICMP(type=8))
+
+wrpcap("input.pcap", request, append=False)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		Test for checking the working of vlan.id keyword by creating rules and matching a crafted packet against them. The packet is an ICMP packet with 3 different VLAN ids [200,300,400].

		PCAP created with scapy 2.5.0.