tests: add test for 7414 and 7433

tests/bug-7414-decoder-event-01/README.md

@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+

tests/bug-7414-decoder-event-01/decoder-event.rules

@@ -0,0 +1 @@
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)

tests/bug-7414-decoder-event-01/suricata.yaml

@@ -0,0 +1,41 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+  enabled: yes
+  # The interval field (in seconds) controls the interval at
+  # which stats are updated in the log.
+  interval: 8
+  # Add decode events to stats.
+  #decoder-events: true
+  # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+  # to missing events in the eve.stats records. See issue #2225.
+  #decoder-events-prefix: "decoder.event"
+  # Add stream events as stats.
+  #stream-events: false
+  exception-policy:
+    #per-app-proto-errors: false  # default: false. True will log errors for
+                                  # each app-proto. Warning: VERY verbose
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      ethernet: true
+      pcap-file: true
+
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
+            verdict: yes
+        - anomaly:
+            enabled: yes
+            types:
+              decode: true
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values

tests/bug-7414-decoder-event-01/test.yaml

@@ -0,0 +1,45 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2200005
+        pcap_cnt: 3
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        alert.action: "allowed"
+        packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+        verdict.action: "alert"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.invalid: 1
+
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 3
+        event_type: "anomaly"
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        anomaly.type: "decode"
+        anomaly.event: "decoder.ipv4.opt_pad_required"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 2
+      match:
+        pcap_cnt: 3
+        event_type: "anomaly"
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        anomaly.type: "decode"
+        anomaly.event: "decoder.ipv4.opt_invalid_len"
+        pcap_filename.__endswith: "ip_secopt.pcap"

tests/bug-7414-decoder-event-02-ips/README.md

@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+

tests/bug-7414-decoder-event-02-ips/decoder-event.rules

@@ -0,0 +1 @@
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)

tests/bug-7414-decoder-event-02-ips/suricata.yaml

@@ -0,0 +1,43 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+  enabled: yes
+  # The interval field (in seconds) controls the interval at
+  # which stats are updated in the log.
+  interval: 8
+  # Add decode events to stats.
+  #decoder-events: true
+  # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+  # to missing events in the eve.stats records. See issue #2225.
+  #decoder-events-prefix: "decoder.event"
+  # Add stream events as stats.
+  #stream-events: false
+  exception-policy:
+    #per-app-proto-errors: false  # default: false. True will log errors for
+                                  # each app-proto. Warning: VERY verbose
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      ethernet: true
+      pcap-file: true
+
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
+            verdict: yes
+        - anomaly:
+            enabled: yes
+            types:
+              decode: true
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
+        - drop:
+            alerts: yes       # log alerts that caused drops

tests/bug-7414-decoder-event-02-ips/test.yaml

@@ -0,0 +1,61 @@
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2200005
+        pcap_cnt: 3
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        alert.action: "blocked"
+        packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+        verdict.action: "drop"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.invalid: 1
+        stats.ips.accepted: 2
+        stats.ips.blocked: 1
+        stats.ips.drop_reason.rules: 1
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 3
+        event_type: "anomaly"
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        anomaly.type: "decode"
+        anomaly.event: "decoder.ipv4.opt_pad_required"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 2
+      match:
+        pcap_cnt: 3
+        event_type: "anomaly"
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        anomaly.type: "decode"
+        anomaly.event: "decoder.ipv4.opt_invalid_len"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        alert.signature_id: 2200005
+        pcap_cnt: 3
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        alert.action: "blocked"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+        drop.reason: "rules"