diff --git a/tests/eve-alert-file_data/suricata.yaml b/tests/eve-alert-file_data/suricata.yaml
new file mode 100644
index 000000000..0630393e2
--- /dev/null
+++ b/tests/eve-alert-file_data/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+
+      # Enable to disable top-level metadata logging. Default: yes.
+      #metadata: no
+
+      types:
+        - alert:
+            file-data: yes
+            payload-buffer-size: 50
+        - files
diff --git a/tests/eve-alert-file_data/test.rules b/tests/eve-alert-file_data/test.rules
new file mode 100644
index 000000000..5754487db
--- /dev/null
+++ b/tests/eve-alert-file_data/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; flow:established,to_client; file.data; content:"|50 4E 47|"; sid:1; rev:1;)
diff --git a/tests/eve-alert-file_data/test.yaml b/tests/eve-alert-file_data/test.yaml
new file mode 100644
index 000000000..13ed8d579
--- /dev/null
+++ b/tests/eve-alert-file_data/test.yaml
@@ -0,0 +1,15 @@
+pcap: ../filestore-filecontainer-http/filecontainer-http.pcap
+
+args:
+  - -k none
+
+requires:
+  script:
+    - grep LOG_JSON_FILE_DATA src/output-json-alert.c > /dev/null
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        files[0].data: iVBORw0KGgoAAAANSUhEUgAAACQAAAAkCAYAAADhAJiYAAAAGXRFWHRTb2Z0d2FyZQA=
diff --git a/tests/filestore-v2.7-stream-depth/suricata.yaml b/tests/filestore-v2.7-stream-depth/suricata.yaml
index 46a2d1c4a..11e4ba960 100644
--- a/tests/filestore-v2.7-stream-depth/suricata.yaml
+++ b/tests/filestore-v2.7-stream-depth/suricata.yaml
@@ -6,11 +6,12 @@ outputs:
       enabled: yes
       types:
         - files
-  - stream:
-      reassembly:
-        depth: 1000
   - file-store:
       version: 2
       enabled: yes
       force-filestore: yes
       stream-depth: 100000
+
+stream:
+  reassembly:
+    depth: 1000
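Review bot: The comment `# Enable to disable top-level metadata logging. Default: yes.` above the commented-out `#metadata: no` in the new eve-alert-file_data/suricata.yaml reads as a contradiction ("enable to disable"); since this fixture is new rather than copied context, prefer `# Set to "no" to disable top-level metadata logging (default: yes).`. The `include: ../../etc/suricata-4.0.3.yaml` line also pins every inherited default of this test to that one etc/ snapshot, which is presumably intended but is not stated; a one-line comment such as `# pinned to the 4.0.3 defaults so inherited settings do not drift with newer etc/ files` would make that explicit to whoever updates the etc/ directory later.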
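Review bot: The `content:"|50 4E 47|"` match in the new test.rules is unanchored within the file.data buffer, so the rule fires on any served file whose body contains the bytes "PNG" anywhere, not only on files that begin with the PNG signature. For this fixture that is harmless because test.yaml asserts `count: 1`, but if the intent is to match the PNG magic, anchoring it at the start of the buffer, e.g. `content:"|89 50 4E 47|"; depth:4;`, states that intent and keeps the rule from matching by coincidence if the pcap is ever swapped. A short `# matches the PNG signature at the start of the HTTP response body` comment in the rules file would also help, since `msg:"TEST"` says nothing about what is being exercised.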
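Review bot: The expected `files[0].data` value in the new test.yaml is tightly coupled to `payload-buffer-size: 50` in the sibling suricata.yaml (the 68-character base64 string with one `=` decodes to 50 bytes, and its prefix `iVBORw0KGgo` is the PNG signature), but nothing in test.yaml records that; a change to the buffer size will break this assertion with no hint why. Add a comment above the match, e.g. `# first 50 bytes of the PNG body, base64; length follows payload-buffer-size in suricata.yaml`. The `- -k none` argument likewise deserves a one-line `# pcap has bad checksums; disable verification` style comment, assuming that is the reason it is passed, since the pcap is borrowed from another test and the reader cannot tell from here.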
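Review bot: The top-level `stream: reassembly: depth: 1000` added to filestore-v2.7-stream-depth/suricata.yaml sits next to a file-store `stream-depth: 100000` that is a hundred times larger, and the fixture does not say that the mismatch is deliberate; the old placement under `outputs:` suggests the setting was previously being ignored entirely, so the test may only now be exercising what its name claims. Add a comment above the new block, e.g. `# intentionally lower than file-store stream-depth; the test checks which depth wins for stored files`, hedged as appropriate if the intended precedence is the other way round. The enclosing `outputs:` list begins above this hunk.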