tests: add ether.hdr and arp tests

victorjulien · victorjulien · commit ad6196fe9c77 · 2026-03-30T17:01:09.000+02:00
diff --git a/tests/arp/detect-arp-01/test.rules b/tests/arp/detect-arp-01/test.rules
@@ -0,0 +1 @@
+alert arp any any -> any any (sid:1;)
diff --git a/tests/arp/detect-arp-01/test.yaml b/tests/arp/detect-arp-01/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 9
+
+pcap: ../../decode-arp-1/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/arp/detect-arp-02-ethhdr/test.rules b/tests/arp/detect-arp-02-ethhdr/test.rules
@@ -0,0 +1 @@
+alert ether any any -> any any (ether.hdr; content:"|08 06|"; offset:12; depth:2; sid:1;)
diff --git a/tests/arp/detect-arp-02-ethhdr/test.yaml b/tests/arp/detect-arp-02-ethhdr/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 9
+
+pcap: ../../decode-arp-1/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/arp/detect-arp-03-vlan/input.pcap b/tests/arp/detect-arp-03-vlan/input.pcap
diff --git a/tests/arp/detect-arp-03-vlan/test.rules b/tests/arp/detect-arp-03-vlan/test.rules
@@ -0,0 +1 @@
+alert arp any any -> any any (sid:1;)
diff --git a/tests/arp/detect-arp-03-vlan/test.yaml b/tests/arp/detect-arp-03-vlan/test.yaml
@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/arp/detect-arp-03-vlan/writepcap.py b/tests/arp/detect-arp-03-vlan/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+# VLAN tagged packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    ARP()
+
+# Double-tagged VLAN (QinQ) packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=1)/Dot1Q(vlan=10)/ \
+    ARP()
+
+# Triple-tagged VLAN (QinQinQ) packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=1)/Dot1Q(vlan=10)/Dot1Q(vlan=100)/ \
+    ARP()
+
+wrpcap('input.pcap', pkts)
+
diff --git a/tests/arp/detect-arp-04-vxlan/README.md b/tests/arp/detect-arp-04-vxlan/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test VXLAN decoding and ARP/Ethernet matching
+
+# PCAP
+
+Extracted from:
+
+https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/vxlan.pcap
diff --git a/tests/arp/detect-arp-04-vxlan/test.rules b/tests/arp/detect-arp-04-vxlan/test.rules
@@ -0,0 +1,2 @@
+alert arp any any -> any any (sid:1;)
+alert ether any any -> any any (ether.hdr; content:"|08 00|"; offset:12; depth:2; sid:2;)
diff --git a/tests/arp/detect-arp-04-vxlan/test.yaml b/tests/arp/detect-arp-04-vxlan/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pkt_src: vxlan encapsulation
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        pkt_src: "wire/pcap"
diff --git a/tests/arp/detect-arp-04-vxlan/vxlan-arp.pcap b/tests/arp/detect-arp-04-vxlan/vxlan-arp.pcap

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+alert ether any any -> any any (ether.hdr; content:"\|08 06\|"; offset:12; depth:2; sid:1;)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+alert arp any any -> any any (sid:1;)`
	`2`	`+alert ether any any -> any any (ether.hdr; content:"\|08 00\|"; offset:12; depth:2; sid:2;)`