OISF · victorjulien · Feb 25, 2026 · Mar 5, 2026 · catenacyber · Mar 29, 2026
diff --git a/tests/arp/detect-arp-01/test.rules b/tests/arp/detect-arp-01/test.rules
@@ -0,0 +1 @@
+alert arp any any -> any any (sid:1;)
diff --git a/tests/arp/detect-arp-01/test.yaml b/tests/arp/detect-arp-01/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 9
+
+pcap: ../../decode-arp-1/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/arp/detect-arp-02-ethhdr/test.rules b/tests/arp/detect-arp-02-ethhdr/test.rules
@@ -0,0 +1 @@
+alert ether any any -> any any (ether.hdr; content:"|08 06|"; offset:12; depth:2; sid:1;)
diff --git a/tests/arp/detect-arp-02-ethhdr/test.yaml b/tests/arp/detect-arp-02-ethhdr/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 9
+
+pcap: ../../decode-arp-1/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/arp/detect-arp-03-vlan/input.pcap b/tests/arp/detect-arp-03-vlan/input.pcap
diff --git a/tests/arp/detect-arp-03-vlan/test.rules b/tests/arp/detect-arp-03-vlan/test.rules
@@ -0,0 +1 @@
+alert arp any any -> any any (sid:1;)
diff --git a/tests/arp/detect-arp-03-vlan/test.yaml b/tests/arp/detect-arp-03-vlan/test.yaml
@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/arp/detect-arp-03-vlan/writepcap.py b/tests/arp/detect-arp-03-vlan/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+# VLAN tagged packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    ARP()
+
+# Double-tagged VLAN (QinQ) packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=1)/Dot1Q(vlan=10)/ \
+    ARP()
+
+# Triple-tagged VLAN (QinQinQ) packet
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=1)/Dot1Q(vlan=10)/Dot1Q(vlan=100)/ \
+    ARP()
+
+wrpcap('input.pcap', pkts)
+
diff --git a/tests/arp/detect-arp-04-vxlan/README.md b/tests/arp/detect-arp-04-vxlan/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test VXLAN decoding and ARP/Ethernet matching
+
+# PCAP
+
+Extracted from:
+
+https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/vxlan.pcap
diff --git a/tests/arp/detect-arp-04-vxlan/test.rules b/tests/arp/detect-arp-04-vxlan/test.rules
@@ -0,0 +1,2 @@
+alert arp any any -> any any (sid:1;)
+alert ether any any -> any any (ether.hdr; content:"|08 00|"; offset:12; depth:2; sid:2;)
diff --git a/tests/arp/detect-arp-04-vxlan/test.yaml b/tests/arp/detect-arp-04-vxlan/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pkt_src: vxlan encapsulation
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        pkt_src: "wire/pcap"
diff --git a/tests/arp/detect-arp-04-vxlan/vxlan-arp.pcap b/tests/arp/detect-arp-04-vxlan/vxlan-arp.pcap
diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules
@@ -1 +1 @@
-alert pkthdr any any -> any any (msg:"SURICATA IPv6 atomic fragment"; icmpv6.mtu:<1280; sid:1;)
+alert ipv6 any any -> any any (msg:"SURICATA IPv6 atomic fragment"; icmpv6.mtu:<1280; sid:1;)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		alert arp any any -> any any (sid:1;)
Copy link Copy Markdown Collaborator catenacyber Mar 29, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Should we test that `alert ip` does not alert on ARP packets ?
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		alert ether any any -> any any (ether.hdr; content:"\|08 06\|"; offset:12; depth:2; sid:1;)
Copy link Copy Markdown Collaborator catenacyber Mar 29, 2026 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Is there a ticket for the ether.type keyword ?
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		alert arp any any -> any any (sid:1;)
		alert ether any any -> any any (ether.hdr; content:"\|08 00\|"; offset:12; depth:2; sid:2;)
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		alert pkthdr any any -> any any (msg:"SURICATA IPv6 atomic fragment"; icmpv6.mtu:<1280; sid:1;)
		alert ipv6 any any -> any any (msg:"SURICATA IPv6 atomic fragment"; icmpv6.mtu:<1280; sid:1;)