From 8ac0adb2bd7e4905e31d7c5f721a94888b83194a Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Wed, 3 Jul 2024 08:29:59 -0400
Subject: [PATCH] tests/decode: Verify unknown ethertype event

Issue: 7129
---
 tests/decode-unknown-1/README.md     |  3 +++
 tests/decode-unknown-1/test.yaml     |  1 +
 tests/decode-unknown-2/suricata.yaml | 15 +++++++++++++++
 tests/decode-unknown-2/test.rules    |  1 +
 tests/decode-unknown-2/test.yaml     | 23 +++++++++++++++++++++++
 5 files changed, 43 insertions(+)
 create mode 100644 tests/decode-unknown-1/README.md
 create mode 100644 tests/decode-unknown-2/suricata.yaml
 create mode 100644 tests/decode-unknown-2/test.rules
 create mode 100644 tests/decode-unknown-2/test.yaml

diff --git a/tests/decode-unknown-1/README.md b/tests/decode-unknown-1/README.md
new file mode 100644
index 000000000..5b4aceb41
--- /dev/null
+++ b/tests/decode-unknown-1/README.md
@@ -0,0 +1,3 @@
+This test is for pre-8.0 deployments.
+
+In 8.0, an event is generated when an unknown ethertype is encountered.
diff --git a/tests/decode-unknown-1/test.yaml b/tests/decode-unknown-1/test.yaml
index 8e826e230..3bfc24511 100644
--- a/tests/decode-unknown-1/test.yaml
+++ b/tests/decode-unknown-1/test.yaml
@@ -1,5 +1,6 @@
 requires:
   min-version: 7
+  lt-version: 8
 
 args:
 - -k none
diff --git a/tests/decode-unknown-2/suricata.yaml b/tests/decode-unknown-2/suricata.yaml
new file mode 100644
index 000000000..6f21e50da
--- /dev/null
+++ b/tests/decode-unknown-2/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filename: eve.json
+      filetype: regular
+      ethernet: yes
+      types:
+        - anomaly:
+            types:
+              decode: yes
+        - stats:
+            totals: yes
diff --git a/tests/decode-unknown-2/test.rules b/tests/decode-unknown-2/test.rules
new file mode 100644
index 000000000..9ccfe5756
--- /dev/null
+++ b/tests/decode-unknown-2/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (content:"data|0a 0a|"; startswith; endswith; sid:1;)
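Review bot: The `ethernet: yes` line under eve-log in suricata.yaml is the only non-default setting that the test depends on, and nothing records why it is there; from the checks in test.yaml it appears to be what makes the `ether.ether_type` field available for the anomaly match, so someone trimming this config could drop it and only find out from a failing filter. I would put `# needed so eve anomaly records carry ether.ether_type, which test.yaml asserts on` directly above it. The stats block deserves the same treatment, since the `decoder.unknown_ethertype` counter check cannot be evaluated without it: `# stats output backs the decoder.* counter checks in test.yaml`.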
diff --git a/tests/decode-unknown-2/test.yaml b/tests/decode-unknown-2/test.yaml
new file mode 100644
index 000000000..88ecbd74d
--- /dev/null
+++ b/tests/decode-unknown-2/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+pcap: ../decode-unknown-1/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      decoder.ethernet: 1
+      decoder.unknown_ethertype: 1
+  - filter:
+      count: 1
+      match:
+        event_type: anomaly
+        ether.ether_type: 47099
+        anomaly.type: decode
+        anomaly.event: decoder.ethernet.unknown_ethertype
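Review bot: None of the checks asserts on `event_type: alert`, even though the patch also loads a UDP content rule from test.rules against the same pcap, so the test passes whether or not that rule fires. If the intent is that a frame with an unknown ethertype is never decoded far enough to reach UDP matching, pin it alongside the other filters with `- filter: {count: 0, match: {event_type: alert}}`; the rule looks carried over from decode-unknown-1, so confirm that a zero count is the expected outcome there as well. It would also be worth adding `decoder.pkts: 1` to the stats block if the shared input.pcap really is a single frame, so the two decoder counters are known to describe the whole capture rather than a subset of it.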