decoder/tunnels: add test for tunnel ids

Ticket: 7674

Author: catenacyber

tests/decoder-tunnels-01/README.md

@@ -0,0 +1,11 @@
+# Description
+
+Test tunnel identifiers
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7674
+
+# PCAP
+
+Crafter with scapy script.py

tests/decoder-tunnels-01/script.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+from scapy.all import *
+from scapy.contrib.erspan import *
+
+pkts = []
+
+pkt1 = Ether()/IP(dst='192.168.1.2', src='192.168.1.3')/UDP()/VXLAN(vni=123)/Ether()/IP(dst='10.1.2.3', src='10.1.2.4')/ICMP(type=8)/"pxng"
+pkt2 = Ether()/IP(dst='192.168.1.2', src='192.168.1.4')/GRE()/ERSPAN_II(session_id=321)/Ether()/IP(dst='10.1.2.3', src='10.1.2.4')/ICMP(type=8)/"peng"
+
+
+pkts += pkt1
+pkts += pkt2
+
+wrpcap('tunnels.pcap', pkts)

tests/decoder-tunnels-01/suricata.yaml

@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - flow
+
+decoder:
+  tunnels:
+    - id: 1
+      type: erspan2
+      src: 192.168.1.4
+      dst: 192.168.1.2
+      session: 321
+    - id: 2
+      type: vxlan
+      src: 192.168.1.3
+      dst: 192.168.1.2
+      session: 123

tests/decoder-tunnels-01/test.rules

@@ -0,0 +1,2 @@
+alert icmp any any -> any any (itype:8; sid:1;)
+

tests/decoder-tunnels-01/test.yaml

@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+  - --set decoder.vxlan.enabled=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: "ICMP"
+        tunnel_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: "ICMP"
+        tunnel_id: 2