filterx/modules/cef: add parse_leef light test

Signed-off-by: shifter <shifter@axoflow.com>
bshifter · Oct 5, 2024 · 50115cd · 50115cd
1 parent 2cbffa0
commit 50115cd
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/tests/light/functional_tests/filterx/test_filterx.py b/tests/light/functional_tests/filterx/test_filterx.py
@@ -2366,3 +2366,32 @@ def test_parse_cef(config, syslog_ng):
         r"""}""" + "\n"
     )
     assert file_true.read_log() == exp
+
+
+def test_parse_leef(config, syslog_ng):
+    (file_true, file_false) = create_config(
+        config, r"""
+    custom_message = "LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|src=192.0.2.0 dst=172.50.123.1 sev=5cat=anomaly srcPort=81 dstPort=21 usrName=joe.black";
+    $MSG = json(parse_leef(custom_message));
+    """,
+    )
+    syslog_ng.start(config)
+
+    assert file_true.get_stats()["processed"] == 1
+    assert "processed" not in file_false.get_stats()
+    exp = (
+        r"""{"version":"1.0","""
+        r""""vendor":"Microsoft","""
+        r""""productName":"MSExchange","""
+        r""""productVersion":"4.0 SP1","""
+        r""""eventId":"15345","""
+        r""""extensions":{"""
+            r""""src":"192.0.2.0","""
+            r""""dst":"172.50.123.1","""
+            r""""sev":"5cat=anomaly","""
+            r""""srcPort":"81","""
+            r""""dstPort":"21","""
+            r""""usrName":"joe.black"}"""
+        r"""}""" + "\n"
+    )
+    assert file_true.read_log() == exp