From 50115cdd66d02ebda64ae130f197a91bd0f007b8 Mon Sep 17 00:00:00 2001
From: shifter
Date: Sat, 5 Oct 2024 11:02:33 +0200
Subject: [PATCH] filterx/modules/cef: add parse_leef light test

Signed-off-by: shifter
---
 .../functional_tests/filterx/test_filterx.py | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tests/light/functional_tests/filterx/test_filterx.py b/tests/light/functional_tests/filterx/test_filterx.py
index b11b2c4dc..2da2f12a3 100644
--- a/tests/light/functional_tests/filterx/test_filterx.py
+++ b/tests/light/functional_tests/filterx/test_filterx.py
@@ -2366,3 +2366,32 @@ def test_parse_cef(config, syslog_ng):
 r"""}""" + "\n"
 )
 assert file_true.read_log() == exp
+
+
+def test_parse_leef(config, syslog_ng):
+ (file_true, file_false) = create_config(
+ config, r"""
+ custom_message = "LEEF:1.0|Microsoft|MSExchange|4.0 SP1|15345|src=192.0.2.0 dst=172.50.123.1 sev=5cat=anomaly srcPort=81 dstPort=21 usrName=joe.black";
+ $MSG = json(parse_leef(custom_message));
+ """,
+ )
+ syslog_ng.start(config)
+
+ assert file_true.get_stats()["processed"] == 1
+ assert "processed" not in file_false.get_stats()
+ exp = (
+ r"""{"version":"1.0","""
+ r""""vendor":"Microsoft","""
+ r""""productName":"MSExchange","""
+ r""""productVersion":"4.0 SP1","""
+ r""""eventId":"15345","""
+ r""""extensions":{"""
+ r""""src":"192.0.2.0","""
+ r""""dst":"172.50.123.1","""
+ r""""sev":"5cat=anomaly","""
+ r""""srcPort":"81","""
+ r""""dstPort":"21","""
+ r""""usrName":"joe.black"}"""
+ r"""}""" + "\n"
+ )
+ assert file_true.read_log() == exp
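Review bot: The sample message in `test_parse_leef` has no separator between `sev=5` and `cat=anomaly`, and `exp` pins `"sev":"5cat=anomaly"`, so the test locks in how the parser treats a run-together pair without saying whether that is intended. If it is deliberate malformed-input coverage, add a Python comment above the `create_config(` call such as `# sev/cat intentionally lack a separator: the pair must stay inside the sev value`; if it is a typo, separate the two pairs and add `"cat":"anomaly"` to `exp`. LEEF records usually arrive from remote senders, so a second case with a message `parse_leef` should reject would be worth adding, asserting that nothing reaches `file_true` (presumably the message is then counted on `file_false`, going by the existing `"processed" not in file_false.get_stats()` check). As written, only the accepting path is exercised.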