Feature #2923

suricata-verify: eve2test util

Added by Victor Julien 6 months ago. Updated about 2 months ago.

Target version:


The suricata-verify test.yaml contains a great way to create regression tests. However, creating the test files is tedious. It usually involves taking an eve.json record and then manually creating a matching test.yaml.

I would like to have a small util script in Python that converts an eve.json to the test.yaml format.

Something like:

eve2test eve.json > test.yaml



Updated by Shivani Bhardwaj 5 months ago

  • Status changed from New to Assigned

Updated by Shivani Bhardwaj 5 months ago

If I understand correctly, only the verification filters are run over `eve.json`, so this utility should actually create just the `filter` block and write it in a test file. The developer may then provide all other options like min-version of Suricata, requires, etc. Please let me know.


Updated by Victor Julien 5 months ago

Let's start that way, yes. We can consider adding more logic later, but this is the most valuable first step I think.
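
A sketch of the conversion scoped in the two comments above (only the `filter` blocks are generated), added here as an illustration; it is not the script written for this ticket. It assumes the test.yaml `checks` / `filter` / `count` / `match` layout with dotted keys and `[n]` list indexes; the `VOLATILE` field list, the function names and the sample records are constructed for the example.

```python
import json

# Assumption: top-level fields that differ between runs and are left out of the match.
VOLATILE = {"timestamp", "flow_id"}

def flatten(value, prefix=""):
    """Yield (key, scalar) pairs: nested dicts become a.b, list items a[0]."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from flatten(v, f"{prefix}[{i}]")
    else:
        yield prefix, value

def eve_to_checks(lines):
    """One filter per distinct event; identical events share a filter and raise count."""
    merged = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        match = {k: v for k, v in flatten(event) if k not in VOLATILE}
        key = json.dumps(match, sort_keys=True)
        entry = merged.setdefault(key, {"count": 0, "match": match})
        entry["count"] += 1
    return [{"filter": f} for f in merged.values()]

def to_yaml(checks):
    """Render without a YAML library; json.dumps quotes values, so strings taken
    from captured traffic cannot change the structure of the generated file."""
    out = ["checks:"]
    for check in checks:
        f = check["filter"]
        out += ["- filter:", f"    count: {f['count']}", "    match:"]
        out += [f"      {k}: {json.dumps(v)}" for k, v in f["match"].items()]
    return "\n".join(out) + "\n"

# Constructed sample records, not taken from a real capture.
ALERT = {"timestamp": "2019-01-01T00:00:00.000000+0000", "flow_id": 1,
         "event_type": "alert",
         "alert": {"signature_id": 1, "metadata": {"tag": ["a: b"]}}}
DNS = {"timestamp": "2019-01-01T00:00:01.000000+0000", "flow_id": 2,
       "event_type": "dns", "dns": {"type": "query", "rrname": "example.com"}}
SAMPLE = [json.dumps(ALERT), json.dumps(ALERT), json.dumps(DNS)]

if __name__ == "__main__":
    print(to_yaml(eve_to_checks(SAMPLE)))
```

The two identical alert records collapse into one filter with `count: 2`, which is the case a one-filter-per-line conversion gets wrong.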


Updated by Shivani Bhardwaj 4 months ago

  • Status changed from Assigned to Feedback

Updated by Peter Manev 4 months ago

Some very good reassembly/defrag/vlan corner cases could be found here - with the actual pcaps and rules located here - . I think the utility would make it much easier to add those from the respective resulting eve.jsons into the suricata-verify.


Updated by Shivani Bhardwaj 3 months ago

Unmerged, open for testing:


Updated by Victor Julien about 2 months ago

  • Target version changed from TBD to QA
