detect: add test for vlan.layers

Ticket: #1065

tests/detect-vlan-layers/README.md

@@ -0,0 +1,6 @@
+Test for checking the working of vlan.layers keyword.
+The packet is an ICMP packet with 3 VLAN layers.
+
+PCAP created with scapy 2.5.0.
+
+redmine ticket: https://redmine.openinfosecfoundation.org/issues/1065

tests/detect-vlan-layers/test.rules

@@ -0,0 +1,4 @@
+alert ip any any -> any any (msg:"Packet has 3 VLAN layers"; vlan.layers:3; sid:1;)
+alert ip any any -> any any (msg:"Packet has more than 2 VLAN layers"; vlan.layers:>2; sid:2;)
+alert ip any any -> any any (msg:"The number of layers in the packet is not 1"; vlan.layers:!1; sid:3;)
+alert ip any any -> any any (msg:"Packet has 0 VLAN layers"; vlan.layers:0; sid:4;)

tests/detect-vlan-layers/test.yaml

@@ -0,0 +1,33 @@
+requires:
+ min-version: 8
+
+pcap: ../detect-vlan-id/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     pcap_cnt: 1
+     alert.signature_id: 1
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     pcap_cnt: 1
+     alert.signature_id: 2
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     pcap_cnt: 1
+     alert.signature_id: 3
+- filter:
+   count: 1
+   match:
+     event_type: alert
+     pcap_cnt: 2
+     alert.signature_id: 4