Arkime tests

idaholab · Dec 5, 2024 · af6b7d8 · af6b7d8
1 parent b7fe328
commit af6b7d8
Showing 1 changed file with 63 additions and 1 deletion.
diff --git a/src/maltest/tests/test_arkime_api.py b/src/maltest/tests/test_arkime_api.py
@@ -10,8 +10,9 @@
     "protocols/HTTP_1.pcap",
 ]
 
+ARKIME_VIEW = "Arkime Sessions"
 EXPECTED_VIEWS = [
-    "Arkime Sessions",
+    ARKIME_VIEW,
     "Public IP Addresses",
     "Suricata Alerts",
     "Suricata Logs",
@@ -68,6 +69,67 @@ def test_arkime_sessions(
         assert sessions.get("data", [])
 
 
+@pytest.mark.pcap
+@pytest.mark.arkime
+def test_arkime_connections(
+    malcolm_url,
+    malcolm_http_auth,
+    pcap_hash_map,
+):
+    response = requests.post(
+        f"{malcolm_url}/arkime/api/connections",
+        headers={"Content-Type": "application/json"},
+        json={
+            "date": "-1",
+            "expression": f"tags == [{','.join([pcap_hash_map[x] for x in mmguero.GetIterable(UPLOAD_ARTIFACTS)])}]",
+        },
+        allow_redirects=True,
+        auth=malcolm_http_auth,
+        verify=False,
+    )
+    response.raise_for_status()
+    connections = response.json()
+    assert connections.get("links", [])
+    assert connections.get("nodes", [])
+
+
+@pytest.mark.pcap
+@pytest.mark.arkime
+def test_arkime_pcap_payload(
+    malcolm_url,
+    malcolm_http_auth,
+    pcap_hash_map,
+):
+    response = requests.post(
+        f"{malcolm_url}/arkime/api/sessions",
+        headers={"Content-Type": "application/json"},
+        json={
+            "date": "-1",
+            "order": "firstPacket:desc",
+            "view": ARKIME_VIEW,
+            "length": "10",
+            "expression": f"tags == [{','.join([pcap_hash_map[x] for x in mmguero.GetIterable(UPLOAD_ARTIFACTS)])}] && protocols == http && databytes >= 50000",
+        },
+        allow_redirects=True,
+        auth=malcolm_http_auth,
+        verify=False,
+    )
+    response.raise_for_status()
+    sessionsData = response.json().get("data")
+    assert sessionsData
+    sessionsIds = [x["id"] for x in sessionsData if "id" in x]
+    assert sessionsIds
+    response = requests.get(
+        f"{malcolm_url}/arkime/api/sessions/pcap/sessions.pcap",
+        params={"date": "-1", "ids": ','.join(sessionsIds)},
+        allow_redirects=True,
+        auth=malcolm_http_auth,
+        verify=False,
+    )
+    response.raise_for_status()
+    assert len(response.content) >= 500000
+
+
 @pytest.mark.pcap
 @pytest.mark.arkime
 def test_arkime_spiview(