OISF · Aboussejra · Jan 23, 2026
diff --git a/tests/test-filter-payload-extraction/README.md b/tests/test-filter-payload-extraction/README.md
@@ -0,0 +1,18 @@
+# Test Description
+
+Tests the `payload-only-classtypes` feature which allows filtering payload extraction in EVE alerts based on the rule's classtype.
+
+The test uses three rules:
+1. Rule with classtype `extract-me` (in the filter list) - payload SHOULD be extracted
+2. Rule with classtype `dont-extract-me` (not in the filter list) - payload should NOT be extracted
+3. Rule without any classtype - payload should NOT be extracted (when filtering is enabled)
+
+## PCAP
+
+HTTP traffic with JPG file requests from two different subnets (10.1.1.x and 10.1.2.x) to trigger different rules.
+
+## Related issues
+
+Feature: Add `payload-only-classtypes` filtering to suricata.yaml to filter payload dump by classtype.
+
+https://github.com/OISF/suricata/pull/14680
diff --git a/tests/test-filter-payload-extraction/classification.config b/tests/test-filter-payload-extraction/classification.config
@@ -0,0 +1,3 @@
+# Custom classtypes for payload-only-classtypes filter testing
+config classification: extract-me,Classtype that SHOULD have payload extracted,1
+config classification: dont-extract-me,Classtype that should NOT have payload extracted,2
diff --git a/tests/test-filter-payload-extraction/input.pcap b/tests/test-filter-payload-extraction/input.pcap
diff --git a/tests/test-filter-payload-extraction/suricata.yaml b/tests/test-filter-payload-extraction/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes
+            payload-only-classtypes: ["extract-me"] # dump payload only on specified classtypes if list not empty
+        - flow
+        - http
diff --git a/tests/test-filter-payload-extraction/test.rules b/tests/test-filter-payload-extraction/test.rules
@@ -0,0 +1,6 @@
+# Rule 1: Triggers on 10.1.1.x flow - classtype IS in the payload-only-classtypes list (payload SHOULD be extracted)                                                                                    
+alert http 10.1.1.0/24 any -> any any (msg:"JPG request - filter-me classtype"; fileext:"jpg"; classtype:extract-me; sid:1000001; rev:1;)                                               
+# Rule 2: Triggers on 10.1.2.x flow - classtype NOT in the payload-only-classtypes list (payload should NOT be extracted)                                                                               
+alert http 10.1.2.0/24 any -> any any (msg:"JPG request - don't extract my payload classtype"; fileext:"jpg"; classtype:dont-extract-me; sid:1000002; rev:1;)
+# Rule 3: Triggers on 10.1.2.x flow - No classtype, default rules apply                                                                          
+alert http 10.1.2.0/24 any -> any any (msg:"JPG request - don't extract payload I do not have a classtype"; fileext:"jpg"; sid:1000003; rev:1;)
diff --git a/tests/test-filter-payload-extraction/test.yaml b/tests/test-filter-payload-extraction/test.yaml
@@ -0,0 +1,28 @@
+# *** Add configuration here ***
+
+requires:
+   min-version: 8.0.3
+
+command: |
+  ${SRCDIR}/src/suricata -v --set classification-file="${TEST_DIR}/classification.config" -l ${OUTPUT_DIR} -c ${SRCDIR}/suricata.yaml -S ${TEST_DIR}/test.rules -r ./input.pcap
+
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Classtype that should NOT have payload extracted
+      alert.signature: JPG request - don't extract my payload classtype
+      not-has-key: payload
+- filter:
+    count: 1
+    match:
+      alert.category: Classtype that SHOULD have payload extracted
+      alert.signature: JPG request - filter-me classtype
+      has-key: payload
+- filter:
+    count: 1
+    match:
+      alert.signature: JPG request - don't extract payload I do not have a classtype
+      not-has-key: payload