test: add test for dns.rrtype 1675/head
authorHadiqa Alamdar Bukhari <hadiqaalamdar@gmail.com>
Fri, 2 Feb 2024 13:38:49 +0000 (18:38 +0500)
committerVictor Julien <victor@inliniac.net>
Thu, 29 Feb 2024 15:47:10 +0000 (16:47 +0100)
Feature #6666

tests/dns/dns-rrtype/README.md [new file with mode: 0644]
tests/dns/dns-rrtype/test.rules [new file with mode: 0644]
tests/dns/dns-rrtype/test.yaml [new file with mode: 0644]

diff --git a/tests/dns/dns-rrtype/README.md b/tests/dns/dns-rrtype/README.md
new file mode 100644 (file)
index 0000000..24b8c57
--- /dev/null
@@ -0,0 +1,5 @@
+Test the `dns.rrtype` value.
+
+The PCAP here was reused from ./tests/dns/dns-eve-empty-format/input.pcap
+
+Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6666
\ No newline at end of file
diff --git a/tests/dns/dns-rrtype/test.rules b/tests/dns/dns-rrtype/test.rules
new file mode 100644 (file)
index 0000000..a40941b
--- /dev/null
@@ -0,0 +1,8 @@
+# Only alert on requests.
+alert dns any any -> any any (dns.rrtype:1; flow:to_server; sid:1; rev:1;)
+
+# Only alert on responses.
+alert dns any any -> any any (dns.rrtype:1; flow:to_client; sid:2; rev:1;)
+
+# Negated rrtype value
+alert dns any any -> any any (dns.rrtype:!2; flow:to_client; sid:3; rev:1;)
\ No newline at end of file
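Review bot: The comment on sid 3 only names the construct ("Negated rrtype value") and does not say what the rule is expected to do, which matters because `dns.rrtype:!2` is satisfied by the same A-record responses that already trigger sid 2. A one-line expectation makes the test readable without opening test.yaml: `# Negated rrtype value: must fire on responses whose answer rrtype is anything but NS (2), so the A (1) answers in this PCAP still match.` The same wording convention ("Only alert on …") used for sid 1 and sid 2 could be kept for consistency.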
diff --git a/tests/dns/dns-rrtype/test.yaml b/tests/dns/dns-rrtype/test.yaml
new file mode 100644 (file)
index 0000000..ca8b156
--- /dev/null
@@ -0,0 +1,42 @@
+requires:
+  min-version: 8
+
+pcap: ../dns-eve-empty-format/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+        dest_ip: 10.16.1.1
+        dest_port: 53
+        direction: to_server
+        app_proto: dns
+        event_type: alert
+        dns.query[0].rrtype: A
+        src_ip: 10.16.1.11
+        src_port: 57634
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 2
+        dest_ip: 10.16.1.11
+        dest_port: 33458
+        direction: to_client
+        app_proto: dns
+        event_type: alert
+        dns.answer.rrtype: A
+        src_ip: 10.16.1.1
+        src_port: 53
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 3
+        dest_ip: 10.16.1.11
+        dest_port: 33458
+        direction: to_client
+        app_proto: dns
+        event_type: alert
+        dns.answer.rrtype: A
+        src_ip: 10.16.1.1
+        src_port: 53
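Review bot: The sid 3 check is identical to the sid 2 check apart from `alert.signature_id`, so it cannot tell whether negation is implemented: a rule that ignored the `!` and matched `dns.rrtype:2` literally would fail here, but one that matched every response would pass just like sid 2. A negative assertion is the missing half of the negation test — for instance a rule `dns.rrtype:!1` with `flow:to_client` (sid 4 in test.rules) paired with `- filter: { count: 0, match: { event_type: alert, alert.signature_id: 4 } }` here, since the only answer rrtype this PCAP is shown to carry is A. Whether `!` on a multi-answer response means "no answer is of that type" or "some answer is not of that type" is not pinned by these checks either; if the keyword documents one of those, a single-line comment in this file stating which one would help future readers.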