dns: adds test for corrupt additionals
authorPhilippe Antoine <pantoine@oisf.net>
Tue, 10 Sep 2024 13:30:06 +0000 (15:30 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 10 Jan 2025 08:16:34 +0000 (09:16 +0100)
Ticket: 7228

tests/dns/dns-corrupt-additionals/README.md [new file with mode: 0644]
tests/dns/dns-corrupt-additionals/dns-events.rules [new file with mode: 0644]
tests/dns/dns-corrupt-additionals/input.pcap [new file with mode: 0644]
tests/dns/dns-corrupt-additionals/test.yaml [new file with mode: 0644]

diff --git a/tests/dns/dns-corrupt-additionals/README.md b/tests/dns/dns-corrupt-additionals/README.md
new file mode 100644 (file)
index 0000000..180b0f4
--- /dev/null
@@ -0,0 +1,10 @@
+# Description
+
+Test logging of DNS with corrupt additionals
+
+https://redmine.openinfosecfoundation.org/issues/7228
+
+# PCAP
+
+The pcap is from https://redmine.openinfosecfoundation.org/issues/7228
+(crafted to corrupt additionals)
diff --git a/tests/dns/dns-corrupt-additionals/dns-events.rules b/tests/dns/dns-corrupt-additionals/dns-events.rules
new file mode 100644 (file)
index 0000000..9d4969c
--- /dev/null
@@ -0,0 +1,12 @@
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;)
+alert dns any any -> any any (msg:"SURICATA DNS invalid additionals"; app-layer-event:dns.invalid_additionals; classtype:protocol-command-decode; sid:2240008; rev:1;)
+alert dns any any -> any any (msg:"SURICATA DNS invalid authorities"; app-layer-event:dns.invalid_authorities; classtype:protocol-command-decode; sid:2240009; rev:1;)
diff --git a/tests/dns/dns-corrupt-additionals/input.pcap b/tests/dns/dns-corrupt-additionals/input.pcap
new file mode 100644 (file)
index 0000000..6afd8a3
Binary files /dev/null and b/tests/dns/dns-corrupt-additionals/input.pcap differ
diff --git a/tests/dns/dns-corrupt-additionals/test.yaml b/tests/dns/dns-corrupt-additionals/test.yaml
new file mode 100644 (file)
index 0000000..c060efd
--- /dev/null
@@ -0,0 +1,18 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: dns
+      dns.answers[0].rrname:  "_sip._udp.sip.voice.google.com"
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2240008
+      dns.queries[0].rrtype: SRV
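Review bot: The second filter only asserts that sid 2240008 (dns.invalid_additionals) fires once; nothing in test.yaml asserts that the generic malformed-data signatures the test loads from dns-events.rules (sids 2240002/2240003) or the sibling dns.invalid_authorities rule (2240009) stay silent on this pcap, so a regression that again raises the generic event for corrupt additionals would still pass as long as the specific one is also emitted. Adding `count: 0` filters for those sids pins the behaviour the ticket is about; I would also drop the stray double space in `dns.answers[0].rrname:  "_sip._udp.sip.voice.google.com"` for consistency with the other match keys. If the intent is that 2240003 legitimately fires too on this pcap, a one-line comment above the check saying so would save the next reader from wondering.
```yaml
checks:
# … unchanged: the two existing filters (dns event, sid 2240008 alert) …
- filter:
    count: 0
    match:
      event_type: alert
      alert.signature_id: 2240003
- filter:
    count: 0
    match:
      event_type: alert
      alert.signature_id: 2240009
```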