From: Philippe Antoine
Date: Wed, 17 Jul 2019 13:30:08 +0000 (+0200)
Subject: Adds test about DNS probing with junk request
X-Git-Tag: suricata-5.0.10~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=af1b9246c2b8c158225f769ce1cbc0e42ddc7743;p=thirdparty%2Fsuricata-verify.git
Adds test about DNS probing with junk request
---
diff --git a/tests/dns-udp-junkrequest-first/README.md b/tests/dns-udp-junkrequest-first/README.md
new file mode 100644
index 000000000..9160bebf6
--- /dev/null
+++ b/tests/dns-udp-junkrequest-first/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test DNS detection when first request from client is junk.
+
+# PCAP
+
+The pcap comes from running the present dummy python script client.py which first sends junk (SNMP request actually), then a regular DNS request.
diff --git a/tests/dns-udp-junkrequest-first/client.py b/tests/dns-udp-junkrequest-first/client.py
new file mode 100644
index 000000000..70482922c
--- /dev/null
+++ b/tests/dns-udp-junkrequest-first/client.py
@@ -0,0 +1,16 @@
+import socket
+import binascii
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.connect(("192.168.1.1", 53))
+
+snmp = binascii.unhexlify("3040020103300f02030091c8020205dc040104020103041530130400020100020100040561646d696e04000400301304000400a00d02030091c80201000201003000")
+dns = binascii.unhexlify("c58e012000010000000000010b636174656e61637962657202467200000100010000291000000000000000")
+a = sock.send(snmp)
+data = sock.recv(2000)
+print "1", binascii.hexlify(data)
+a = sock.send(dns)
+data = sock.recv(2000)
+print "2", binascii.hexlify(data)
+
+sock.close()
diff --git a/tests/dns-udp-junkrequest-first/input.pcap b/tests/dns-udp-junkrequest-first/input.pcap
new file mode 100644
index 000000000..8b87f791e
Binary files /dev/null and b/tests/dns-udp-junkrequest-first/input.pcap differ
diff --git a/tests/dns-udp-junkrequest-first/test.yaml b/tests/dns-udp-junkrequest-first/test.yaml
new file mode 100644
index 000000000..f4860936b
--- /dev/null
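Review bot: `print "1", binascii.hexlify(data)` and `print "2", binascii.hexlify(data)` are Python 2 print statements, so client.py cannot even be parsed by Python 3; `print("1", binascii.hexlify(data))` and `print("2", binascii.hexlify(data))` work on both interpreters if `from __future__ import print_function` is added for Python 2. The two `sock.recv(2000)` calls have no timeout, so regenerating the pcap hangs forever if the resolver silently drops the SNMP junk instead of answering it; a `sock.settimeout(5)` after the connect, with each recv wrapped in an `except socket.timeout` that prints that no reply arrived, keeps the generator reproducible. The `a = sock.send(...)` results are never read, so the assignments can be dropped. A short module docstring saying that this script only produced input.pcap and is not executed by the test harness would also help the next reader.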
+++ b/tests/dns-udp-junkrequest-first/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 7
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+
+ # Check that there is one DNS event with specific parameters.
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ dns.rrname: catenacyber.Fr
+ # Check that there is one flow event with DNS.
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: dns
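Review bot: Neither check rules out a DNS record being logged for the junk datagram: the first filter pins exactly one query event carrying `dns.rrname: catenacyber.Fr`, so an additional query event with a garbage or empty rrname produced from the SNMP packet would still let the test pass, which is the regression this test exists to catch. A third filter with `count: 1` and `match: event_type: dns` plus `dns.type: query`, without an rrname, closes that gap. The first comment could also state the intent, e.g. `# The leading SNMP datagram must not be logged as DNS; only the real query may appear.` Note that `min-version: 7` skips this test on every earlier branch, including the 5.0.x line this tag belongs to; confirm that is intended.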