From: Jason Ish
Date: Mon, 24 Feb 2025 17:38:44 +0000 (-0600)
Subject: test: dns rdata match on additionals cname
X-Git-Tag: suricata-7.0.9~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2337%2Fhead;p=thirdparty%2Fsuricata-verify.git
test: dns rdata match on additionals cname
Also provides coverage.
---
diff --git a/pcaps/20250224-dns-additionals-with-cname.pcap b/pcaps/20250224-dns-additionals-with-cname.pcap
new file mode 100644
index 000000000..473814b5f
Binary files /dev/null and b/pcaps/20250224-dns-additionals-with-cname.pcap differ
diff --git a/pcaps/20250224-dns-additionals-with-cname.txt b/pcaps/20250224-dns-additionals-with-cname.txt
new file mode 100644
index 000000000..d3cf5be77
--- /dev/null
+++ b/pcaps/20250224-dns-additionals-with-cname.txt
@@ -0,0 +1,38 @@
+```
+# Scapy script to create a DNS response with an addtional field that
+# contains an rrname as these can be hard to find in the wild
+
+from scapy.all import *
+
+request = (
+ IP(dst="8.8.8.8")
+ / UDP(dport=53)
+ / DNS(rd=1, qd=DNSQR(qname="example.com", qtype="A"))
+)
+
+# Create a DNS response with an additional record
+dns_response = (
+ IP(dst=request[IP].src, src=request[IP].dst)
+ / UDP(dport=request[UDP].sport, sport=request[UDP].dport)
+ / DNS(
+ id=request[DNS].id,
+ qr=1,
+ aa=1,
+ rd=request[DNS].rd,
+ ra=1,
+ qd=request[DNS].qd,
+ an=DNSRR(
+ rrname=request[DNS].qd.qname.decode(), type=request[DNS].qd.qtype, ttl=300, rdata="192.168.1.1"
+ ),
+ ar=DNSRR(
+ rrname="service.example.com",
+ type="CNAME",
+ ttl=300,
+ rdata="internal-service.example.net",
+ ),
+ )
+)
+
+# Write to pcap.
+wrpcap("scapy-dns-with-additionals-rrname.pcap", [request, dns_response])
+```
diff --git a/tests/dns/dns-additionals-rdata/README.md b/tests/dns/dns-additionals-rdata/README.md
new file mode 100644
index 000000000..8470f1abd
--- /dev/null
+++ b/tests/dns/dns-additionals-rdata/README.md
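Review bot: The script writes its output to `scapy-dns-with-additionals-rrname.pcap`, while the pcap committed alongside it (and referenced by test.yaml) is `pcaps/20250224-dns-additionals-with-cname.pcap`, so running the script as shown does not reproduce the committed file without a manual rename; changing the last line to `wrpcap("20250224-dns-additionals-with-cname.pcap", [request, dns_response])` keeps the two in step. The request is built without an explicit `src` address or `sport`, so the response's `dst`/`dport` are presumably whatever scapy fills in on the generating host, which makes the pcap content host-dependent; pinning both (e.g. `IP(src="<fixed src address>", dst="8.8.8.8")` and `UDP(sport=<fixed port>, dport=53)`, placeholders to be chosen) would make regeneration deterministic. The comment on the second line also misspells "additional" as `addtional`.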
@@ -0,0 +1,2 @@
+Test matching on a DNS additionals response where the rdata is a resource name,
+in this case a CNAME.
diff --git a/tests/dns/dns-additionals-rdata/test.rules b/tests/dns/dns-additionals-rdata/test.rules
new file mode 100644
index 000000000..074eec072
--- /dev/null
+++ b/tests/dns/dns-additionals-rdata/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.response.rrname; content:"internal-service.example.net"; sid:5; rev:1;)
diff --git a/tests/dns/dns-additionals-rdata/test.yaml b/tests/dns/dns-additionals-rdata/test.yaml
new file mode 100644
index 000000000..aa6b3a693
--- /dev/null
+++ b/tests/dns/dns-additionals-rdata/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ min-version: 8
+
+pcap: ../../../pcaps/20250224-dns-additionals-with-cname.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 5
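Review bot: The rule matches `internal-service.example.net` through `dns.response.rrname` with an unanchored `content`, and nothing in the rule file records that this string occurs in the pcap only as the CNAME rdata of the additional record, which is what makes a hit evidence for the rdata path the commit title describes. A one-line comment above the rule would carry that intent for future readers, e.g. `# internal-service.example.net appears only as the rdata of the additional CNAME, so a match shows rdata is reachable via dns.response.rrname`. If a stricter match is wanted, adding `endswith;` after the content would also rule out a hit on a longer name containing this string, though the positive case is all test.yaml currently checks.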