From: Jason Ish Date: Tue, 11 Mar 2025 22:58:10 +0000 (-0600) Subject: test: add test for suricata.dns lua lib X-Git-Tag: suricata-7.0.10~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2353%2Fhead;p=thirdparty%2Fsuricata-verify.git test: add test for suricata.dns lua lib Copy existing tests to a pre8 variant for 7.0 testing. --- diff --git a/tests/datasets/datasets-lua-02/dataset-dns.lua b/tests/datasets/datasets-lua-02/dataset-dns.lua index 044cabdb5..b01a4be8d 100644 --- a/tests/datasets/datasets-lua-02/dataset-dns.lua +++ b/tests/datasets/datasets-lua-02/dataset-dns.lua @@ -1,4 +1,5 @@ local dataset = require("suricata.dataset") +local dns = require("suricata.dns") function init (args) local needs = {} @@ -17,7 +18,8 @@ end function match (args) ipver, srcip, dstip, proto, sp, dp = SCFlowTuple() - query = DnsGetDnsRrname() + local tx = dns.get_tx() + query = tx:rrname() if query == nil then return 0 end diff --git a/tests/dns-lua-rules-pre8/suricata.yaml b/tests/dns-lua-rules-pre8/suricata.yaml new file mode 100644 index 000000000..51af22dfa --- /dev/null +++ b/tests/dns-lua-rules-pre8/suricata.yaml @@ -0,0 +1,4 @@ +%YAML 1.1 +--- + +include: ../../etc/suricata-4.0.3.yaml diff --git a/tests/dns-lua-rules-pre8/test-request.lua b/tests/dns-lua-rules-pre8/test-request.lua new file mode 100644 index 000000000..281bff1e6 --- /dev/null +++ b/tests/dns-lua-rules-pre8/test-request.lua 
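Review bot: In the dataset-dns.lua hunk, `local tx = dns.get_tx()` is dereferenced on the very next line with `tx:rrname()` and never checked for nil, so a failed `get_tx()` raises a Lua error inside `match` instead of producing a non-match; the new-API `test-request.lua` in this same commit shows the call returning `tx, err` and guarding it. Suggest `local tx, err = dns.get_tx()` followed by `if tx == nil then return 0 end` before the `rrname()` call. `query` is also still assigned without `local` here, so it lands in the global table; `local query = tx:rrname()` is the same behaviour for this function unless some other function in the file reads it. The enclosing `match` function continues outside the hunk.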
@@ -0,0 +1,52 @@
+function init (args)
+ local needs = {}
+ needs["dns.request"] = tostring(true)
+ return needs
+end
+
+function count(t)
+ local count = 0
+ for _ in pairs(t) do
+ count = count + 1
+ end
+ return count
+end
+
+function match(args)
+ if DnsGetTxid() ~= 36146 then
+ return 0
+ end
+
+ -- The requested name.
+ local rrname = DnsGetDnsRrname()
+ if rrname ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ -- Queries
+ local queries = DnsGetQueries()
+ if queries == nil then return 0 end
+
+ -- There should only be one query.
+ if count(queries) ~= 1 then return 0 end
+
+ local query = queries[0]
+
+ if query["type"] ~= "A" then
+ return 0
+ end
+
+ if query["rrname"] ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ local answers = DnsGetAnswers()
+ if answers == nil then return 0 end
+ if count(answers) ~= 0 then return 0 end
+
+ local authorities = DnsGetAuthorities()
+ if authorities == nil then return 0 end
+ if count(authorities) ~= 0 then return 0 end
+
+ return 1
+end
diff --git a/tests/dns-lua-rules-pre8/test-response.lua b/tests/dns-lua-rules-pre8/test-response.lua
new file mode 100644
index 000000000..6c1c84641
--- /dev/null
+++ b/tests/dns-lua-rules-pre8/test-response.lua
@@ -0,0 +1,57 @@
+function init (args)
+ local needs = {}
+ needs["dns.response"] = tostring(true)
+ return needs
+end
+
+function count(t)
+ local count = 0
+ for _ in pairs(t) do
+ count = count + 1
+ end
+ return count
+end
+
+function match(args)
+ if DnsGetTxid() ~= 36146 then
+ return 0
+ end
+
+ -- The requested name.
+ local rrname = DnsGetDnsRrname()
+ if rrname ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ -- Queries
+ local queries = DnsGetQueries()
+ if queries == nil then return 0 end
+
+ -- There should only be one query.
+ if count(queries) ~= 1 then return 0 end
+
+ local query = queries[0]
+
+ if query["type"] ~= "A" then
+ return 0
+ end
+
+ if query["rrname"] ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ local rcode = DnsGetRcode()
+ print(rcode)
+
+ local answers = DnsGetAnswers()
+ if answers == nil then return 0 end
+ if count(answers) ~= 3 then return 0 end
+
+ local authorities = DnsGetAuthorities()
+ if authorities == nil then return 0 end
+ if count(authorities) ~= 0 then return 0 end
+
+ -- TODO: Look at the answers.
+
+ return 1
+end
diff --git a/tests/dns-lua-rules-pre8/test-rrname.lua b/tests/dns-lua-rules-pre8/test-rrname.lua
new file mode 100644
index 000000000..f5b1059d7
--- /dev/null
+++ b/tests/dns-lua-rules-pre8/test-rrname.lua
@@ -0,0 +1,13 @@
+function init (args)
+ local needs = {}
+ needs["dns.rrname"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ rrname = tostring(args["dns.rrname"])
+ if rrname == "www.suricata-ids.org" then
+ return 1
+ end
+ return 0
+end
diff --git a/tests/dns-lua-rules-pre8/test.rules b/tests/dns-lua-rules-pre8/test.rules
new file mode 100644
index 000000000..7ff3f02d9
--- /dev/null
+++ b/tests/dns-lua-rules-pre8/test.rules
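Review bot: `print(rcode)` right after `local rcode = DnsGetRcode()` in the pre8 test-response.lua is leftover debugging: it writes to stdout on every matching response and asserts nothing, so a wrong rcode still produces the alert that test.yaml counts. The deleted `lua-output-dns-pre8/test.yaml` greps `NXDOMAIN` out of a log line built from this same value, which suggests the legacy call returns the rcode name; if so, `if rcode ~= "NOERROR" then return 0 end` turns it into the check the 8.x variant of this test makes via `tx:rcode_string()`. The `-- TODO: Look at the answers.` further down also still stands: three answers are counted but none is inspected.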
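Review bot: `rrname = tostring(args["dns.rrname"])` in the test-rrname.lua `match` assigns a global, since Lua makes any undeclared name global. Nothing in this script reads it elsewhere, so `local rrname = tostring(args["dns.rrname"])` keeps the same behaviour and avoids leaking state into the script's global table.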
@@ -0,0 +1,7 @@
+alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+ lua:test-rrname.lua; sid:1; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.request"; \
+ lua:test-request.lua; sid:2; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.response"; \
+ lua:test-response.lua; sid:3; rev:1;)
+
\ No newline at end of file
diff --git a/tests/dns-lua-rules-pre8/test.yaml b/tests/dns-lua-rules-pre8/test.yaml
new file mode 100644
index 000000000..e96bf9d15
--- /dev/null
+++ b/tests/dns-lua-rules-pre8/test.yaml
@@ -0,0 +1,23 @@
+pcap: ../cond-log-dns-dig/input.pcap
+
+requires:
+ features:
+ - HAVE_LUA
+ lt-version: 8
+
+args:
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
diff --git a/tests/dns-lua-rules/test-request.lua b/tests/dns-lua-rules/test-request.lua
index 281bff1e6..a4c6d09ea 100644
--- a/tests/dns-lua-rules/test-request.lua
+++ b/tests/dns-lua-rules/test-request.lua
@@ -1,3 +1,5 @@
+local dns = require("suricata.dns")
+
 function init (args)
 local needs = {}
 needs["dns.request"] = tostring(true)
@@ -13,18 +15,24 @@ function count(t)
 end
 
 function match(args)
- if DnsGetTxid() ~= 36146 then
+ local tx, err = dns.get_tx()
+ if tx == nil then
+ print(err)
+ return 0
+ end
+
+ if tx:txid() ~= 36146 then
 return 0
 end
 
 -- The requested name.
- local rrname = DnsGetDnsRrname()
+ local rrname = tx:rrname()
 if rrname ~= "www.suricata-ids.org" then
 return 0
 end
 
 -- Queries
- local queries = DnsGetQueries()
+ local queries = tx:queries()
 if queries == nil then return 0 end
 
 -- There should only be one query.
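Review bot: `print(err)` in the new nil guard of `match` in dns-lua-rules/test-request.lua goes to the process stdout rather than to Suricata's log, so when `dns.get_tx()` fails the reason is easy to miss in a verifier run whose checks read eve.json and suricata.log. The deleted pre8 output script calls `SCLogNotice` from `setup`, so `SCLogNotice("dns.get_tx failed: " .. tostring(err))` would keep the diagnostic with the rest of the run, assuming that function is still exposed to 8.x rule scripts. Separately, `local query = queries[0]` further down in `match`, outside this hunk, is unchanged while the table now comes from `tx:queries()`; if the new library builds a 1-based sequence that lookup yields nil and `query["type"]` raises, so confirm which index the new API uses. `match` continues past the end of this hunk.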
@@ -40,11 +48,11 @@ function match(args)
 return 0
 end
 
- local answers = DnsGetAnswers()
+ local answers = tx:answers()
 if answers == nil then return 0 end
 if count(answers) ~= 0 then return 0 end
 
- local authorities = DnsGetAuthorities()
+ local authorities = tx:authorities()
 if authorities == nil then return 0 end
 if count(authorities) ~= 0 then return 0 end
 
diff --git a/tests/dns-lua-rules/test-response.lua b/tests/dns-lua-rules/test-response.lua
index 6c1c84641..bb125d21d 100644
--- a/tests/dns-lua-rules/test-response.lua
+++ b/tests/dns-lua-rules/test-response.lua
@@ -1,3 +1,5 @@
+local dns = require("suricata.dns")
+
 function init (args)
 local needs = {}
 needs["dns.response"] = tostring(true)
@@ -13,18 +15,20 @@ function count(t)
 end
 
 function match(args)
- if DnsGetTxid() ~= 36146 then
+ local tx = dns.get_tx()
+
+ if tx:txid() ~= 36146 then
 return 0
 end
 
 -- The requested name.
- local rrname = DnsGetDnsRrname()
+ local rrname = tx:rrname()
 if rrname ~= "www.suricata-ids.org" then
 return 0
 end
 
 -- Queries
- local queries = DnsGetQueries()
+ local queries = tx:queries()
 if queries == nil then return 0 end
 
 -- There should only be one query.
@@ -40,14 +44,21 @@ function match(args)
 return 0
 end
 
- local rcode = DnsGetRcode()
- print(rcode)
+ local rcode = tx:rcode()
+ if rcode ~= 0 then
+ return 0
+ end
+
+ local rcode_string = tx:rcode_string()
+ if rcode_string ~= "NOERROR" then
+ return 0
+ end
 
- local answers = DnsGetAnswers()
+ local answers = tx:answers()
 if answers == nil then return 0 end
 if count(answers) ~= 3 then return 0 end
 
- local authorities = DnsGetAuthorities()
+ local authorities = tx:authorities()
 if authorities == nil then return 0 end
 if count(authorities) ~= 0 then return 0 end
 
diff --git a/tests/dns-lua-rules/test.yaml b/tests/dns-lua-rules/test.yaml
index 58f8d4e66..f4bf85a87 100644
--- a/tests/dns-lua-rules/test.yaml
+++ b/tests/dns-lua-rules/test.yaml
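Review bot: In the dns-lua-rules/test-response.lua `match` hunk, `local tx = dns.get_tx()` is followed by `tx:txid()` with no nil check, unlike the `test-request.lua` change in this same commit which takes `tx, err` and returns 0 when `tx` is nil; a failed `get_tx()` here becomes a Lua runtime error in `match` instead of a non-match, and the two scripts now disagree on how to handle it. Suggest mirroring the request script: `local tx, err = dns.get_tx()` then `if tx == nil then return 0 end` before the `txid()` call. `match` continues beyond the end of this hunk.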
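Review bot: The new `rcode`/`rcode_string` checks pin the response to NOERROR, but the three answers whose count is asserted just below are still not inspected, and the `-- TODO: Look at the answers.` line presumably still follows this hunk. Asserting at least that each entry carries the fields the logger formats, e.g. `for _, a in pairs(answers) do if a["rrname"] == nil or a["type"] == nil then return 0 end end`, would make the test fail on a regression in answer parsing rather than only on a count change, assuming the answer tables from `tx:answers()` use the same `rrname`/`type` keys that `lua-output-dns/test.lua` reads.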
@@ -1,8 +1,7 @@
 pcap: ../cond-log-dns-dig/input.pcap
 
 requires:
- features:
- - HAVE_LUA
+ min-version: 8
 
 args:
 - --set security.lua.allow-rules=true
diff --git a/tests/lua-output-dns-pre8/README.md b/tests/lua-output-dns-pre8/README.md
deleted file mode 100644
index 6bbac174b..000000000
--- a/tests/lua-output-dns-pre8/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-Tests the output of DNS being logged by Lua.
-
-PCAPs created by Jason Ish.
diff --git a/tests/lua-output-dns-pre8/suricata.yaml b/tests/lua-output-dns-pre8/suricata.yaml
deleted file mode 100644
index c5276c0e1..000000000
--- a/tests/lua-output-dns-pre8/suricata.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-%YAML 1.1
----
-
-include: ../../etc/suricata-3.1.2.yaml
-
-rule-files:
-
-outputs:
- - lua:
- enabled: yes
- scripts-dir: .
- scripts:
- - test.lua
diff --git a/tests/lua-output-dns-pre8/test.lua b/tests/lua-output-dns-pre8/test.lua
deleted file mode 100644
index d0515cc1b..000000000
--- a/tests/lua-output-dns-pre8/test.lua
+++ /dev/null
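Review bot: Dropping `features: - HAVE_LUA` from dns-lua-rules/test.yaml while adding `min-version: 8` means the test will run, not skip, on an 8.x build compiled without Lua; that is only safe if 8.x builds Lua unconditionally, which nothing in this diff shows. The pre8 copy keeps the feature gate, so either keep `features:` here next to `min-version: 8` or note the assumption with a comment such as `# Lua is always built on 8.x, so no HAVE_LUA gate`.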
@@ -1,95 +0,0 @@
-filename = "lua-dns.log"
-
-function init (args)
- local needs = {}
- needs["protocol"] = "dns"
- return needs
-end
-
-function setup (args)
- SCLogNotice("lua: setup()")
- file = assert(io.open(SCLogPath() .. "/" .. filename, "w"))
-end
-
-function log(args)
- ts = SCPacketTimeString()
- ip_ver, src_ip, dst_ip, proto, sp, dp = SCFlowTuple()
- tx_id = DnsGetTxid()
-
- queries = DnsGetQueries()
- if queries ~= nil then
- for n, t in pairs(queries) do
- msg = string.format(
- "%s [**] Query TX %04x [**] %s [**] %s [**] %s:%d -> %s:%d",
- ts,
- tx_id,
- t["rrname"],
- t["type"],
- src_ip,
- sp,
- dst_ip,
- dp)
- write(msg)
- end
- end
-
- rcode = DnsGetRcode()
- if rcode ~= nil then
- msg = string.format(
- "%s [**] Response TX %04x [**] %s [**] %s:%d -> %s:%d",
- ts,
- tx_id,
- rcode,
- src_ip,
- sp,
- dst_ip,
- dp)
- write(msg)
- end
-
- answers = DnsGetAnswers()
- if answers ~= nil then
- for n, t in pairs(answers) do
- msg = string.format(
- "%s [**] Response TX %04x [**] %s [**] %s [**] TTL %d [**] %s [**] %s:%d -> %s:%d",
- ts,
- tx_id,
- t["rrname"],
- t["type"],
- t["ttl"],
- t["addr"],
- src_ip,
- sp,
- dst_ip,
- dp);
- write(msg)
- end
- end
-
- authorities = DnsGetAuthorities()
- if authorities ~= nil then
- for n, t in pairs(authorities) do
- msg = string.format(
- "%s [**] Response TX %04x [**] %s [**] %s [**] TTL %d [**] %s:%d -> %s:%d",
- ts,
- tx_id,
- t["rrname"],
- t["type"],
- t["ttl"],
- src_ip,
- sp,
- dst_ip,
- dp);
- write(msg)
- end
- end
-
-end
-
-function deinit(args)
- file:close(file)
-end
-
-function write(msg)
- file:write(msg .. "\n")
-end
diff --git a/tests/lua-output-dns-pre8/test.yaml b/tests/lua-output-dns-pre8/test.yaml
deleted file mode 100644
index 417c53014..000000000
--- a/tests/lua-output-dns-pre8/test.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-requires:
- features:
- - HAVE_LUA
- lt-version: 8
-
-pcap: ../lua-output-dns/test.pcap
-
-checks:
- - shell:
- args: grep -q "Query TX 0d4f \[\*\*\] block.dropbox.com \[\*\*\] A \[\*\*\] 10.16.1.11:49697 -> 10.16.1.1:53" lua-dns.log
- - shell:
- args: cat lua-dns.log | grep Response | grep client-cf.dropbox.com | wc -l
- expect: 2
- - shell:
- args: cat lua-dns.log | grep "Response TX 62b2" | grep NXDOMAIN | wc -l
- expect: 1
- - shell:
- args: grep SOA lua-dns.log | wc -l
- expect: 1
diff --git a/tests/lua-output-dns/test.lua b/tests/lua-output-dns/test.lua
index 2a50609b7..8645d1947 100644
--- a/tests/lua-output-dns/test.lua
+++ b/tests/lua-output-dns/test.lua
@@ -1,4 +1,5 @@
 local packet = require "suricata.packet"
+local dns = require "suricata.dns"
 
 filename = "lua-dns.log"
 
@@ -17,9 +18,10 @@ function log(args)
 p = packet.get()
 ts = p:timestring_legacy()
 ip_ver, src_ip, dst_ip, proto, sp, dp = SCFlowTuple()
- tx_id = DnsGetTxid()
+ local tx = dns.get_tx()
+ tx_id = tx:txid()
 
- queries = DnsGetQueries()
+ queries = tx:queries()
 if queries ~= nil then
 for n, t in pairs(queries) do
 msg = string.format(
@@ -36,13 +38,13 @@ function log(args)
 end
 end
 
- rcode = DnsGetRcode()
- if rcode ~= nil then
+ rcode_string = tx:rcode_string()
+ if rcode_string ~= nil then
 msg = string.format(
 "%s [**] Response TX %04x [**] %s [**] %s:%d -> %s:%d",
 ts,
 tx_id,
- rcode,
+ rcode_string,
 src_ip,
 sp,
 dst_ip,
@@ -50,7 +52,7 @@ function log(args)
 write(msg)
 end
 
- answers = DnsGetAnswers()
+ answers = tx:answers()
 if answers ~= nil then
 for n, t in pairs(answers) do
 msg = string.format(
@@ -69,7 +71,7 @@ function log(args)
 end
 end
 
- authorities = DnsGetAuthorities()
+ authorities = tx:authorities()
 if authorities ~= nil then
 for n, t in pairs(authorities) do
 msg = string.format(
diff --git a/tests/lua-output-dns/test.yaml b/tests/lua-output-dns/test.yaml
index 5d86e3239..698eb6187 100644
--- a/tests/lua-output-dns/test.yaml
+++ b/tests/lua-output-dns/test.yaml
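Review bot: In the lua-output-dns/test.lua `log` hunk that replaces `DnsGetTxid()`, `local tx = dns.get_tx()` is immediately followed by `tx_id = tx:txid()` with no nil guard, so a callback without a retrievable transaction now aborts `log` with a Lua error instead of logging nothing for that record. `local tx, err = dns.get_tx()` followed by `if tx == nil then return end` before the `txid()` call is the defensive form, matching what `dns-lua-rules/test-request.lua` does elsewhere in this commit. `tx_id`, `queries` and the other names stay global as before; not a regression, but this is the hunk where adding `local` would be cheapest. `log` continues outside the hunk.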
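Review bot: The guard in the `Response TX` hunk changes from `if rcode ~= nil` to `if rcode_string ~= nil`, which preserves the old behaviour of emitting no Response line for queries only if `tx:rcode_string()` returns nil on a request transaction; if it instead returns a name such as NOERROR for rcode 0 regardless of direction, every query would also produce a Response line, and the check counting `Response` lines for client-cf.dropbox.com (2 expected in the deleted pre8 test.yaml) is what should catch that. Worth pinning the assumption in a comment, e.g. `-- rcode_string() is nil on requests, so this only fires for responses`, or gating on direction explicitly if the new library exposes it.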
@@ -1,7 +1,5 @@ requires: min-version: 8 - features: - - HAVE_LUA checks: - shell: diff --git a/tests/lua/lua-base64/output.lua b/tests/lua/lua-base64/output.lua index 4782019ec..1ac52028e 100644 --- a/tests/lua/lua-base64/output.lua +++ b/tests/lua/lua-base64/output.lua @@ -2,6 +2,7 @@ -- script. More thourough testing of base64 in rule.lua. local base64 = require("suricata.base64") +local dns = require("suricata.dns") local expected_base64 = "d3d3LnN1cmljYXRhLWlkcy5vcmc=" @@ -19,7 +20,8 @@ function setup (args) end function log(args) - queries = DnsGetQueries() + local tx = dns.get_tx() + queries = tx:queries() if queries ~= nil then for n, t in pairs(queries) do diff --git a/tests/lua/lua-hashlib-output/test.lua b/tests/lua/lua-hashlib-output/test.lua index d356f1cc1..524892842 100644 --- a/tests/lua/lua-hashlib-output/test.lua +++ b/tests/lua/lua-hashlib-output/test.lua @@ -1,4 +1,5 @@ local hashlib = require("suricata.hashlib") +local dns = require("suricata.dns") -- We don't actually use, but the script will fail to run if it fails -- to "require". @@ -21,7 +22,8 @@ function setup (args) end function log(args) - queries = DnsGetQueries() + local tx = dns.get_tx() + queries = tx:queries() if queries ~= nil then for n, t in pairs(queries) do if hashlib.md5_hexdigest(t["rrname"]) == expected_md5 then
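Review bot: In the lua-hashlib-output/test.lua `log` hunk, `local tx = dns.get_tx()` is dereferenced on the next line with `tx:queries()` without a nil check, and the lua-base64/output.lua hunk above does exactly the same; a callback for which `get_tx()` fails would then end in a Lua error rather than simply producing no hash or base64 line for the test to grep. `local tx, err = dns.get_tx()` followed by `if tx == nil then return end` before the `queries()` call keeps the script running, consistent with the guard `dns-lua-rules/test-request.lua` gains in this commit. `log` continues beyond the end of both hunks.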