From 719a7865a92cbac8b93adde4959b99fa5938816e Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 15 Mar 2021 15:38:57 -0600
Subject: [PATCH] dns-udp-double-request-response: add dns eve v2 test
---
 .../README.txt | 8 ++++++++
 .../dns-udp-double-request-response.pcap | Bin 0 -> 540 bytes
 .../suricata.yaml | 10 ++++++++++
 .../test.yaml | 16 ++++++++++++++++
 .../suricata.yaml | 1 -
 tests/dns-udp-double-request-response/test.yaml | 2 +-
 6 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 tests/dns-udp-double-request-response-v1/README.txt
 create mode 100644 tests/dns-udp-double-request-response-v1/dns-udp-double-request-response.pcap
 create mode 100644 tests/dns-udp-double-request-response-v1/suricata.yaml
 create mode 100644 tests/dns-udp-double-request-response-v1/test.yaml
diff --git a/tests/dns-udp-double-request-response-v1/README.txt b/tests/dns-udp-double-request-response-v1/README.txt
new file mode 100644
index 0000000..d0a46a6
--- /dev/null
+++ b/tests/dns-udp-double-request-response-v1/README.txt
@@ -0,0 +1,8 @@
+Test 2 UDP DNS requests followed back to back with no response, then
+the 2 responses being received.
+
+Prior to Suricata 3.2 the first request would be marked as having a
+reply lost when the second request was seen.
+
+Related issue:
+https://redmine.openinfosecfoundation.org/issues/1923
diff --git a/tests/dns-udp-double-request-response-v1/dns-udp-double-request-response.pcap b/tests/dns-udp-double-request-response-v1/dns-udp-double-request-response.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..43b47e68c8a6e7e5b61cd0d13fbb2708921939d7
GIT binary patch literal 540 zc-p&ic+)~A1{MYcU}0bclG#Rl5npRK7`%XN5M~e+=VkkT<8;^Cg>D=St_%z|AY~4M z@oiiJjNBYRz+ei58li~{j6exSh*`|#<>hSY`T6NNsm#gwxgc>ykjZDAI7v6zm4OM5 z$uba==LB*xoC3;&FvLuV`Cyaxm@zRh=m^@ff=mUO4mNqk!=((2jSWDPIdHl801t=+ zGC3GnB)+g%pz$ry_$Fw4Q#8IA8s8d?Z;r;d0{P5cn2R9|=)N>;K8tvLl7T@_uyrAd l&s=&U7?{95W5g9^K$~R1Hfb>ksImXp;K0Sf2?=2Z767A;Uzz{_ literal 0 Hc-jL100001
diff --git a/tests/dns-udp-double-request-response-v1/suricata.yaml b/tests/dns-udp-double-request-response-v1/suricata.yaml
new file mode 100644
index 0000000..5f7eded
--- /dev/null
+++ b/tests/dns-udp-double-request-response-v1/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
+ version: 1
diff --git a/tests/dns-udp-double-request-response-v1/test.yaml b/tests/dns-udp-double-request-response-v1/test.yaml
new file mode 100644
index 0000000..f9d87cb
--- /dev/null
+++ b/tests/dns-udp-double-request-response-v1/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ lt-version: 7
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 9
+ match:
+ event_type: dns
+ dns.type: answer
diff --git a/tests/dns-udp-double-request-response/suricata.yaml b/tests/dns-udp-double-request-response/suricata.yaml
index 5f7eded..bf94909 100644
--- a/tests/dns-udp-double-request-response/suricata.yaml
+++ b/tests/dns-udp-double-request-response/suricata.yaml
@@ -7,4 +7,3 @@ outputs:
 filename: eve.json
 types:
 - dns:
- version: 1
diff --git a/tests/dns-udp-double-request-response/test.yaml b/tests/dns-udp-double-request-response/test.yaml
index 7804b10..bd83279 100644
--- a/tests/dns-udp-double-request-response/test.yaml
+++ b/tests/dns-udp-double-request-response/test.yaml
@@ -9,7 +9,7 @@ checks:
 event_type: dns
 dns.type: query
 - filter:
- count: 9
+ count: 2
 match:
 event_type: dns
 dns.type: answer
-- 
2.47.3
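Review bot: The new tests/dns-udp-double-request-response-v1/test.yaml pins `count: 9` for `dns.type: answer` while the sibling tests/dns-udp-double-request-response/test.yaml hunk in this same commit changes the identical check to `count: 2`, and neither file explains why the two eve dns versions yield different counts for the same pcap, so a later reader cannot tell which value would be a regression. A comment above the answer filter in both files would settle it, e.g. `# eve dns v1 appears to emit one answer event per resource record (9 here); v2 emits one per response (2) — confirm against the logger` (the per-record versus per-response explanation is inferred from the counts, not shown by the diff). The `lt-version: 7` gate would also benefit from a one-line comment such as `# v1 eve dns output is only available on releases before 7`, since that is the only thing telling a maintainer why this directory exists alongside the unsuffixed one.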
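Review bot: Removing `version: 1` in tests/dns-udp-double-request-response/suricata.yaml leaves the eve dns version unpinned, so this test now exercises whatever Suricata's default is rather than v2 as the commit title states, while the new -v1 directory pins its version explicitly. If v2 is the target, replace the deleted line with `version: 2` under `- dns:` instead of dropping it; if the intent is to cover the default format, say so with a comment such as `# version deliberately unset: exercises the default eve dns format` and consider a matching `min-version` under `requires` in test.yaml, since the -v1 test is gated with `lt-version: 7` but this one gains no lower bound in this commit. The `requires` block of the modified test.yaml is outside the hunk, so I cannot see whether a bound already exists there.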