From af1b9246c2b8c158225f769ce1cbc0e42ddc7743 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 17 Jul 2019 15:30:08 +0200
Subject: [PATCH] Adds test about DNS probing with junk request
---
tests/dns-udp-junkrequest-first/README.md | 7 +++++++
tests/dns-udp-junkrequest-first/client.py | 16 ++++++++++++++++
tests/dns-udp-junkrequest-first/input.pcap | Bin 0 -> 431 bytes
tests/dns-udp-junkrequest-first/test.yaml | 20 ++++++++++++++++++++
4 files changed, 43 insertions(+)
create mode 100644 tests/dns-udp-junkrequest-first/README.md
create mode 100644 tests/dns-udp-junkrequest-first/client.py
create mode 100644 tests/dns-udp-junkrequest-first/input.pcap
create mode 100644 tests/dns-udp-junkrequest-first/test.yaml
diff --git a/tests/dns-udp-junkrequest-first/README.md b/tests/dns-udp-junkrequest-first/README.md
new file mode 100644
index 000000000..9160bebf6
--- /dev/null
+++ b/tests/dns-udp-junkrequest-first/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test DNS detection when first request from client is junk.
+
+# PCAP
+
+The pcap comes from running the present dummy python script client.py which first sends junk (SNMP request actually), then a regular DNS request.
diff --git a/tests/dns-udp-junkrequest-first/client.py b/tests/dns-udp-junkrequest-first/client.py
new file mode 100644
index 000000000..70482922c
--- /dev/null
+++ b/tests/dns-udp-junkrequest-first/client.py
@@ -0,0 +1,16 @@
+import socket
+import binascii
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.connect(("192.168.1.1", 53))
+
+snmp = binascii.unhexlify("3040020103300f02030091c8020205dc040104020103041530130400020100020100040561646d696e04000400301304000400a00d02030091c80201000201003000")
+dns = binascii.unhexlify("c58e012000010000000000010b636174656e61637962657202467200000100010000291000000000000000")
+a = sock.send(snmp)
+data = sock.recv(2000)
+print "1", binascii.hexlify(data)
+a = sock.send(dns)
+data = sock.recv(2000)
+print "2", binascii.hexlify(data)
+
+sock.close()
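Review bot: The first `data = sock.recv(2000)`, issued right after the junk SNMP datagram, has no timeout, so a DNS server that silently drops the malformed packet (the usual behaviour for non-DNS bytes on port 53) leaves the script blocked forever and the DNS query the test actually depends on is never sent; a connected UDP socket may also raise `ConnectionRefusedError` here if the server answers with ICMP port-unreachable. Call `sock.settimeout(2.0)` right after creating the socket and catch `OSError` (which covers both `socket.timeout` and the refused case) around the first `recv` so the second request still goes out; the second `recv` can let a timeout propagate since nothing follows it. The `print "1", ...` lines are Python 2 syntax and will not run on a current interpreter; `print("1", binascii.hexlify(data))` works on both. A short module docstring saying that this script only regenerates input.pcap and must be pointed at a DNS server you control (192.168.1.1 here) would help the next person who reproduces the capture.
```python
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(2.0)  # junk is usually dropped; never block forever
sock.connect(("192.168.1.1", 53))
# … unchanged: snmp / dns payload definitions …
sock.send(snmp)
try:
    data = sock.recv(2000)
    print("1", binascii.hexlify(data))
except OSError as exc:  # timeout or ICMP port-unreachable
    print("1", "no reply to junk request:", exc)
sock.send(dns)
data = sock.recv(2000)
print("2", binascii.hexlify(data))
```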
diff --git a/tests/dns-udp-junkrequest-first/input.pcap b/tests/dns-udp-junkrequest-first/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..8b87f791e15f3a368a8775f7d2cbe675df95787c
GIT binary patch
literal 431
zc-p&ic+)~A1{MYcU}0bck~c2v#U9n-Wyk@tLHNe=R}$w6e_z1C;L5-dw|yG} zgM*-b?SU1HTtLkD>@b5VgO{77fddmGvjIO7GsDCaOiZkISQuG=0xY5i!Ym9-j3C6q nwXNCna2XO3M9zFuz(k$8Z2wTa0_U6&=OV#8=$=)46zmB0~T1T~Qot!9MS3U*iIZ WVGIn|EIGgfk>yolVA-?ObSD7t`)qgs
literal 0
Hc-jL100001
diff --git a/tests/dns-udp-junkrequest-first/test.yaml b/tests/dns-udp-junkrequest-first/test.yaml
new file mode 100644
index 000000000..f4860936b
--- /dev/null
+++ b/tests/dns-udp-junkrequest-first/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 7
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+
+ # Check that there is one DNS event with specific parameters.
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ dns.rrname: catenacyber.Fr
+ # Check that there is one flow event with DNS.
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: dns
-- 
2.47.3
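Review bot: The checks pin exactly one `dns.type: query` record and one flow with `app_proto: dns`, but nothing asserts the server's reply direction, which is the part of detection most likely to be affected by a junk first packet (the parser has to recover on the flow after rejecting the probe). If input.pcap contains the answer to the `catenacyber.Fr` query — the 431-byte size suggests only a handful of packets, so please confirm — add a filter for `dns.type: answer` with the same `dns.rrname`; a third filter on `event_type: dns` with no type restriction and the total expected count would additionally fail if the junk datagram were ever logged as a DNS record. Separately, `min-version: 7` combined with `HAVE_LIBJANSSON` looks worth checking: if that feature flag is not reported by the Suricata build being tested, the `requires` block makes the whole test skip silently rather than fail.
```yaml
  # Check that the answer direction is parsed after the junk probe.
  - filter:
      count: 1
      match:
        event_type: dns
        dns.type: answer
        dns.rrname: catenacyber.Fr
```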