From 16c4c76d745c0b1c4c480e444f1efbf44f4ab9a9 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 24 Feb 2025 11:38:44 -0600
Subject: [PATCH] test: dns rdata match on additionals cname

Also provides coverage.
---
 .../20250224-dns-additionals-with-cname.pcap | Bin 0 -> 258 bytes
 pcaps/20250224-dns-additionals-with-cname.txt | 38 ++++++++++++++++++
 tests/dns/dns-additionals-rdata/README.md | 2 +
 tests/dns/dns-additionals-rdata/test.rules | 1 +
 tests/dns/dns-additionals-rdata/test.yaml | 10 +++++
 5 files changed, 51 insertions(+)
 create mode 100644 pcaps/20250224-dns-additionals-with-cname.pcap
 create mode 100644 pcaps/20250224-dns-additionals-with-cname.txt
 create mode 100644 tests/dns/dns-additionals-rdata/README.md
 create mode 100644 tests/dns/dns-additionals-rdata/test.rules
 create mode 100644 tests/dns/dns-additionals-rdata/test.yaml

diff --git a/pcaps/20250224-dns-additionals-with-cname.pcap b/pcaps/20250224-dns-additionals-with-cname.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..473814b5f4d3b0ef5c14ba3134c39cd5078a2c14
GIT binary patch
literal 258 zc-p&ic+)~A1{MYw`2U}Q;R%p_yJk=N!FXl{OCTGBT|pEh1A~KLd?%LxBR2;SFqi_N zs>mV+kOU({KYMCLVs1fBDsysvE=Z6OWYDVwW`>DC$%znyCPED|1Q`M{3~W%X^kxQz z)&`IspfW}bgD?bugboACffbC5?8T`?WtqvTs7hF&O5_AG^GZ^S@)C1&(beUpmM{PS D2){Sg literal 0 Hc-jL100001

diff --git a/pcaps/20250224-dns-additionals-with-cname.txt b/pcaps/20250224-dns-additionals-with-cname.txt
new file mode 100644
index 000000000..d3cf5be77
--- /dev/null
+++ b/pcaps/20250224-dns-additionals-with-cname.txt
@@ -0,0 +1,38 @@
+```
+# Scapy script to create a DNS response with an addtional field that
+# contains an rrname as these can be hard to find in the wild
+
+from scapy.all import *
+
+request = (
+ IP(dst="8.8.8.8")
+ / UDP(dport=53)
+ / DNS(rd=1, qd=DNSQR(qname="example.com", qtype="A"))
+)
+
+# Create a DNS response with an additional record
+dns_response = (
+ IP(dst=request[IP].src, src=request[IP].dst)
+ / UDP(dport=request[UDP].sport, sport=request[UDP].dport)
+ / DNS(
+ id=request[DNS].id,
+ qr=1,
+ aa=1,
+ rd=request[DNS].rd,
+ ra=1,
+ qd=request[DNS].qd,
+ an=DNSRR(
+ rrname=request[DNS].qd.qname.decode(), type=request[DNS].qd.qtype, ttl=300, rdata="192.168.1.1"
+ ),
+ ar=DNSRR(
+ rrname="service.example.com",
+ type="CNAME",
+ ttl=300,
+ rdata="internal-service.example.net",
+ ),
+ )
+)
+
+# Write to pcap.
+wrpcap("scapy-dns-with-additionals-rrname.pcap", [request, dns_response])
+```
diff --git a/tests/dns/dns-additionals-rdata/README.md b/tests/dns/dns-additionals-rdata/README.md
new file mode 100644
index 000000000..8470f1abd
--- /dev/null
+++ b/tests/dns/dns-additionals-rdata/README.md
@@ -0,0 +1,2 @@
+Test matching on a DNS additionals response where the rdata is a resource name,
+in this case a CNAME.
diff --git a/tests/dns/dns-additionals-rdata/test.rules b/tests/dns/dns-additionals-rdata/test.rules
new file mode 100644
index 000000000..074eec072
--- /dev/null
+++ b/tests/dns/dns-additionals-rdata/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.response.rrname; content:"internal-service.example.net"; sid:5; rev:1;)
diff --git a/tests/dns/dns-additionals-rdata/test.yaml b/tests/dns/dns-additionals-rdata/test.yaml
new file mode 100644
index 000000000..aa6b3a693
--- /dev/null
+++ b/tests/dns/dns-additionals-rdata/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ min-version: 8
+
+pcap: ../../../pcaps/20250224-dns-additionals-with-cname.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 5
-- 
2.47.2
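Review bot: The script does not reproduce the committed capture as written: `wrpcap` writes `scapy-dns-with-additionals-rrname.pcap` while the file this patch adds is `pcaps/20250224-dns-additionals-with-cname.pcap`, and `IP(dst="8.8.8.8")` leaves the source address unset, so scapy fills it from the generating host's routing table and the captured source address depends on where the script is run. Suggest `IP(src="192.0.2.1", dst="8.8.8.8")` (a documentation-range address; any fixed value works) and `wrpcap("20250224-dns-additionals-with-cname.pcap", [request, dns_response])` so a maintainer can regenerate the same artifact under the committed name. The header comment also misstates what the capture exercises — the additional record's rrname is an ordinary name, it is the rdata that carries a name — and has a typo in "addtional"; suggest `# Scapy script to create a DNS response whose additional record has a name-valued rdata (CNAME),` followed by `# as these can be hard to find in the wild`.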