--- /dev/null
+#! /bin/sh
+
+# Expect 9 dns records.
+n=$(cat output/dns.json | jq -c 'select(.event_type == "dns")' | wc -l)
+if test $n -ne 9; then
+ echo "failed: expected 9 dns events, got $n"
+ exit 1
+fi
+
+# 4 are queries.
+n=$(cat output/dns.json | jq -c 'select(.event_type == "dns") | select(.dns.type == "query")' | wc -l)
+if test $n -ne 4; then
+ echo "failed: expected 4 dns queries, got $n"
+ exit 1
+fi
+
+# 4 are queries.
+n=$(cat output/dns.json | jq -c 'select(.event_type == "dns") | select(.dns.type == "answer")' | wc -l)
+if test $n -ne 5; then
+ echo "failed: expected 5 dns answers, got $n"
+ exit 1
+fi
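Review bot: The comment above the third check reads `# 4 are queries.` but the block it introduces counts answers and expects 5, so it is a copy of the comment from the second block; it should be `# 5 are answers.` so the comment and the failure message agree. The comparisons `test $n -ne 9` (and the two below) leave `$n` unquoted, unlike the other new scripts in this commit which pass `"$n"`; `test "$n" -ne 9` keeps the argument count stable if the pipeline ever yields an empty string. This script also hand-rolls the count and the assertion that the `functions.sh` added by the same commit provides as `jq_count` and `assert_eq`; if it is meant to sit beside the other tests, sourcing `../functions.sh` and using those two helpers would keep the failure messages and behaviour uniform.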
--- /dev/null
+#! /bin/sh
+
+. ../functions.sh
+
+# One DNS request.
+n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type == "query")')
+assert_eq 1 $n "dns requests"
+
+# 12 DNS responses.
+n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type == "answer")')
+assert_eq 12 $n "dns responses"
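Review bot: Both calls pass `$n` unquoted (`assert_eq 1 $n "dns requests"` and `assert_eq 12 $n "dns responses"`), while every other script in this commit passes `"$n"`; if the count ever came back empty, assert_eq would receive the label as its second argument and report a confusing comparison. Quote it in both places, `assert_eq 1 "$n" "dns requests"`, to match the sibling scripts.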
+++ /dev/null
-{"timestamp":"2017-01-26T20:16:58.270700+0000","flow_id":358186737135978,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"query","id":24440,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.244"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.224"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.238"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.210"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.230"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.223"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.245"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.231"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.251"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.237"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.217"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.216"}}
-{"timestamp":"2017-01-26T20:16:58.309492+0000","flow_id":358186737135978,"event_type":"flow","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","app_proto":"dns","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":461,"bytes_toclient":509,"start":"2017-01-26T20:16:58.192874+0000","end":"2017-01-26T20:16:58.309492+0000","age":0,"state":"closed","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
#! /bin/sh
-expected='{"timestamp":"2017-01-27T16:03:18.623093+0000","flow_id":1899131178484213,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":59465,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33429,"rrname":"dne.oisf.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2017-01-27T16:03:18.709160+0000","flow_id":1899131178484213,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"10.16.1.11","dest_port":59465,"proto":"UDP","dns":{"type":"answer","id":33429,"rcode":"NXDOMAIN","rrname":"dne.oisf.net"}}
-{"timestamp":"2017-01-27T16:03:18.709160+0000","flow_id":1899131178484213,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"10.16.1.11","dest_port":59465,"proto":"UDP","dns":{"type":"answer","id":33429,"rcode":"NXDOMAIN","rrname":"oisf.net","rrtype":"SOA","ttl":899}}'
+. ../functions.sh
-actual=$(cat output/eve.json | jq -c 'select(.event_type == "dns")')
-
-if [ "${actual}" != "${expected}" ]; then
- exit 1
-fi
+# Look for 2 responses with rcode == "NXDOMAIN".
+n=$(jq_count output/eve.json 'select(.dns.rcode == "NXDOMAIN")')
+assert_eq 2 "$n" "nxdomain responses"
exit 0
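Review bot: The replacement check narrows coverage: the removed exact-match test also verified that the `dne.oisf.net` query was logged and that the second NXDOMAIN record carried the `SOA` rrtype for `oisf.net`, whereas the new script only counts events whose `.dns.rcode` is `"NXDOMAIN"`. A regression that dropped the query event or mislabelled the SOA record would now pass. Consider adding `assert_eq 1 "$(jq_count output/eve.json 'select(.dns.type == "query") | select(.dns.rrname == "dne.oisf.net")')" "query"` and a matching count for `select(.dns.rrtype == "SOA")`, in the style of the other new checks.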
--- /dev/null
+#! /bin/sh
+
+. ../functions.sh
+
+# 4 queries.
+n=$(jq_count output/eve.json 'select(.dns.type == "query")')
+assert_eq 4 "$n" "queries"
+
+# 5 answers.
+n=$(jq_count output/eve.json 'select(.dns.type == "answer")')
+assert_eq 5 "$n" "answers"
+++ /dev/null
-{"timestamp":"2016-05-24T23:27:01.960780+0000","flow_id":15684738590988,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":53679,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39339,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:02.333141+0000","flow_id":15684738590988,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":53679,"proto":"UDP","dns":{"type":"answer","id":39339,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":47,"rdata":"52.85.112.21"}}
-{"timestamp":"2016-05-24T23:27:02.832606+0000","flow_id":542660046009438,"pcap_cnt":3,"event_type":"dns","src_ip":"10.16.1.11","src_port":49697,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3407,"rrname":"block.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.085375+0000","flow_id":1585332076629375,"pcap_cnt":4,"event_type":"dns","src_ip":"10.16.1.11","src_port":33458,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44779,"rrname":"codemonkey.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.dropbox.com","rrtype":"CNAME","ttl":9,"rdata":"block.g1.dropbox.com"}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.g1.dropbox.com","rrtype":"A","ttl":8,"rdata":"45.58.70.33"}}
-{"timestamp":"2016-05-24T23:27:03.493333+0000","flow_id":1585332076629375,"pcap_cnt":6,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":33458,"proto":"UDP","dns":{"type":"answer","id":44779,"rcode":"NOERROR","rrname":"codemonkey.net","rrtype":"A","ttl":435,"rdata":"104.131.202.103"}}
-{"timestamp":"2016-05-24T23:27:04.653864+0000","flow_id":848126710184488,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":57634,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14681,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:04.654238+0000","flow_id":848126710184488,"pcap_cnt":8,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":57634,"proto":"UDP","dns":{"type":"answer","id":14681,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":45,"rdata":"52.85.112.21"}}
--- /dev/null
+jq_count() {
+ cat "$1" | jq -c "$2" | wc -l
+}
+
+assert_eq() {
+ if ! test "$1" = "$2"; then
+ echo "fail: expected $1; got $2: $3"
+ exit 1
+ fi
+}
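Review bot: jq_count emits the raw output of `wc -l`, which on BSD/macOS is padded with leading spaces, so callers that quote the result (`assert_eq 1 "$n" ...`) compare `1` against a space-padded string and fail there, while the unquoted callers pass only because word splitting strips the padding; the helper should normalise its output, e.g. `jq -c "$2" "$1" | wc -l | tr -d ' '`, which also drops the useless `cat`. assert_eq uses string equality (`test "$1" = "$2"`); since every caller in this commit passes counts, `test "$1" -eq "$2"` would be tolerant of such padding and leading zeros, though it would make the helper numeric-only. Both functions are sourced by several scripts and would benefit from a short header comment each: for jq_count, that `$1` is the eve/JSON file, `$2` the jq filter, and that the line count of the filter output is written to stdout; for assert_eq, that `$1` is the expected value, `$2` the actual, `$3` a label for the failure message, and that a mismatch exits the calling script with status 1.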
--- /dev/null
+#! /bin/sh
+
+. ../functions.sh
+
+# One query for suricon.net.
+n=$(jq_count output/eve.json 'select(.dns.type == "query") | select(.dns.rrname == "suricon.net")')
+assert_eq 1 "$n" "request"
+
+# One answer with rdata of 181.224.138.142.
+n=$(jq_count output/eve.json 'select(.dns.type == "answer") | select(.dns.rdata == "181.224.138.142")')
+assert_eq 1 "$n" "response"
+
+++ /dev/null
-{"timestamp":"2016-10-14T15:29:08.218361+0000","flow_id":1078835550639353,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":55487,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57403,"rrname":"suricon.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-10-14T15:29:08.218864+0000","flow_id":1078835550639353,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":55487,"proto":"UDP","dns":{"type":"answer","id":57403,"rcode":"NOERROR","rrname":"suricon.net","rrtype":"A","ttl":14379,"rdata":"181.224.138.142"}}