tests/dns: add dns.response.rrname to some tests for coverage

author Jason Ish <jason.ish@oisf.net>

Thu, 20 Feb 2025 21:21:36 +0000 (15:21 -0600)

committer Victor Julien <victor@inliniac.net>

Wed, 5 Mar 2025 14:59:57 +0000 (15:59 +0100)
author Jason Ish <jason.ish@oisf.net>
Thu, 20 Feb 2025 21:21:36 +0000 (15:21 -0600)
committer Victor Julien <victor@inliniac.net>
Wed, 5 Mar 2025 14:59:57 +0000 (15:59 +0100)
diff --git a/tests/dns/dns-additionals-rrname/test.rules b/tests/dns/dns-additionals-rrname/test.rules

index 63eabfe99f7882736a699f608833db068678a941..92f5f2b3e5d50caa757b70fbf6a7d3fd64747464 100644 (file)
--- a/tests/dns/dns-additionals-rrname/test.rules
+++ b/tests/dns/dns-additionals-rrname/test.rules
@@ -2,3 +2,8 @@ alert dns any any -> any any (dns.queries.rrname; content:"suricata.io"; sid:1;
  alert dns any any -> any any (dns.authorities.rrname; content:"io"; sid:2; rev:1;)
  alert dns any any -> any any (dns.additionals.rrname; content:"a0.nic.io"; sid:3; rev:1;)
  alert dns any any -> any any (dns.additionals.rrname; content:"c0.nic.io"; sid:4; rev:1;)
+
+# Tests use more generic dns.response.rrname
+alert dns any any -> any any (dns.response.rrname; content:"suricata.io"; sid:5; rev:1;)
+alert dns any any -> any any (dns.response.rrname; content:"a0.nic.io"; sid:6; rev:1;)
+alert dns any any -> any any (dns.response.rrname; content:"c0.nic.io"; sid:7; rev:1;)
diff --git a/tests/dns/dns-additionals-rrname/test.yaml b/tests/dns/dns-additionals-rrname/test.yaml

index 3b48d6b21a63c24c4e9a798afa311c2ea37b2a4c..6562da946a7a2e8812e6216ff99308d6ccf88c6d 100644 (file)
--- a/tests/dns/dns-additionals-rrname/test.yaml
+++ b/tests/dns/dns-additionals-rrname/test.yaml
@@ -20,3 +20,15 @@ checks:
        count: 1
        match:
          alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 7
diff --git a/tests/dns/dns-answer-name/test.rules b/tests/dns/dns-answer-name/test.rules

index e6b01526f030a9972bd322182b3b0647d8e2b7fb..c733a7821e2e823fabbb58769c28806748440b69 100644 (file)
--- a/tests/dns/dns-answer-name/test.rules
+++ b/tests/dns/dns-answer-name/test.rules
@@ -6,3 +6,6 @@ alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_server
  
  # Should only alert in the response direction.
  alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_client; sid:3; rev:1;)
+
+# And the more generic rrname match in a response.
+alert dns any any -> any any (dns.response.rrname; content:"oisf"; flow:to_client; sid:4; rev:1;)
diff --git a/tests/dns/dns-answer-name/test.yaml b/tests/dns/dns-answer-name/test.yaml

index 4bc24a91e96646a672d0d1e05ca44074352af2d1..80c0b95004ba8e7becc2628698742894e14ab8ed 100644 (file)
--- a/tests/dns/dns-answer-name/test.yaml
+++ b/tests/dns/dns-answer-name/test.yaml
@@ -41,3 +41,10 @@ checks:
          alert.signature_id: 3
          direction: to_client
          app_proto: dns
+
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 4
+        direction: to_client
+        app_proto: dns
author	Jason Ish <jason.ish@oisf.net>
	Thu, 20 Feb 2025 21:21:36 +0000 (15:21 -0600)
committer	Victor Julien <victor@inliniac.net>
	Wed, 5 Mar 2025 14:59:57 +0000 (15:59 +0100)
tests/dns/dns-additionals-rrname/test.rules		patch \| blob \| blame \| history
tests/dns/dns-additionals-rrname/test.yaml		patch \| blob \| blame \| history
tests/dns/dns-answer-name/test.rules		patch \| blob \| blame \| history
tests/dns/dns-answer-name/test.yaml		patch \| blob \| blame \| history