test: dns rdata match on additionals cname 2337/head
authorJason Ish <jason.ish@oisf.net>
Mon, 24 Feb 2025 17:38:44 +0000 (11:38 -0600)
committerVictor Julien <victor@inliniac.net>
Wed, 5 Mar 2025 14:59:57 +0000 (15:59 +0100)
Also provides coverage.

pcaps/20250224-dns-additionals-with-cname.pcap [new file with mode: 0644]
pcaps/20250224-dns-additionals-with-cname.txt [new file with mode: 0644]
tests/dns/dns-additionals-rdata/README.md [new file with mode: 0644]
tests/dns/dns-additionals-rdata/test.rules [new file with mode: 0644]
tests/dns/dns-additionals-rdata/test.yaml [new file with mode: 0644]

diff --git a/pcaps/20250224-dns-additionals-with-cname.pcap b/pcaps/20250224-dns-additionals-with-cname.pcap
new file mode 100644 (file)
index 0000000..473814b
Binary files /dev/null and b/pcaps/20250224-dns-additionals-with-cname.pcap differ
diff --git a/pcaps/20250224-dns-additionals-with-cname.txt b/pcaps/20250224-dns-additionals-with-cname.txt
new file mode 100644 (file)
index 0000000..d3cf5be
--- /dev/null
@@ -0,0 +1,38 @@
+```
+# Scapy script to create a DNS response with an addtional field that
+# contains an rrname as these can be hard to find in the wild
+
+from scapy.all import *
+
+request = (
+    IP(dst="8.8.8.8")
+    / UDP(dport=53)
+    / DNS(rd=1, qd=DNSQR(qname="example.com", qtype="A"))
+)
+
+# Create a DNS response with an additional record
+dns_response = (
+    IP(dst=request[IP].src, src=request[IP].dst)
+    / UDP(dport=request[UDP].sport, sport=request[UDP].dport)
+    / DNS(
+        id=request[DNS].id,
+        qr=1,
+        aa=1,
+        rd=request[DNS].rd,
+        ra=1,
+        qd=request[DNS].qd,
+        an=DNSRR(
+            rrname=request[DNS].qd.qname.decode(), type=request[DNS].qd.qtype, ttl=300, rdata="192.168.1.1"
+        ),
+        ar=DNSRR(
+            rrname="service.example.com",
+            type="CNAME",
+            ttl=300,
+            rdata="internal-service.example.net",
+        ),
+    )
+)
+
+# Write to pcap.
+wrpcap("scapy-dns-with-additionals-rrname.pcap", [request, dns_response])
+```
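Review bot: The script's output name on the `wrpcap(...)` line (`scapy-dns-with-additionals-rrname.pcap`) does not match the file this commit adds (`pcaps/20250224-dns-additionals-with-cname.pcap`), so anyone regenerating the fixture from this note ends up with a differently named capture and has to guess that a rename followed; write the committed name directly, `wrpcap("20250224-dns-additionals-with-cname.pcap", [request, dns_response])`, or add a comment above it stating that the output was renamed on commit. The header comment also describes the additional as containing an "rrname", while the property the test exercises is that the record's rdata is itself a domain name (the CNAME target matched by test.rules); a comment such as `# The additional record is a CNAME whose rdata is a name, so dns.response.rrname matching must cover rdata too` would state the intent precisely. "addtional" on the first comment line is a typo for "additional". Note that `request[IP].src` is filled in by Scapy from the local routing table at build time, so the source address in the capture is whatever host generated it, which is presumably why a pcap is committed rather than regenerated in CI.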
diff --git a/tests/dns/dns-additionals-rdata/README.md b/tests/dns/dns-additionals-rdata/README.md
new file mode 100644 (file)
index 0000000..8470f1a
--- /dev/null
@@ -0,0 +1,2 @@
+Test matching on a DNS additionals response where the rdata is a resource name,
+in this case a CNAME.
diff --git a/tests/dns/dns-additionals-rdata/test.rules b/tests/dns/dns-additionals-rdata/test.rules
new file mode 100644 (file)
index 0000000..074eec0
--- /dev/null
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.response.rrname; content:"internal-service.example.net"; sid:5; rev:1;)
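Review bot: The single rule in test.rules has no `msg` keyword, so the alert it produces carries no human-readable description when the eve output is inspected during a failure; add `msg:"DNS additionals CNAME rdata matched via dns.response.rrname";` before `sid:5`. DNS names compare case-insensitively, so if the `dns.response.rrname` buffer is not case-normalized by the engine (I cannot confirm that from this page) a mixed-case encoding of the same name would not match; `nocase;` after the `content` would make the rule robust to that, though the fixed pcap here does not need it. A plain `content` is also a substring match and would fire on any longer name containing this label sequence, which is acceptable for a fixture but worth stating in a comment line so a later reader knows the rule is deliberately exercising rdata-as-name matching on the additionals section rather than an exact-name check.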
diff --git a/tests/dns/dns-additionals-rdata/test.yaml b/tests/dns/dns-additionals-rdata/test.yaml
new file mode 100644 (file)
index 0000000..aa6b3a6
--- /dev/null
@@ -0,0 +1,10 @@
+requires:
+  min-version: 8
+
+pcap: ../../../pcaps/20250224-dns-additionals-with-cname.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 5