dns-z-bit: v2 and v3 tests
authorJason Ish <jason.ish@oisf.net>
Thu, 4 Jul 2024 21:17:44 +0000 (15:17 -0600)
committerVictor Julien <victor@inliniac.net>
Tue, 9 Jul 2024 10:15:24 +0000 (12:15 +0200)
tests/dns/dns-z-bit/dns-events.rules [moved from tests/dns-z-bit/dns-events.rules with 100% similarity]
tests/dns/dns-z-bit/input.pcap [moved from tests/dns-z-bit/input.pcap with 100% similarity]
tests/dns/dns-z-bit/test.yaml [new file with mode: 0644]
tests/dns/v2/dns-z-bit/dns-events.rules [new file with mode: 0644]
tests/dns/v2/dns-z-bit/input.pcap [new file with mode: 0644]
tests/dns/v2/dns-z-bit/test.yaml [moved from tests/dns-z-bit/test.yaml with 97% similarity]

diff --git a/tests/dns/dns-z-bit/test.yaml b/tests/dns/dns-z-bit/test.yaml
new file mode 100644 (file)
index 0000000..b92c329
--- /dev/null
@@ -0,0 +1,72 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: dns
+      dns.type: request
+      dns.z: true
+- filter:
+    requires:
+      lt-version: 8
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2240006
+      dns.query[0].z: true
+- filter:
+    requires:
+      min-version: 8
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2240006
+      dns.z: true
+- filter:
+    count: 1
+    match:
+      dest_ip: 8.8.8.8
+      dest_port: 53
+      dns.answers[0].rdata: 142.251.32.68
+      dns.answers[0].rrname: www.google.com
+      dns.answers[0].rrtype: A
+      dns.answers[0].ttl: 58
+      dns.flags: '8180'
+      dns.grouped.A[0]: 142.251.32.68
+      dns.id: 1
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.queries[0].rrname: www.google.com
+      dns.queries[0].rrtype: A
+      dns.type: response
+      dns.version: 3
+      event_type: dns
+      pcap_cnt: 2
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 42150
+- filter:
+    count: 1
+    match:
+      app_proto: dns
+      dest_ip: 8.8.8.8
+      dest_port: 53
+      event_type: flow
+      flow.age: 0
+      flow.alerted: true
+      flow.bytes_toclient: 90
+      flow.bytes_toserver: 74
+      flow.pkts_toclient: 1
+      flow.pkts_toserver: 1
+      flow.reason: shutdown
+      flow.state: established
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 42150
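Review bot: The second filter (the one with `requires: lt-version: 8` matching `dns.query[0].z: true`) can never be evaluated, because the file-level `requires: min-version: 8` at the top of this new test already excludes every Suricata version below 8; it is dead configuration that will silently keep passing whatever the v3 output looks like. Either drop that filter block entirely, leaving the `min-version: 8` filter with `dns.z: true` as the only alert check, or, if the intent was to keep this file runnable on older versions too, remove the top-level `requires` and let the per-filter `requires` select the right check. The `dns.query[0].z` path appears to be the pre-v3 EVE layout, which this commit moves to the separate `tests/dns/v2/dns-z-bit` test, so deleting the block here seems the cleaner fix. A one-line comment above the remaining alert filter, `# v3 EVE DNS output: z bit is reported at dns.z`, would make the version split explicit for the next reader.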
diff --git a/tests/dns/v2/dns-z-bit/dns-events.rules b/tests/dns/v2/dns-z-bit/dns-events.rules
new file mode 100644 (file)
index 0000000..0e34dae
--- /dev/null
@@ -0,0 +1,9 @@
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;)
diff --git a/tests/dns/v2/dns-z-bit/input.pcap b/tests/dns/v2/dns-z-bit/input.pcap
new file mode 100644 (file)
index 0000000..b9fe2f5
Binary files /dev/null and b/tests/dns/v2/dns-z-bit/input.pcap differ
similarity index 97%
rename from tests/dns-z-bit/test.yaml
rename to tests/dns/v2/dns-z-bit/test.yaml
index 5037e0497a59647f5b7bd0f086d0b07b9cdc6437..3bd38cb801c304b64e53deaa71aafdbe6743f6f7 100644 (file)
@@ -1,6 +1,9 @@
 args:
 - -k none
 
+env:
+  SURICATA_EVE_DNS_VERSION: 2
+
 checks:
 - filter:
     count: 1
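Review bot: `SURICATA_EVE_DNS_VERSION: 2` parses as a YAML integer rather than a string, and environment variable values have to be strings; whether this works depends on the suricata-verify runner stringifying env values before handing them to the process, which the hunk does not show. Quoting the value, `SURICATA_EVE_DNS_VERSION: "2"`, removes the dependency on that behaviour and matches how the same file already quotes number-looking strings such as `dns.flags: '8180'`. This test also has no top-level `requires` block, so on versions before 8 it presumably runs with the env var ignored and relies on the legacy output matching the same checks; a short comment above `env:` stating that assumption, e.g. `# Force the v2 EVE DNS layout on 8+; ignored by older versions`, would document the intent.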