add tests for dns log filtering

diff --git a/dns-udp-eve-log-answer-only/check.sh b/dns-udp-eve-log-answer-only/check.sh
new file mode 100755 (executable)
index 0000000..b61a5e1
--- /dev/null
+++ b/dns-udp-eve-log-answer-only/check.sh
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Should be no answers.
+n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type != "answer")')
+assert_eq 0 $n "only answers expected"
+
+exit 0
+

diff --git a/dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap b/dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap
new file mode 100644 (file)
index 0000000..def918f
Binary files /dev/null and b/dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap differ

diff --git a/dns-udp-eve-log-answer-only/suricata.yaml b/dns-udp-eve-log-answer-only/suricata.yaml
new file mode 100644 (file)
index 0000000..1bf5f71
--- /dev/null
+++ b/dns-udp-eve-log-answer-only/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - dns:
+            query: no
+            answer: yes
+        

diff --git a/dns-udp-eve-log-mx-only/check.sh b/dns-udp-eve-log-mx-only/check.sh
new file mode 100755 (executable)
index 0000000..639a4d4
--- /dev/null
+++ b/dns-udp-eve-log-mx-only/check.sh
@@ -0,0 +1,9 @@
+#! /bin/sh
+
+. ../functions.sh
+
+n=$(jq_count output/eve.json 'select(.dns.rrtype != "MX")')
+assert_eq 0 $n "only expected mx records"
+
+exit 0
+

diff --git a/dns-udp-eve-log-mx-only/dns-udp-google.com-a-aaaa-mx.pcap b/dns-udp-eve-log-mx-only/dns-udp-google.com-a-aaaa-mx.pcap
new file mode 100644 (file)
index 0000000..def918f
Binary files /dev/null and b/dns-udp-eve-log-mx-only/dns-udp-google.com-a-aaaa-mx.pcap differ

diff --git a/dns-udp-eve-log-mx-only/suricata.yaml b/dns-udp-eve-log-mx-only/suricata.yaml
new file mode 100644 (file)
index 0000000..af5d3f6
--- /dev/null
+++ b/dns-udp-eve-log-mx-only/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - dns:
+            custom: [mx]

diff --git a/dns-udp-eve-log-query-only/check.sh b/dns-udp-eve-log-query-only/check.sh
new file mode 100755 (executable)
index 0000000..8fffed0
--- /dev/null
+++ b/dns-udp-eve-log-query-only/check.sh
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Should be no answers.
+n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type != "query")')
+assert_eq 0 $n "only queries expected"
+
+exit 0
+

diff --git a/dns-udp-eve-log-query-only/dns-udp-google.com-a-aaaa-mx.pcap b/dns-udp-eve-log-query-only/dns-udp-google.com-a-aaaa-mx.pcap
new file mode 100644 (file)
index 0000000..def918f
Binary files /dev/null and b/dns-udp-eve-log-query-only/dns-udp-google.com-a-aaaa-mx.pcap differ

diff --git a/dns-udp-eve-log-query-only/suricata.yaml b/dns-udp-eve-log-query-only/suricata.yaml
new file mode 100644 (file)
index 0000000..298b4f8
--- /dev/null
+++ b/dns-udp-eve-log-query-only/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - dns:
+            query: yes
+            answer: no
+