detect-proto: add a test for DNS detected as DCERPC by PM

author Ilya Bakhtin <ilya.bakhtin@gmail.com>

Sun, 19 May 2024 17:04:32 +0000 (19:04 +0200)

committer Victor Julien <victor@inliniac.net>

Thu, 30 Jan 2025 20:52:07 +0000 (21:52 +0100)
author Ilya Bakhtin <ilya.bakhtin@gmail.com>
Sun, 19 May 2024 17:04:32 +0000 (19:04 +0200)
committer Victor Julien <victor@inliniac.net>
Thu, 30 Jan 2025 20:52:07 +0000 (21:52 +0100)
diff --git a/tests/dns/dns-dcerpc-reversed/input.pcap b/tests/dns/dns-dcerpc-reversed/input.pcap

new file mode 100755 (executable)

index 0000000..0a71017

Binary files /dev/null and b/tests/dns/dns-dcerpc-reversed/input.pcap differ
diff --git a/tests/dns/dns-dcerpc-reversed/test.yaml b/tests/dns/dns-dcerpc-reversed/test.yaml

new file mode 100644 (file)

index 0000000..a3bf031
--- /dev/null
+++ b/tests/dns/dns-dcerpc-reversed/test.yaml
@@ -0,0 +1,39 @@
+requires:
+  min-version: 8.0.0
+
+args:
+  - --set stream.midstream=true
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: dns
+        dns.type: request
+        src_ip: "172.28.255.122"
+        src_port: 54824
+        dest_ip: "192.168.1.12"
+        dest_port: 53
+
+  - filter:
+      count: 1
+      match:
+        event_type: dns
+        dns.type: response
+        dns.answers[0].rrtype: A
+        src_ip: "172.28.255.122"
+        src_port: 54824
+        dest_ip: "192.168.1.12"
+        dest_port: 53
+
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: dns
+        src_ip: "172.28.255.122"
+        src_port: 54824
+        dest_ip: "192.168.1.12"
+        dest_port: 53
+
author	Ilya Bakhtin <ilya.bakhtin@gmail.com>
	Sun, 19 May 2024 17:04:32 +0000 (19:04 +0200)
committer	Victor Julien <victor@inliniac.net>
	Thu, 30 Jan 2025 20:52:07 +0000 (21:52 +0100)
tests/dns/dns-dcerpc-reversed/input.pcap	[new file with mode: 0755]	patch \| blob
tests/dns/dns-dcerpc-reversed/test.yaml	[new file with mode: 0644]	patch \| blob