tests/dns: coverage for cname, ptr and mx rdata

diff --git a/pcaps/20250221-dns-ptr.pcap b/pcaps/20250221-dns-ptr.pcap
new file mode 100644 (file)
index 0000000..9dba8d2
Binary files /dev/null and b/pcaps/20250221-dns-ptr.pcap differ

diff --git a/pcaps/20250221-dns-ptr.pcap.txt b/pcaps/20250221-dns-ptr.pcap.txt
new file mode 100644 (file)
index 0000000..399f478
--- /dev/null
+++ b/pcaps/20250221-dns-ptr.pcap.txt
@@ -0,0 +1 @@
+PCAP generated for the purpose of testing the rdata in a PTR response.

diff --git a/tests/dns/dns-ptr/README.md b/tests/dns/dns-ptr/README.md
new file mode 100644 (file)
index 0000000..328936a
--- /dev/null
+++ b/tests/dns/dns-ptr/README.md
@@ -0,0 +1 @@
+Test DNS PTR response.

diff --git a/tests/dns/dns-ptr/test.rules b/tests/dns/dns-ptr/test.rules
new file mode 100644 (file)
index 0000000..3f4ef3e
--- /dev/null
+++ b/tests/dns/dns-ptr/test.rules
@@ -0,0 +1,2 @@
+# suricata.io only exists in the rdata of a ptr record
+alert dns any any -> any any (dns.response.rrname; content:"suricata.io"; sid:1;)

diff --git a/tests/dns/dns-ptr/test.yaml b/tests/dns/dns-ptr/test.yaml
new file mode 100644 (file)
index 0000000..563f29b
--- /dev/null
+++ b/tests/dns/dns-ptr/test.yaml
@@ -0,0 +1,10 @@
+requires:
+  min-version: 8
+
+pcap: ../../../pcaps/20250221-dns-ptr.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1

diff --git a/tests/dns/dns-query-name/test.rules b/tests/dns/dns-query-name/test.rules
index 756e3b89504f8d655271780a075e0b94b815276b..36c697177366070e34eeb85a09ed37ee67c3b02a 100644 (file)
--- a/tests/dns/dns-query-name/test.rules
+++ b/tests/dns/dns-query-name/test.rules
@@ -6,3 +6,6 @@ alert dns any any -> any any (dns.queries.rrname; content:"suricata"; flow:to_se
 
 # Only alert on responses.
 alert dns any any -> any any (dns.queries.rrname; content:"suricata"; flow:to_client; sid:3; rev:1;)
+
+alert dns any any -> any any (dns.response.rrname; content:"suricata-ids.org"; sid:4; rev:1;)
+

diff --git a/tests/dns/dns-query-name/test.yaml b/tests/dns/dns-query-name/test.yaml
index 5b8f9e4e3345868c8f9dd4c9cc210228ea1eab44..f7b53b10e0332845cc297b3c8480afdfbcaf2492 100644 (file)
--- a/tests/dns/dns-query-name/test.yaml
+++ b/tests/dns/dns-query-name/test.yaml
@@ -26,3 +26,7 @@ checks:
       match:
         alert.signature_id: 3
         direction: to_client
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 4

diff --git a/tests/dns/dns-response-mx/suricata.yaml b/tests/dns/dns-response-mx/suricata.yaml
new file mode 100644 (file)
index 0000000..8654eb0
--- /dev/null
+++ b/tests/dns/dns-response-mx/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert:
+        - dns:
+            types: [mx]

diff --git a/tests/dns/dns-response-mx/test.rules b/tests/dns/dns-response-mx/test.rules
new file mode 100644 (file)
index 0000000..da1d7ff
--- /dev/null
+++ b/tests/dns/dns-response-mx/test.rules
@@ -0,0 +1,2 @@
+# only exists in mx rdata
+alert dns any any -> any any (dns.response.rrname; content:"aspmx.l.google.com"; sid:1; rev:1;)

diff --git a/tests/dns/dns-response-mx/test.yaml b/tests/dns/dns-response-mx/test.yaml
new file mode 100644 (file)
index 0000000..3bf9a7d
--- /dev/null
+++ b/tests/dns/dns-response-mx/test.yaml
@@ -0,0 +1,10 @@
+requires:
+  min-version: 8
+
+pcap: ../../dns/dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1