dns txt test: break into v1 and v2 tests
authorJason Ish <jason.ish@oisf.net>
Mon, 20 Apr 2020 17:39:54 +0000 (11:39 -0600)
committerJason Ish <jason.ish@oisf.net>
Wed, 29 Apr 2020 21:08:05 +0000 (15:08 -0600)
Eliminating the check.sh test at the same time.

tests/dns-udp-eve-log-txt/README.md [deleted file]
tests/dns-udp-eve-log-txt/check.sh [deleted file]
tests/dns-udp-eve-log-txt/test.yaml [deleted file]
tests/dns-udp-eve-v1-txt/suricata.yaml [moved from tests/dns-udp-eve-log-txt/suricata.yaml with 81% similarity]
tests/dns-udp-eve-v1-txt/test.yaml [new file with mode: 0644]
tests/dns-udp-eve-v2-txt/input.pcap [moved from tests/dns-udp-eve-log-txt/dns-txt-google.com.pcap with 100% similarity]
tests/dns-udp-eve-v2-txt/test.yaml [new file with mode: 0644]

diff --git a/tests/dns-udp-eve-log-txt/README.md b/tests/dns-udp-eve-log-txt/README.md
deleted file mode 100644 (file)
index 5a1c088..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-Test that a TXT record is extracted and logged correctly to Eve.
-
diff --git a/tests/dns-udp-eve-log-txt/check.sh b/tests/dns-udp-eve-log-txt/check.sh
deleted file mode 100755 (executable)
index e9ac4b7..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-#! /bin/sh
-
-set -e
-
-txt=$(cat eve.json | \
-         jq -c 'select(.dns.type == "answer") | select(.dns.rrtype == "TXT") | .dns.rdata')
-test "${txt}" = '"v=spf1 include:_spf.google.com ~all"'
-
-
diff --git a/tests/dns-udp-eve-log-txt/test.yaml b/tests/dns-udp-eve-log-txt/test.yaml
deleted file mode 100644 (file)
index 56ea9b0..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-requires:
-  features:
-    - HAVE_LIBJANSSON
similarity index 81%
rename from tests/dns-udp-eve-log-txt/suricata.yaml
rename to tests/dns-udp-eve-v1-txt/suricata.yaml
index 5f7eded22dbe6f08572e51f398c349ce1949c786..beab613ba49234a98518f0bf0c287f9d938a497e 100644 (file)
@@ -4,7 +4,6 @@
 outputs:
   - eve-log:
       enabled: yes
-      filename: eve.json
       types:
         - dns:
             version: 1
diff --git a/tests/dns-udp-eve-v1-txt/test.yaml b/tests/dns-udp-eve-v1-txt/test.yaml
new file mode 100644 (file)
index 0000000..bca7278
--- /dev/null
@@ -0,0 +1,79 @@
+pcap: ../dns-udp-eve-v2-txt/input.pcap
+
+checks:
+- filter:
+    count: 4
+    match:
+      event_type: dns
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.id: 28243
+      dns.rrname: google.com
+      dns.rrtype: TXT
+      dns.tx_id: 0
+      dns.type: query
+      event_type: dns
+      pcap_cnt: 1
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 52345
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.id: 39372
+      dns.rrname: textsecure-service-ca.whispersystems.org
+      dns.rrtype: A
+      dns.tx_id: 0
+      dns.type: query
+      event_type: dns
+      pcap_cnt: 3
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 60922
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.flags: '8180'
+      dns.id: 28243
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rdata: v=spf1 include:_spf.google.com ~all
+      dns.rrname: google.com
+      dns.rrtype: TXT
+      dns.ttl: 3217
+      dns.type: answer
+      event_type: dns
+      pcap_cnt: 2
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 52345
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.flags: '8180'
+      dns.id: 39372
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rdata: 34.197.178.240
+      dns.rrname: textsecure-service-ca.whispersystems.org
+      dns.rrtype: A
+      dns.ttl: 5
+      dns.type: answer
+      event_type: dns
+      pcap_cnt: 4
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 60922
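Review bot: The new tests/dns-udp-eve-v1-txt/test.yaml has no `requires` block, although the test.yaml deleted in this commit gated the old directory on `HAVE_LIBJANSSON` and the moved suricata.yaml pins `version: 1` of the DNS eve output. If the runner is still used against builds without Jansson or without the v1 DNS format, this test would fail there instead of being skipped. Consider restoring the `requires:` / `features:` / `- HAVE_LIBJANSSON` entry, plus a version bound if one applies. The first line, `pcap: ../dns-udp-eve-v2-txt/input.pcap`, also makes this test depend on a sibling directory, so a comment above it such as `# capture is shared with dns-udp-eve-v2-txt` would help keep a later rename from breaking the v1 test unnoticed.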
diff --git a/tests/dns-udp-eve-v2-txt/test.yaml b/tests/dns-udp-eve-v2-txt/test.yaml
new file mode 100644 (file)
index 0000000..5f7461f
--- /dev/null
@@ -0,0 +1,123 @@
+# *** Add configuration here ***
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.id: 39372
+      dns.rrname: textsecure-service-ca.whispersystems.org
+      dns.rrtype: A
+      dns.tx_id: 0
+      dns.type: query
+      event_type: dns
+      pcap_cnt: 3
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 60922
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.id: 28243
+      dns.rrname: google.com
+      dns.rrtype: TXT
+      dns.tx_id: 0
+      dns.type: query
+      event_type: dns
+      pcap_cnt: 1
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 52345
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.answers[0].rdata: 34.197.178.240
+      dns.answers[0].rrname: textsecure-service-ca.whispersystems.org
+      dns.answers[0].rrtype: A
+      dns.answers[0].ttl: 5
+      dns.flags: '8180'
+      dns.grouped.A[0]: 34.197.178.240
+      dns.id: 39372
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rrname: textsecure-service-ca.whispersystems.org
+      dns.rrtype: A
+      dns.type: answer
+      dns.version: 2
+      event_type: dns
+      pcap_cnt: 4
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 60922
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.answers[0].rdata: v=spf1 include:_spf.google.com ~all
+      dns.answers[0].rrname: google.com
+      dns.answers[0].rrtype: TXT
+      dns.answers[0].ttl: 3217
+      dns.flags: '8180'
+      dns.grouped.TXT[0]: v=spf1 include:_spf.google.com ~all
+      dns.id: 28243
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rrname: google.com
+      dns.rrtype: TXT
+      dns.type: answer
+      dns.version: 2
+      event_type: dns
+      pcap_cnt: 2
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 52345
+- filter:
+    count: 1
+    match:
+      app_proto: dns
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      event_type: flow
+      flow.age: 0
+      flow.alerted: false
+      flow.bytes_toclient: 116
+      flow.bytes_toserver: 100
+      flow.end: 2017-06-08T15:45:58.525601+0000
+      flow.pkts_toclient: 1
+      flow.pkts_toserver: 1
+      flow.reason: shutdown
+      flow.start: 2017-06-08T15:45:58.520996+0000
+      flow.state: established
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 60922
+- filter:
+    count: 1
+    match:
+      app_proto: dns
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      event_type: flow
+      flow.age: 0
+      flow.alerted: false
+      flow.bytes_toclient: 129
+      flow.bytes_toserver: 81
+      flow.end: 2017-06-08T15:45:57.833020+0000
+      flow.pkts_toclient: 1
+      flow.pkts_toserver: 1
+      flow.reason: shutdown
+      flow.start: 2017-06-08T15:45:57.828730+0000
+      flow.state: established
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 52345
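Review bot: The two flow checks at the end of this file pin `flow.start` and `flow.end` as unquoted ISO-8601-looking scalars, which is fragile. A YAML 1.1 loader resolves plain scalars of timestamp shape to date objects, and these presumably stay strings only because the colon-less `+0000` offset falls outside that pattern. Quoting them, e.g. `flow.start: '2017-06-08T15:45:57.828730+0000'`, makes the comparison against the eve.json string explicit, as the file already does for `dns.flags: '8180'`. Separately, the first line is still the template placeholder `# *** Add configuration here ***`. With README.md deleted in this commit, replacing it with `# Test that a TXT record is extracted and logged correctly to Eve (DNS v2).` would preserve the stated purpose of the test.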