Copy existing tests to a pre8 variant for 7.0 testing.
local dataset = require("suricata.dataset")
+local dns = require("suricata.dns")
function init (args)
local needs = {}
function match (args)
ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
- query = DnsGetDnsRrname()
+ local tx = dns.get_tx()
+ query = tx:rrname()
if query == nil then
return 0
end
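Review bot: The `tx` returned by `dns.get_tx()` is indexed immediately at `query = tx:rrname()` with no nil check, so a failed transaction lookup raises a Lua error inside match() instead of returning 0; the test-request.lua hunk further down guards the same call with `local tx, err = dns.get_tx()` / `if tx == nil then ... return 0 end`, and the unguarded form recurs in the test-response.lua, lua-output-dns, base64 and hashlib hunks. `query` is also assigned as a global here, as the removed line was; `local query = tx:rrname()` keeps it script-local. The enclosing match() continues outside the hunk.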
--- /dev/null
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
--- /dev/null
+function init (args)
+ local needs = {}
+ needs["dns.request"] = tostring(true)
+ return needs
+end
+
+function count(t)
+ local count = 0
+ for _ in pairs(t) do
+ count = count + 1
+ end
+ return count
+end
+
+function match(args)
+ if DnsGetTxid() ~= 36146 then
+ return 0
+ end
+
+ -- The requested name.
+ local rrname = DnsGetDnsRrname()
+ if rrname ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ -- Queries
+ local queries = DnsGetQueries()
+ if queries == nil then return 0 end
+
+ -- There should only be one query.
+ if count(queries) ~= 1 then return 0 end
+
+ local query = queries[0]
+
+ if query["type"] ~= "A" then
+ return 0
+ end
+
+ if query["rrname"] ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ local answers = DnsGetAnswers()
+ if answers == nil then return 0 end
+ if count(answers) ~= 0 then return 0 end
+
+ local authorities = DnsGetAuthorities()
+ if authorities == nil then return 0 end
+ if count(authorities) ~= 0 then return 0 end
+
+ return 1
+end
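Review bot: In `function count(t)` the counter `local count = 0` shadows the function's own name for the rest of its body, which reads confusingly and would break if the helper ever needed to call itself; `local n = 0` / `n = n + 1` / `return n` avoids that. The same helper is duplicated verbatim in the new test-response.lua below, so the rename applies there too.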
--- /dev/null
+function init (args)
+ local needs = {}
+ needs["dns.response"] = tostring(true)
+ return needs
+end
+
+function count(t)
+ local count = 0
+ for _ in pairs(t) do
+ count = count + 1
+ end
+ return count
+end
+
+function match(args)
+ if DnsGetTxid() ~= 36146 then
+ return 0
+ end
+
+ -- The requested name.
+ local rrname = DnsGetDnsRrname()
+ if rrname ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ -- Queries
+ local queries = DnsGetQueries()
+ if queries == nil then return 0 end
+
+ -- There should only be one query.
+ if count(queries) ~= 1 then return 0 end
+
+ local query = queries[0]
+
+ if query["type"] ~= "A" then
+ return 0
+ end
+
+ if query["rrname"] ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ local rcode = DnsGetRcode()
+ print(rcode)
+
+ local answers = DnsGetAnswers()
+ if answers == nil then return 0 end
+ if count(answers) ~= 3 then return 0 end
+
+ local authorities = DnsGetAuthorities()
+ if authorities == nil then return 0 end
+ if count(authorities) ~= 0 then return 0 end
+
+ -- TODO: Look at the answers.
+
+ return 1
+end
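Review bot: `print(rcode)` at the rcode step only echoes the value and asserts nothing, so a response carrying a non-zero rcode would still match. The removed legacy logger formats the same value with `%s` and its test.yaml greps `NXDOMAIN` out of that output, which suggests DnsGetRcode() returns the code as a string; `if rcode ~= "NOERROR" then return 0 end` would pin it, but confirm the exact string the 7.0 binding returns before relying on it. The 8.x variant of this script in the same commit checks both the numeric and string forms.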
--- /dev/null
+function init (args)
+ local needs = {}
+ needs["dns.rrname"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ rrname = tostring(args["dns.rrname"])
+ if rrname == "www.suricata-ids.org" then
+ return 1
+ end
+ return 0
+end
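Review bot: `rrname = tostring(args["dns.rrname"])` assigns a global from inside match(); `local rrname = tostring(args["dns.rrname"])` keeps it scoped to the call. Worth a short comment that `tostring(nil)` yields the string "nil", so a missing field makes the comparison fail quietly rather than error, e.g. `-- args["dns.rrname"] may be nil; tostring() keeps the compare safe`.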
--- /dev/null
+alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+ lua:test-rrname.lua; sid:1; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.request"; \
+ lua:test-request.lua; sid:2; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.response"; \
+ lua:test-response.lua; sid:3; rev:1;)
+
\ No newline at end of file
--- /dev/null
+pcap: ../cond-log-dns-dig/input.pcap
+
+requires:
+ features:
+ - HAVE_LUA
+ lt-version: 8
+
+args:
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+local dns = require("suricata.dns")
+
function init (args)
local needs = {}
needs["dns.request"] = tostring(true)
end
function match(args)
- if DnsGetTxid() ~= 36146 then
+ local tx, err = dns.get_tx()
+ if tx == nil then
+ print(err)
+ return 0
+ end
+
+ if tx:txid() ~= 36146 then
return 0
end
-- The requested name.
- local rrname = DnsGetDnsRrname()
+ local rrname = tx:rrname()
if rrname ~= "www.suricata-ids.org" then
return 0
end
-- Queries
- local queries = DnsGetQueries()
+ local queries = tx:queries()
if queries == nil then return 0 end
-- There should only be one query.
return 0
end
- local answers = DnsGetAnswers()
+ local answers = tx:answers()
if answers == nil then return 0 end
if count(answers) ~= 0 then return 0 end
- local authorities = DnsGetAuthorities()
+ local authorities = tx:authorities()
if authorities == nil then return 0 end
if count(authorities) ~= 0 then return 0 end
+local dns = require("suricata.dns")
+
function init (args)
local needs = {}
needs["dns.response"] = tostring(true)
end
function match(args)
- if DnsGetTxid() ~= 36146 then
+ local tx = dns.get_tx()
+
+ if tx:txid() ~= 36146 then
return 0
end
-- The requested name.
- local rrname = DnsGetDnsRrname()
+ local rrname = tx:rrname()
if rrname ~= "www.suricata-ids.org" then
return 0
end
-- Queries
- local queries = DnsGetQueries()
+ local queries = tx:queries()
if queries == nil then return 0 end
-- There should only be one query.
return 0
end
- local rcode = DnsGetRcode()
- print(rcode)
+ local rcode = tx:rcode()
+ if rcode ~= 0 then
+ return 0
+ end
+
+ local rcode_string = tx:rcode_string()
+ if rcode_string ~= "NOERROR" then
+ return 0
+ end
- local answers = DnsGetAnswers()
+ local answers = tx:answers()
if answers == nil then return 0 end
if count(answers) ~= 3 then return 0 end
- local authorities = DnsGetAuthorities()
+ local authorities = tx:authorities()
if authorities == nil then return 0 end
if count(authorities) ~= 0 then return 0 end
pcap: ../cond-log-dns-dig/input.pcap
requires:
- features:
- - HAVE_LUA
+ min-version: 8
args:
- --set security.lua.allow-rules=true
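Review bot: Replacing `features: - HAVE_LUA` with `min-version: 8` drops the build-feature guard, so on an 8.x build configured without Lua this test would run and fail rather than be skipped, unless Lua is unconditionally built into 8.x, in which case the guard was redundant and this is fine; please confirm which. The lua-output-dns test.yaml hunk further down makes the same change.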
+++ /dev/null
-Tests the output of DNS being logged by Lua.
-
-PCAPs created by Jason Ish.
+++ /dev/null
-%YAML 1.1
----
-
-include: ../../etc/suricata-3.1.2.yaml
-
-rule-files:
-
-outputs:
- - lua:
- enabled: yes
- scripts-dir: .
- scripts:
- - test.lua
+++ /dev/null
-filename = "lua-dns.log"
-
-function init (args)
- local needs = {}
- needs["protocol"] = "dns"
- return needs
-end
-
-function setup (args)
- SCLogNotice("lua: setup()")
- file = assert(io.open(SCLogPath() .. "/" .. filename, "w"))
-end
-
-function log(args)
- ts = SCPacketTimeString()
- ip_ver, src_ip, dst_ip, proto, sp, dp = SCFlowTuple()
- tx_id = DnsGetTxid()
-
- queries = DnsGetQueries()
- if queries ~= nil then
- for n, t in pairs(queries) do
- msg = string.format(
- "%s [**] Query TX %04x [**] %s [**] %s [**] %s:%d -> %s:%d",
- ts,
- tx_id,
- t["rrname"],
- t["type"],
- src_ip,
- sp,
- dst_ip,
- dp)
- write(msg)
- end
- end
-
- rcode = DnsGetRcode()
- if rcode ~= nil then
- msg = string.format(
- "%s [**] Response TX %04x [**] %s [**] %s:%d -> %s:%d",
- ts,
- tx_id,
- rcode,
- src_ip,
- sp,
- dst_ip,
- dp)
- write(msg)
- end
-
- answers = DnsGetAnswers()
- if answers ~= nil then
- for n, t in pairs(answers) do
- msg = string.format(
- "%s [**] Response TX %04x [**] %s [**] %s [**] TTL %d [**] %s [**] %s:%d -> %s:%d",
- ts,
- tx_id,
- t["rrname"],
- t["type"],
- t["ttl"],
- t["addr"],
- src_ip,
- sp,
- dst_ip,
- dp);
- write(msg)
- end
- end
-
- authorities = DnsGetAuthorities()
- if authorities ~= nil then
- for n, t in pairs(authorities) do
- msg = string.format(
- "%s [**] Response TX %04x [**] %s [**] %s [**] TTL %d [**] %s:%d -> %s:%d",
- ts,
- tx_id,
- t["rrname"],
- t["type"],
- t["ttl"],
- src_ip,
- sp,
- dst_ip,
- dp);
- write(msg)
- end
- end
-
-end
-
-function deinit(args)
- file:close(file)
-end
-
-function write(msg)
- file:write(msg .. "\n")
-end
+++ /dev/null
-requires:
- features:
- - HAVE_LUA
- lt-version: 8
-
-pcap: ../lua-output-dns/test.pcap
-
-checks:
- - shell:
- args: grep -q "Query TX 0d4f \[\*\*\] block.dropbox.com \[\*\*\] A \[\*\*\] 10.16.1.11:49697 -> 10.16.1.1:53" lua-dns.log
- - shell:
- args: cat lua-dns.log | grep Response | grep client-cf.dropbox.com | wc -l
- expect: 2
- - shell:
- args: cat lua-dns.log | grep "Response TX 62b2" | grep NXDOMAIN | wc -l
- expect: 1
- - shell:
- args: grep SOA lua-dns.log | wc -l
- expect: 1
local packet = require "suricata.packet"
+local dns = require "suricata.dns"
filename = "lua-dns.log"
p = packet.get()
ts = p:timestring_legacy()
ip_ver, src_ip, dst_ip, proto, sp, dp = SCFlowTuple()
- tx_id = DnsGetTxid()
+ local tx = dns.get_tx()
+ tx_id = tx:txid()
- queries = DnsGetQueries()
+ queries = tx:queries()
if queries ~= nil then
for n, t in pairs(queries) do
msg = string.format(
end
end
- rcode = DnsGetRcode()
- if rcode ~= nil then
+ rcode_string = tx:rcode_string()
+ if rcode_string ~= nil then
msg = string.format(
"%s [**] Response TX %04x [**] %s [**] %s:%d -> %s:%d",
ts,
tx_id,
- rcode,
+ rcode_string,
src_ip,
sp,
dst_ip,
write(msg)
end
- answers = DnsGetAnswers()
+ answers = tx:answers()
if answers ~= nil then
for n, t in pairs(answers) do
msg = string.format(
end
end
- authorities = DnsGetAuthorities()
+ authorities = tx:authorities()
if authorities ~= nil then
for n, t in pairs(authorities) do
msg = string.format(
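Review bot: The old guard `if rcode ~= nil` relied on DnsGetRcode() being nil for request transactions so that only responses produced a `Response TX` line; the new `if rcode_string ~= nil` only preserves that if `tx:rcode_string()` likewise returns nil for requests, which the hunk does not show. If it instead returns a string for every transaction, queries would also emit a Response line and the `grep Response | ... wc -l` expectations in test.yaml would no longer hold. The enclosing log() starts before and continues after the hunk.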
requires:
min-version: 8
- features:
- - HAVE_LUA
checks:
- shell:
-- script. More thourough testing of base64 in rule.lua.
local base64 = require("suricata.base64")
+local dns = require("suricata.dns")
local expected_base64 = "d3d3LnN1cmljYXRhLWlkcy5vcmc="
end
function log(args)
- queries = DnsGetQueries()
+ local tx = dns.get_tx()
+ queries = tx:queries()
if queries ~= nil then
for n, t in pairs(queries) do
local hashlib = require("suricata.hashlib")
+local dns = require("suricata.dns")
-- We don't actually use, but the script will fail to run if it fails
-- to "require".
end
function log(args)
- queries = DnsGetQueries()
+ local tx = dns.get_tx()
+ queries = tx:queries()
if queries ~= nil then
for n, t in pairs(queries) do
if hashlib.md5_hexdigest(t["rrname"]) == expected_md5 then