dns-opcode: test dns.opcode keyword

diff --git a/tests/dns-opcode/README.md b/tests/dns-opcode/README.md
new file mode 100644 (file)
index 0000000..5cfabb8
--- /dev/null
+++ b/tests/dns-opcode/README.md
@@ -0,0 +1,4 @@
+PCAP Source
+-----------
+
+https://www.pcapr.net/view/bortzmeyer+pcapr/2013/8/1/13/dns-notify.pcap.html

diff --git a/tests/dns-opcode/dns-notify.pcap b/tests/dns-opcode/dns-notify.pcap
new file mode 100644 (file)
index 0000000..bf3b26c
Binary files /dev/null and b/tests/dns-opcode/dns-notify.pcap differ

diff --git a/tests/dns-opcode/test.rules b/tests/dns-opcode/test.rules
new file mode 100644 (file)
index 0000000..db5a67a
--- /dev/null
+++ b/tests/dns-opcode/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (msg:"TEST OPCODE MATCH"; dns.opcode:4; flow:to_server; sid:1; rev:1;)
+alert dns any any -> any any (msg:"TEST OPCODE NEGATED MATCH"; dns.opcode:!0; flow:to_server; sid:2; rev:1;)

diff --git a/tests/dns-opcode/test.yaml b/tests/dns-opcode/test.yaml
new file mode 100644 (file)
index 0000000..a1f6fb1
--- /dev/null
+++ b/tests/dns-opcode/test.yaml
@@ -0,0 +1,21 @@
+requires:
+  min-version: 5.0.0
+
+checks:
+  # Should have one event for sid 1.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  # Should have one event for sid 2.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  # Should have 2 events total.
+  - filter:
+      count: 2
+      match:
+        event_type: alert