--- /dev/null
+# Description
+
+Translation of unit test DetectDnsQueryTest01
+
+Positive test of keyword `dns.query` with its alias `dns_query` on a simple DNS/UDP request/query
+
+test simple google.com query matching
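Review bot: the last line ("test simple google.com query matching") only repeats the title; the README should state what the pcap carries (a single google.com query and its response, if that is the layout) and that no alert is expected on the response, since that is the property the `count: 1` check in test.yaml actually relies on.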
--- /dev/null
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)
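Review bot: only the legacy `dns_query` alias is exercised in this rule, although the README names `dns.query` as the keyword under test; either add a second signature with the current form, for example `alert dns any any -> any any (msg:"Test dns.query option"; dns.query; content:"google"; nocase; sid:2;)` with its own check, or drop `dns.query` from the description. Note also that `content:"google"; nocase;` is a substring match, so any queried name containing "google" would fire; acceptable for a positive test, but worth a comment if the pcap contains other names.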
--- /dev/null
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
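Review bot: the single filter asserts one alert for sid 1 in total but not which packet produced it; add a second filter with `pcap_cnt` (as test02's yaml does) so a regression that matches the response instead of the query cannot pass with the same count. `min-version: 8.0.0` is also stricter than the `dns_query` keyword itself requires; if the bound is only there because this test replaces a unittest from that release, say so in the README.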
--- /dev/null
+# Description
+
+Translation of unit test DetectDnsQueryTest02
+
+Tests of keyword `dns.query` with some DNS/UDP traffic.
+Especially tests that we do not match on DNS response.
+
+test multi tx google.(com|net) query matching
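Review bot: "multi tx" and "we do not match on DNS response" are the key claims, but the README never says how the pcap is laid out; spell out which packets are the google.com and google.net queries and which are their responses (the `pcap_cnt: 1` and `pcap_cnt: 3` checks in test.yaml suggest packets 1 and 3 are the queries), so a reader can verify the checks without opening the pcap. Minor wording: "Tests of keyword `dns.query`" reads better as "Tests the keyword `dns.query`".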
--- /dev/null
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;)
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.net"; nocase; sid:2;)
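Review bot: both signatures carry the identical `msg:"Test dns_query option"`, so eve output can only be told apart by sid; give them distinct messages (for example `msg:"dns_query google.com"` and `msg:"dns_query google.net"`). Since `content:"google.com"` is a substring match, names such as `google.com.example` would also fire on sid 1; if the intent is to match the whole name, anchor it with `endswith` or `bsize`.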
--- /dev/null
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 3
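Review bot: the pairing of `count: 1` without `pcap_cnt` and `count: 1` with `pcap_cnt: 1` (and likewise `pcap_cnt: 3` for sid 2) is the right way to prove each sid fires exactly once and only on the query packet, but it is the only place the "no match on DNS response" claim is tested; an additional filter on `event_type: alert` alone with `count: 2` would also catch any unexpected extra alert from either rule.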
--- /dev/null
+# Description
+
+Translation of unit test DetectDnsQueryTest03
+
+Positive test of keyword `dns.query` with its alias `dns_query` on a simple DNS/TCP request/query
+
+test simple google.com query matching (TCP)
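Review bot: the README should explain why the TCP variant needs `--set stream.midstream=true --set stream.inline=true` in test.yaml, that is whether the pcap lacks the three-way handshake (hence midstream) and what inline mode changes for this test; without that, a later reader cannot tell whether the options are required or were copied over.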
--- /dev/null
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)
--- /dev/null
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none --set stream.midstream=true --set stream.inline=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
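Review bot: as in test01, the single filter cannot distinguish an alert on the query from one on the response; add a `pcap_cnt` filter pinning the query packet. Also confirm that `stream.inline=true` is actually needed for the alert to fire; if `stream.midstream=true` alone suffices, drop the inline setting to keep the test minimal and the reason for each option clear.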
--- /dev/null
+# Description
+
+Translation of unit test DetectDnsQueryTest04
+
+Test of keyword `dns.query` with pcre usage
+
+test simple google.com query matching, pcre
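Review bot: the description should say what the two pcre forms in test.rules exercise: sid 1 anchors the full name with `google\.com$`, while sid 2 uses the `R` (relative) modifier to match the TLD immediately after the `content:"google"` hit. That is the interesting part of this test and is not conveyed by "test simple google.com query matching, pcre".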
--- /dev/null
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; pcre:"/google\.com$/i"; sid:1;)
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; pcre:"/^\.[a-z]{2,3}$/iR"; sid:2;)
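Review bot: in sid 2, `pcre:"/^\.[a-z]{2,3}$/iR"` with the `R` modifier anchors `^` at the end of the preceding `content:"google"` match, so it only fires when "google" is immediately followed by a two- or three-letter label that ends the name; `google.co.uk` would not match. That is presumably intended, but it should be stated in the README. Same remark as test02 on the identical `msg` strings for sid 1 and sid 2.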
--- /dev/null
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
--- /dev/null
+# Description
+
+Translation of unit test DetectDnsQueryTest05
+
+Tests of keyword `dns.query` with some DNS/UDP traffic.
+Also tests app-layer event, related to bug #839.
+
+test multi tx google.(com|net) query matching + app layer event
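Review bot: name the app-layer event under test (`dns.z_flag_set`, per test.rules) and say which packet has the Z flag set, rather than just "app layer event"; likewise "bug #839" should say which tracker it refers to, since the number alone is not resolvable from this repository.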
--- /dev/null
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;)
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.net"; nocase; sid:2;)
+alert dns any any -> any any (msg:"Test Z flag event"; app-layer-event:dns.z_flag_set; sid:3;)
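Review bot: sid 3 alerts on `app-layer-event:dns.z_flag_set` with `any any -> any any`, so it fires regardless of whether the Z bit is set in a query or a response; the `pcap_cnt: 2` expectation in test.yaml therefore depends on the pcap layout, and a comment or README line stating which packet carries the set Z flag would make that explicit. As with the other rule files, give the three signatures distinct `msg` strings.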
--- /dev/null
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ pcap_cnt: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 3
\ No newline at end of file
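Review bot: the file is missing its trailing newline (`\ No newline at end of file`); add it. The checks are consistent with test02 plus the Z-flag alert pinned to `pcap_cnt: 2`, but, as there, a filter on `event_type: alert` alone with `count: 3` would additionally catch any unexpected extra alert.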