As this is a DNS test move into dns/.
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.38.129.234
+ dest_port: 53
+ dns.id: 28390
+ dns.queries[0].rrname: code.msdn.microsoft.com
+ dns.queries[0].rrtype: A
+ dns.tx_id: 0
+ dns.type: request
+ event_type: dns
+ pcap_cnt: 1
+ proto: UDP
+ src_ip: 192.168.69.156
+ src_port: 49379
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 192.38.129.234
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 83
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: new
+ proto: UDP
+ src_ip: 192.168.69.156
+ src_port: 49379
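Review bot: The first entry under `checks` (`count: 0` on `event_type: alert`) is a purely negative assertion, so it also passes when the ttl:0 rule in the accompanying rules file never loads (wrong path or a parse failure), which would hide exactly the regression this test exists to catch. Consider pairing it with a positive assertion that the engine loaded the rule — if the stats record is enabled, a filter on `event_type: stats` matching `stats.detect.engines[0].rules_loaded: 1` would do — or at least a comment above the check naming the rule and stating why no alert is expected for this capture. The file also declares no `pcap:` key, so it relies on a capture sitting next to the test; since the commit moves the test into dns/, confirm the pcap moved with it or add an explicit `pcap:` path. A `---` document start would bring the file in line with yamllint defaults.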
--- /dev/null
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
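Review bot: The commented-out `$EXTERNAL_NET`/`$HOME_NET` variant on the first line is kept with the same `sid:1321` as the active any/any rule, with nothing saying why the address variables were dropped; a one-line comment such as `# any/any so the fixture does not depend on HOME_NET/EXTERNAL_NET defaults` (or deleting the dead line) would make the intent clear. The `\;` inside the `reference:url` values is the escape for a literal semicolon in a rule option and should stay as written.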
args:
- -k none
+env:
+ SURICATA_EVE_DNS_VERSION: 2
+
+pcap: ../../bug-990/input.pcap
+
checks:
- filter:
count: 0