--- /dev/null
+Test the 'dns.response' sticky buffer.
+
+This test verifies that data in a name field or an rdata field
+of a DNS response will trigger a signature.
\ No newline at end of file
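Review bot: The README ends without a trailing newline (see the "\ No newline at end of file" marker after its last line); please add one. The description also says "a name field or an rdata field" without saying which sections are exercised, while the rule comments are specific (Query section name, Authority section rdata), so consider stating that here too.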
--- /dev/null
+# Will alert on name field of Query section in response
+alert dns any any -> any any (dns.response; content: "dne.oisf.net"; sid:1; rev:1;)
+
+# Will alert on rdata field of Authority section in response
+alert dns any any -> any any (dns.response; content: "ns-110.awsdns-13.com"; sid:2; rev:1;)
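Review bot: Neither rule carries a msg option, so the alerts for sid 1 and sid 2 are identified only by number in the output. Consider moving the text of each comment into a msg on its rule (for example, one naming the Query section name match and one naming the Authority section rdata match) so a failing check is easier to read.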
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../dns-eve-v2-udp-nxdomain-soa/dns-udp-nxdomain-soa.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ direction: to_client
+ app_proto: dns
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ direction: to_client
+ app_proto: dns
+
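Review bot: Both filters match on direction: to_client together with count: 1, so an alert from the same sid in the to_server direction would not be counted and the test would still pass. Since dns.response is meant to apply to responses only and the name dne.oisf.net is also what the query asks for, consider adding a filter with count: 0 for alert.signature_id: 1 and direction: to_server, or dropping direction from the match so count: 1 covers all alerts for that sid.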