dns dig test: break into eve v1 and v2 tests
authorJason Ish <jason.ish@oisf.net>
Mon, 20 Apr 2020 17:22:40 +0000 (11:22 -0600)
committerJason Ish <jason.ish@oisf.net>
Wed, 29 Apr 2020 21:08:05 +0000 (15:08 -0600)
Replace the EVE DNS dig test with 2 tests, one for v1 and
one for v2, both with higher detail matching.

13 files changed:
tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/README.md [deleted file]
tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml [deleted file]
tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules [deleted file]
tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml [deleted file]
tests/dns-udp-dig-a-www-suricata-ids-org/README.md [deleted file]
tests/dns-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap [deleted file]
tests/dns-udp-dig-a-www-suricata-ids-org/test.yaml [deleted file]
tests/dns-udp-eve-v1-dig/README.md [new file with mode: 0644]
tests/dns-udp-eve-v1-dig/suricata.yaml [moved from tests/dns-udp-dig-a-www-suricata-ids-org/suricata.yaml with 68% similarity]
tests/dns-udp-eve-v1-dig/test.yaml [new file with mode: 0644]
tests/dns-udp-eve-v2-dig/README.md [new file with mode: 0644]
tests/dns-udp-eve-v2-dig/input.pcap [moved from tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap with 100% similarity]
tests/dns-udp-eve-v2-dig/test.yaml [new file with mode: 0644]

diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/README.md b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/README.md
deleted file mode 100644 (file)
index e6728ad..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-Test DNS EVE decoding/output for a basic DNS request.
-
-This test checks v2 of the eve/dns output.
-
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml
deleted file mode 100644 (file)
index 37792da..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-%YAML 1.1
----
-
-outputs:
-  - eve-log:
-      enabled: true
-      types:
-        - alert:
-        - dns:
-            enabled: true
-            version: 2
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules
deleted file mode 100644 (file)
index 6d7050a..0000000
+++ /dev/null
@@ -1 +0,0 @@
-alert dns any any -> any any (msg:"TEST dns_query"; dns_query; content:"suricata-ids.org"; sid:1; rev:1;)
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml
deleted file mode 100644 (file)
index da4a878..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-requires:
-  features:
-    - HAVE_LIBJANSSON
-  min-version: 4.1.0
-
-checks:
-
-  - filter:
-      comment: request
-      count: 1
-      match:
-        event_type: dns
-        dns.type: query
-        dns.rrname: www.suricata-ids.org
-
-  - filter:
-      comment: response
-      count: 1
-      match:
-        event_type: dns
-        dns.type: answer
-        dns.answers[0].rrtype: CNAME
-        dns.answers[1].rrtype: A
-        dns.answers[2].rrtype: A
-
-  # Check that the alert contains a DNS object.
-  - filter:
-      count: 1
-      comment: alert with dns object
-      match:
-        event_type: alert
-        dns.query[0].type: query
diff --git a/tests/dns-udp-dig-a-www-suricata-ids-org/README.md b/tests/dns-udp-dig-a-www-suricata-ids-org/README.md
deleted file mode 100644 (file)
index ea42c65..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Basic DNS test running on valid data.
diff --git a/tests/dns-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap b/tests/dns-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap
deleted file mode 100644 (file)
index 663a679..0000000
Binary files a/tests/dns-udp-dig-a-www-suricata-ids-org/dig-a-www.suricata-ids.org.pcap and /dev/null differ
diff --git a/tests/dns-udp-dig-a-www-suricata-ids-org/test.yaml b/tests/dns-udp-dig-a-www-suricata-ids-org/test.yaml
deleted file mode 100644 (file)
index 23a2d96..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-requires:
-  features:
-    - HAVE_LIBJANSSON
-
-checks:
-
-  - filter:
-      comment: dns query count
-      count: 1
-      match:
-        event_type: dns
-        dns.type: query
-
-  - filter:
-      comment: cname count
-      count: 1
-      match:
-        event_type: dns
-        dns.rrtype: CNAME
-
-  - filter:
-      comment: a rrtype count
-      count: 3
-      match:
-        event_type: dns
-        dns.rrtype: A
-
-  - filter:
-      comment: answer count
-      count: 3
-      match:
-        event_type: dns
-        dns.type: answer
diff --git a/tests/dns-udp-eve-v1-dig/README.md b/tests/dns-udp-eve-v1-dig/README.md
new file mode 100644 (file)
index 0000000..c4faeee
--- /dev/null
@@ -0,0 +1 @@
+DNS EVE v1 test of a dig against www.suricata-ids.org.
similarity index 68%
rename from tests/dns-udp-dig-a-www-suricata-ids-org/suricata.yaml
rename to tests/dns-udp-eve-v1-dig/suricata.yaml
index 04fea5f3adddc6d971d941d7b8cbc75849327d6b..beab613ba49234a98518f0bf0c287f9d938a497e 100644 (file)
@@ -4,8 +4,6 @@
 outputs:
   - eve-log:
       enabled: yes
-      filetype: regular
-      filename: eve.json
       types:
         - dns:
             version: 1
diff --git a/tests/dns-udp-eve-v1-dig/test.yaml b/tests/dns-udp-eve-v1-dig/test.yaml
new file mode 100644 (file)
index 0000000..a6562ef
--- /dev/null
@@ -0,0 +1,85 @@
+pcap: ../dns-udp-eve-v2-dig/input.pcap
+
+checks:
+- filter:
+    count: 4
+    match:
+      event_type: dns
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.id: 36146
+      dns.rrname: www.suricata-ids.org
+      dns.rrtype: A
+      dns.tx_id: 0
+      dns.type: query
+      event_type: dns
+      pcap_cnt: 1
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 41805
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.flags: 81a0
+      dns.id: 36146
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rdata: suricata-ids.org
+      dns.rrname: www.suricata-ids.org
+      dns.rrtype: CNAME
+      dns.ttl: 3544
+      dns.type: answer
+      event_type: dns
+      pcap_cnt: 2
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 41805
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.flags: 81a0
+      dns.id: 36146
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rdata: 192.0.78.24
+      dns.rrname: suricata-ids.org
+      dns.rrtype: A
+      dns.ttl: 244
+      dns.type: answer
+      event_type: dns
+      pcap_cnt: 2
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 41805
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.flags: 81a0
+      dns.id: 36146
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rdata: 192.0.78.25
+      dns.rrname: suricata-ids.org
+      dns.rrtype: A
+      dns.ttl: 244
+      dns.type: answer
+      event_type: dns
+      pcap_cnt: 2
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 41805
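Review bot: The `pcap:` key on the first line of this hunk points outside the test's own directory, at `../dns-udp-eve-v2-dig/input.pcap`, so the v1 test silently depends on the v2 test keeping that name and location; renaming or removing the sibling would break this test with nothing in this file hinting why. Either copy the capture into this directory as `input.pcap` (the default the v2 test already relies on) or record the coupling above the key, e.g. `# Capture is shared with ../dns-udp-eve-v2-dig; rename or remove the two tests together.`. The deleted tests/dns-udp-dig-a-www-suricata-ids-org/test.yaml also carried `requires: features: [HAVE_LIBJANSSON]`, which the replacement drops — presumably deliberate if the suite no longer targets builds without JSON output, but worth confirming. A minor quoting caveat on `dns.flags: 81a0` (and the same key in the v2 test): the value stays a string only because of the `a`; a capture whose flags were all decimal digits would be read by the YAML loader as an integer and presumably fail to match the JSON string, so `dns.flags: "81a0"` is the safer form to copy from.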
diff --git a/tests/dns-udp-eve-v2-dig/README.md b/tests/dns-udp-eve-v2-dig/README.md
new file mode 100644 (file)
index 0000000..b62bf50
--- /dev/null
@@ -0,0 +1 @@
+DNS EVE v2 test of a dig against www.suricata-ids.org.
diff --git a/tests/dns-udp-eve-v2-dig/test.yaml b/tests/dns-udp-eve-v2-dig/test.yaml
new file mode 100644 (file)
index 0000000..00361e4
--- /dev/null
@@ -0,0 +1,55 @@
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: dns
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.id: 36146
+      dns.rrname: www.suricata-ids.org
+      dns.rrtype: A
+      dns.tx_id: 0
+      dns.type: query
+      event_type: dns
+      pcap_cnt: 1
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 41805
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.1
+      dest_port: 53
+      dns.answers[0].rdata: suricata-ids.org
+      dns.answers[0].rrname: www.suricata-ids.org
+      dns.answers[0].rrtype: CNAME
+      dns.answers[0].ttl: 3544
+      dns.answers[1].rdata: 192.0.78.24
+      dns.answers[1].rrname: suricata-ids.org
+      dns.answers[1].rrtype: A
+      dns.answers[1].ttl: 244
+      dns.answers[2].rdata: 192.0.78.25
+      dns.answers[2].rrname: suricata-ids.org
+      dns.answers[2].rrtype: A
+      dns.answers[2].ttl: 244
+      dns.flags: 81a0
+      dns.grouped.A[0]: 192.0.78.24
+      dns.grouped.A[1]: 192.0.78.25
+      dns.grouped.CNAME[0]: suricata-ids.org
+      dns.id: 36146
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rrname: www.suricata-ids.org
+      dns.rrtype: A
+      dns.type: answer
+      dns.version: 2
+      event_type: dns
+      pcap_cnt: 2
+      proto: UDP
+      src_ip: 10.16.1.11
+      src_port: 41805
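Review bot: The replacement drops two things the deleted tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml had: the `requires: min-version: 4.1.0` guard and the alert check (`event_type: alert` with `dns.query[0].type: query`) driven by its test.rules, so this hunk no longer verifies that an alert carries the DNS object and will be attempted on any Suricata version. If a version floor still matters for DNS EVE v2 output, restore `requires:` / `  min-version: 4.1.0` at the top of the file; if the alert-with-dns-object coverage was not meant to be lost, it needs a rule file and a third filter, neither of which this commit carries. The `count: 2` on the first filter is consistent with v2 emitting one answer record per response, unlike the per-record counting of the older v1-style test, so that part reads as intended.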