Add a test for DNS probing when the first request from the client is junk
authorPhilippe Antoine <contact@catenacyber.fr>
Wed, 17 Jul 2019 13:30:08 +0000 (15:30 +0200)
committerVictor Julien <victor@inliniac.net>
Mon, 13 Jun 2022 06:25:43 +0000 (08:25 +0200)
tests/dns-udp-junkrequest-first/README.md [new file with mode: 0644]
tests/dns-udp-junkrequest-first/client.py [new file with mode: 0644]
tests/dns-udp-junkrequest-first/input.pcap [new file with mode: 0644]
tests/dns-udp-junkrequest-first/test.yaml [new file with mode: 0644]

diff --git a/tests/dns-udp-junkrequest-first/README.md b/tests/dns-udp-junkrequest-first/README.md
new file mode 100644 (file)
index 0000000..9160beb
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Test DNS detection when first request from client is junk.
+
+# PCAP
+
+The pcap comes from running the present dummy python script client.py which first sends junk (SNMP request actually), then a regular DNS request.
diff --git a/tests/dns-udp-junkrequest-first/client.py b/tests/dns-udp-junkrequest-first/client.py
new file mode 100644 (file)
index 0000000..7048292
--- /dev/null
@@ -0,0 +1,16 @@
+import socket
+import binascii
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.connect(("192.168.1.1", 53))
+
+snmp = binascii.unhexlify("3040020103300f02030091c8020205dc040104020103041530130400020100020100040561646d696e04000400301304000400a00d02030091c80201000201003000")
+dns = binascii.unhexlify("c58e012000010000000000010b636174656e61637962657202467200000100010000291000000000000000")
+a = sock.send(snmp)
+data = sock.recv(2000)
+print "1", binascii.hexlify(data)
+a = sock.send(dns)
+data = sock.recv(2000)
+print "2", binascii.hexlify(data)
+
+sock.close()
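Review bot: Both `sock.recv(2000)` calls (the one after the SNMP payload in particular) block indefinitely if the resolver silently drops the datagram, so regenerating the pcap can hang with no diagnostic; adding `sock.settimeout(5)` right after `sock.connect(...)` turns that into a `socket.timeout` that fails loudly. The two `print "1", ...` / `print "2", ...` statements are Python 2 syntax and raise a SyntaxError on Python 3, where `print("1", binascii.hexlify(data))` is the equivalent. The value bound to `a` is never read, and `sock.close()` is skipped whenever `recv()` raises — wrapping the body in `with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:` removes both issues. The two hex payloads deserve a one-line comment each so the next reader does not have to decode them, e.g. `# junk first: an SNMP request (see README), not DNS` and `# then a real DNS query for catenacyber.Fr`.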
diff --git a/tests/dns-udp-junkrequest-first/input.pcap b/tests/dns-udp-junkrequest-first/input.pcap
new file mode 100644 (file)
index 0000000..8b87f79
Binary files /dev/null and b/tests/dns-udp-junkrequest-first/input.pcap differ
diff --git a/tests/dns-udp-junkrequest-first/test.yaml b/tests/dns-udp-junkrequest-first/test.yaml
new file mode 100644 (file)
index 0000000..f486093
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  min-version: 7
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+
+  # Check that there is one DNS event with specific parameters.
+  - filter:
+      count: 1
+      match:
+        event_type: dns
+        dns.type: query
+        dns.rrname: catenacyber.Fr
+  # Check that there is one flow event with DNS.
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: dns
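Review bot: The checks cover only the query side of the DNS exchange; client.py in the same commit reads a reply after sending the DNS request, so if the pcap contains that response (not verifiable here, the pcap is binary), a third filter pinning exactly one `dns.type: answer` event for `catenacyber.Fr` would also catch the case where the leading junk datagram breaks parsing of the subsequent answer rather than the query. The `count: 1` on the query filter is what actually asserts that the SNMP datagram was not parsed as a DNS query, but the comment above it does not say so; `# Exactly one query: the leading junk datagram must not be parsed as DNS.` would make the intent of the test explicit. If the answer is present in the pcap, the added filter would look like this:
```yaml
  # … unchanged: query and flow filters …
  # Check that the DNS answer is still parsed after the junk datagram.
  - filter:
      count: 1
      match:
        event_type: dns
        dns.type: answer
        dns.rrname: catenacyber.Fr
```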