new test for dns lua detect
authorJason Ish <ish@unx.ca>
Wed, 20 Dec 2017 20:26:31 +0000 (14:26 -0600)
committerJason Ish <ish@unx.ca>
Wed, 20 Dec 2017 20:26:31 +0000 (14:26 -0600)
Tests:
- dns.rrname
- dns.request
- dns.response

tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap [new file with mode: 0644]
tests/dns-lua-rules/suricata.yaml [new file with mode: 0644]
tests/dns-lua-rules/test-request.lua [new file with mode: 0644]
tests/dns-lua-rules/test-response.lua [new file with mode: 0644]
tests/dns-lua-rules/test-rrname.lua [new file with mode: 0644]
tests/dns-lua-rules/test.rules [new file with mode: 0644]
tests/dns-lua-rules/test.yaml [new file with mode: 0644]

diff --git a/tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap b/tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap
new file mode 100644 (file)
index 0000000..663a679
Binary files /dev/null and b/tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap differ
diff --git a/tests/dns-lua-rules/suricata.yaml b/tests/dns-lua-rules/suricata.yaml
new file mode 100644 (file)
index 0000000..51af22d
--- /dev/null
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
diff --git a/tests/dns-lua-rules/test-request.lua b/tests/dns-lua-rules/test-request.lua
new file mode 100644 (file)
index 0000000..281bff1
--- /dev/null
@@ -0,0 +1,52 @@
+function init (args)
+   local needs = {}
+   needs["dns.request"] = tostring(true)
+   return needs
+end
+
+function count(t)
+   local count = 0
+   for _ in pairs(t) do
+      count = count + 1
+   end
+   return count
+end
+
+function match(args)
+   if DnsGetTxid() ~= 36146 then
+      return 0
+   end
+
+   -- The requested name.
+   local rrname = DnsGetDnsRrname()
+   if rrname ~= "www.suricata-ids.org" then
+      return 0
+   end
+
+   -- Queries
+   local queries = DnsGetQueries()
+   if queries == nil then return 0 end
+
+   -- There should only be one query.
+   if count(queries) ~= 1 then return 0 end
+
+   local query = queries[0]
+
+   if query["type"] ~= "A" then
+      return 0
+   end
+   
+   if query["rrname"] ~= "www.suricata-ids.org" then
+      return 0
+   end
+
+   local answers = DnsGetAnswers()
+   if answers == nil then return 0 end
+   if count(answers) ~= 0 then return 0 end
+
+   local authorities = DnsGetAuthorities()
+   if authorities == nil then return 0 end
+   if count(authorities) ~= 0 then return 0 end
+
+   return 1
+end
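Review bot: `local query = queries[0]` indexes the query table at 0, which only works because the table returned by DnsGetQueries() is apparently 0-indexed rather than a Lua sequence; this is why the script counts entries with a pairs() loop instead of `#queries`, but nothing says so and a later reader is likely to "fix" it to `queries[1]` or `#queries`. A one-line comment would prevent that: `-- DnsGetQueries() appears to key entries from 0, so # and ipairs would not see the first query; index explicitly.` The same note applies to the answers and authorities tables, which are only counted here. The hard-coded transaction id 36146 and the expected zero answers/authorities are tied to the bundled pcap, which is fine for a fixture but worth stating in the header comment of the script.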
diff --git a/tests/dns-lua-rules/test-response.lua b/tests/dns-lua-rules/test-response.lua
new file mode 100644 (file)
index 0000000..ebf1304
--- /dev/null
@@ -0,0 +1,54 @@
+function init (args)
+   local needs = {}
+   needs["dns.response"] = tostring(true)
+   return needs
+end
+
+function count(t)
+   local count = 0
+   for _ in pairs(t) do
+      count = count + 1
+   end
+   return count
+end
+
+function match(args)
+   if DnsGetTxid() ~= 36146 then
+      return 0
+   end
+
+   -- The requested name.
+   local rrname = DnsGetDnsRrname()
+   if rrname ~= "www.suricata-ids.org" then
+      return 0
+   end
+
+   -- Queries
+   local queries = DnsGetQueries()
+   if queries == nil then return 0 end
+
+   -- There should only be one query.
+   if count(queries) ~= 1 then return 0 end
+
+   local query = queries[0]
+
+   if query["type"] ~= "A" then
+      return 0
+   end
+   
+   if query["rrname"] ~= "www.suricata-ids.org" then
+      return 0
+   end
+
+   local answers = DnsGetAnswers()
+   if answers == nil then return 0 end
+   if count(answers) ~= 3 then return 0 end
+
+   local authorities = DnsGetAuthorities()
+   if authorities == nil then return 0 end
+   if count(authorities) ~= 0 then return 0 end
+
+   -- TODO: Look at the answers.
+
+   return 1
+end
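Review bot: The response script checks only that three answers are present and leaves `-- TODO: Look at the answers.`, so a response whose answer records had the wrong type or owner name would still match and sid 3 would still fire; since this test exists to exercise the dns.response path, the answer content is the part worth pinning. If the answer tables expose the same `type` and `rrname` keys as the query tables (the field names are not visible in this commit and should be confirmed against the Lua DNS API), a small loop over them closes the gap. As in the request script, the 0-based indexing of the returned tables deserves a comment next to `queries[0]`.
```lua
   if count(answers) ~= 3 then return 0 end

   -- Every answer should be an A record for the queried name.
   for _, answer in pairs(answers) do
      if answer["type"] ~= "A" then return 0 end
      if answer["rrname"] ~= "www.suricata-ids.org" then return 0 end
   end

   -- … unchanged: authorities check and return 1 …
```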
diff --git a/tests/dns-lua-rules/test-rrname.lua b/tests/dns-lua-rules/test-rrname.lua
new file mode 100644 (file)
index 0000000..f5b1059
--- /dev/null
@@ -0,0 +1,13 @@
+function init (args)
+   local needs = {}
+   needs["dns.rrname"] = tostring(true)
+   return needs
+end
+
+function match(args)
+   rrname = tostring(args["dns.rrname"])
+   if rrname == "www.suricata-ids.org" then
+      return 1
+   end
+   return 0
+end
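Review bot: `rrname = tostring(args["dns.rrname"])` assigns without `local`, so it creates a global in the script's Lua state on every call; it should be `local rrname = args["dns.rrname"]`. Wrapping the value in tostring() also converts a missing buffer into the string "nil", which hides the absence behind a failed string compare; an explicit `if rrname == nil then return 0 end` makes the intent clear. The other two scripts in this commit already use `local` for their temporaries, so this is also a consistency fix.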
diff --git a/tests/dns-lua-rules/test.rules b/tests/dns-lua-rules/test.rules
new file mode 100644 (file)
index 0000000..7ff3f02
--- /dev/null
@@ -0,0 +1,7 @@
+alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+      lua:test-rrname.lua; sid:1; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.request"; \
+      lua:test-request.lua; sid:2; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.response"; \
+      lua:test-response.lua; sid:3; rev:1;)
+      
\ No newline at end of file
diff --git a/tests/dns-lua-rules/test.yaml b/tests/dns-lua-rules/test.yaml
new file mode 100644 (file)
index 0000000..14a3829
--- /dev/null
@@ -0,0 +1,8 @@
+requires:
+  features:
+    - HAVE_LUA
+
+checks:
+  - signature-id: 1
+  - signature-id: 2
+  - signature-id: 3
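Review bot: Each `signature-id` check relies on the harness's default alert count rather than stating one, and for sid 1 that matters: the rrname script matches on the query name, which is present in both the request and the response of the captured lookup, so whether the rule is expected to fire once or twice is not obvious from the test. Adding an explicit `count:` to each check (for example `- signature-id: 1` followed by `count: 1`) documents the expectation and keeps the test from silently passing if the default ever changes. Whether the default is 1 is not visible in this commit and should be confirmed against the runner.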