--- /dev/null
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;)
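Review bot: The invalid-opcode rule on the last line of the hunk is the only rule in the file without an explanatory comment, while every other rule is introduced by one (malformed data, response flag, Z flag). Add a one-line comment above it in the same style, e.g. `# Opcode field holds a value the DNS parser does not recognize`, so the rules file stays self-describing. It is also the only rule without a `flow:` direction besides the Z-flag one, which matches the test expecting the alert in both directions, so that looks intentional.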
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+env:
+ SURICATA_EVE_DNS_VERSION: 2
+
+checks:
+
+# Simple check for one query.
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+
+# Simple check for one answer.
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: answer
+
+# One alert in to_server direction.
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_server
+
+# One alert in to_client direction.
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_client
+
+# Generated checks below.
+
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ direction: to_server
+ dns.id: 1
+ dns.opcode: 9
+ dns.queries[0].rrname: suricata.io
+ dns.queries[0].rrtype: A
+ dns.tx_id: 0
+ dns.type: request
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+ tx_id: 0
+
+- filter:
+ lt-version: 8
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ direction: to_server
+ dns.query[0].id: 1
+ dns.query[0].opcode: 9
+ dns.query[0].rrname: suricata.io
+ dns.query[0].rrtype: A
+ dns.query[0].tx_id: 0
+ dns.query[0].type: query
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: dns
+ anomaly.event: invalid_opcode
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ event_type: anomaly
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ dns.id: 1
+ dns.opcode: 9
+ dns.rrname: suricata.io
+ dns.rrtype: A
+ dns.tx_id: 0
+ dns.type: query
+ event_type: dns
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+- filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 1.1.1.1
+ dest_port: 5333
+ direction: to_client
+ dns.flags: c800
+ dns.id: 1
+ dns.opcode: 9
+ dns.qr: true
+ dns.rcode: NOERROR
+ dns.answers[0].rrname: suricata.io
+ dns.answers[0].rrtype: A
+ dns.type: response
+ dns.version: 3
+ event_type: alert
+ flow.bytes_toclient: 98
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 2.2.2.2
+ src_port: 53
+ tx_id: 1
+- filter:
+ requires:
+ lt-version: 8
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 1.1.1.1
+ dest_port: 5333
+ direction: to_client
+ dns.answer.flags: c800
+ dns.answer.id: 1
+ dns.answer.opcode: 9
+ dns.answer.qr: true
+ dns.answer.rcode: NOERROR
+ dns.answer.rrname: suricata.io
+ dns.answer.rrtype: A
+ dns.answer.type: answer
+ dns.answer.version: 2
+ event_type: alert
+ flow.bytes_toclient: 98
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 2.2.2.2
+ src_port: 53
+ tx_id: 1
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: dns
+ anomaly.event: invalid_opcode
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 1.1.1.1
+ dest_port: 5333
+ event_type: anomaly
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 2.2.2.2
+ src_port: 53
+ tx_id: 1
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ dns.answers[0].rdata: 127.0.0.1
+ dns.answers[0].rrname: suricata.io
+ dns.answers[0].rrtype: A
+ dns.answers[0].ttl: 0
+ dns.flags: c800
+ dns.grouped.A[0]: 127.0.0.1
+ dns.id: 1
+ dns.opcode: 9
+ dns.qr: true
+ dns.rcode: NOERROR
+ dns.rrname: suricata.io
+ dns.rrtype: A
+ dns.type: answer
+ dns.version: 2
+ event_type: dns
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 98
+ flow.bytes_toserver: 71
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
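Review bot: The version gates are spelled two different ways in this file: the first two generated alert checks put `min-version: 8` / `lt-version: 8` directly under `filter:`, while the two to_client alert checks later nest the same keys under a `requires:` block inside the filter. If the harness honours only one of these spellings, the other is silently ignored and that check runs on every Suricata version, where its `count: 1` against a field layout the other schema never emits (`dns.queries[0]` vs `dns.query[0]`, `dns.flags` vs `dns.answer.flags`) would fail. Pick whichever form suricata-verify documents and use it for all four gated checks, e.g. `- filter:` / `  requires:` / `    min-version: 8` throughout, or the flat form throughout. A smaller point worth confirming: the ungated dns answer check expects `dns.version: 2` (matching `SURICATA_EVE_DNS_VERSION: 2`), while the version-8 alert metadata check expects `dns.version: 3`; if the env setting is not meant to apply to alert metadata on 8 that is fine, but a short comment saying so would save the next reader the question.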