]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1b7e92d)
tests: add test for dotprefix transform
authorJeff Lucovsky <jeff@lucovsky.org>
Sun, 14 Jul 2019 18:52:09 +0000 (14:52 -0400)
committerVictor Julien <victor@inliniac.net>
Thu, 12 Sep 2019 15:34:58 +0000 (17:34 +0200)
12 files changed:
tests/detect-dotprefix-01/README.md [new file with mode: 0644] patch | blob
tests/detect-dotprefix-01/input.pcap [new file with mode: 0644] patch | blob
tests/detect-dotprefix-01/test.rules [new file with mode: 0644] patch | blob
tests/detect-dotprefix-01/test.yaml [new file with mode: 0644] patch | blob
tests/detect-dotprefix-02/README.md [new file with mode: 0644] patch | blob
tests/detect-dotprefix-02/input.pcap [new file with mode: 0644] patch | blob
tests/detect-dotprefix-02/test.rules [new file with mode: 0644] patch | blob
tests/detect-dotprefix-02/test.yaml [new file with mode: 0644] patch | blob
tests/detect-dotprefix-03/README.md [new file with mode: 0644] patch | blob
tests/detect-dotprefix-03/input.pcap [new file with mode: 0644] patch | blob
tests/detect-dotprefix-03/test.rules [new file with mode: 0644] patch | blob
tests/detect-dotprefix-03/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/detect-dotprefix-01/README.md b/tests/detect-dotprefix-01/README.md
new file mode 100644 (file)
index 0000000..2d4b515
--- /dev/null
+++ b/tests/detect-dotprefix-01/README.md
@@ -0,0 +1 @@
+Extract the domain from a DNS request
diff --git a/tests/detect-dotprefix-01/input.pcap b/tests/detect-dotprefix-01/input.pcap
new file mode 100644 (file)
index 0000000..438ae60
Binary files /dev/null and b/tests/detect-dotprefix-01/input.pcap differ
diff --git a/tests/detect-dotprefix-01/test.rules b/tests/detect-dotprefix-01/test.rules
new file mode 100644 (file)
index 0000000..4c21096
--- /dev/null
+++ b/tests/detect-dotprefix-01/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (dns.query; dotprefix; content:".windowsupdate.com"; sid:1;)
+alert dns any any -> any any (dns.query; dotprefix; content:".com"; endswith; sid:2;)
diff --git a/tests/detect-dotprefix-01/test.yaml b/tests/detect-dotprefix-01/test.yaml
new file mode 100644 (file)
index 0000000..56db381
--- /dev/null
+++ b/tests/detect-dotprefix-01/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/detect-dotprefix-02/README.md b/tests/detect-dotprefix-02/README.md
new file mode 100644 (file)
index 0000000..2d4b515
--- /dev/null
+++ b/tests/detect-dotprefix-02/README.md
@@ -0,0 +1 @@
+Extract the domain from a DNS request
diff --git a/tests/detect-dotprefix-02/input.pcap b/tests/detect-dotprefix-02/input.pcap
new file mode 100644 (file)
index 0000000..c43a2fe
Binary files /dev/null and b/tests/detect-dotprefix-02/input.pcap differ
diff --git a/tests/detect-dotprefix-02/test.rules b/tests/detect-dotprefix-02/test.rules
new file mode 100644 (file)
index 0000000..f224962
--- /dev/null
+++ b/tests/detect-dotprefix-02/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (dns.query; dotprefix; content:".google.co.uk"; sid:1;)
+alert dns any any -> any any (dns.query; dotprefix; content:".co.uk"; endswith; sid:2;)
diff --git a/tests/detect-dotprefix-02/test.yaml b/tests/detect-dotprefix-02/test.yaml
new file mode 100644 (file)
index 0000000..2c911fa
--- /dev/null
+++ b/tests/detect-dotprefix-02/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/detect-dotprefix-03/README.md b/tests/detect-dotprefix-03/README.md
new file mode 100644 (file)
index 0000000..2d4b515
--- /dev/null
+++ b/tests/detect-dotprefix-03/README.md
@@ -0,0 +1 @@
+Extract the domain from a DNS request
diff --git a/tests/detect-dotprefix-03/input.pcap b/tests/detect-dotprefix-03/input.pcap
new file mode 100644 (file)
index 0000000..d5d7989
Binary files /dev/null and b/tests/detect-dotprefix-03/input.pcap differ
diff --git a/tests/detect-dotprefix-03/test.rules b/tests/detect-dotprefix-03/test.rules
new file mode 100644 (file)
index 0000000..0f017cb
--- /dev/null
+++ b/tests/detect-dotprefix-03/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; dotprefix; content:".google.com"; sid:1;)
diff --git a/tests/detect-dotprefix-03/test.yaml b/tests/detect-dotprefix-03/test.yaml
new file mode 100644 (file)
index 0000000..24d2dd8
--- /dev/null
+++ b/tests/detect-dotprefix-03/test.yaml
@@ -0,0 +1,10 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
Mirror of https://github.com/OISF/suricata-verify.git