eve/dns: test eve/dns filtering 150/head
authorJason Ish <jason.ish@oisf.net>
Wed, 13 Nov 2019 17:32:49 +0000 (11:32 -0600)
committerJason Ish <jason.ish@oisf.net>
Wed, 13 Nov 2019 17:34:57 +0000 (11:34 -0600)
To confirm ticket:
https://redmine.openinfosecfoundation.org/issues/3231

tests/dns-eve-type-filtering/suricata.yaml [new file with mode: 0644]
tests/dns-eve-type-filtering/test.pcap [new file with mode: 0644]
tests/dns-eve-type-filtering/test.yaml [new file with mode: 0644]

diff --git a/tests/dns-eve-type-filtering/suricata.yaml b/tests/dns-eve-type-filtering/suricata.yaml
new file mode 100644 (file)
index 0000000..e498af6
--- /dev/null
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+outputs:
+
+  - eve-log:
+      enabled: yes
+      filename: all.json
+      types:
+        - dns:
+            version: 2
+
+  - eve-log:
+      enabled: yes
+      filename: only-a.json
+      types:
+        - dns:
+            version: 2
+            types: [a]
+
+  - eve-log:
+      enabled: yes
+      filename: a-and-aaaa-requests-only.json
+      types:
+        - dns:
+            version: 2
+            requests: yes
+            responses: no
+            types: [a, aaaa]
+
+  - eve-log:
+      enabled: yes
+      filename: mx-responses-only.json
+      types:
+        - dns:
+            version: 2
+            requests: no
+            responses: yes
+            types: [mx]
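Review bot: The first logger (`filename: all.json`) leaves `requests` and `responses` unset, so the baseline of 14 events that test.yaml expects from it depends on both defaulting to enabled, while the last two loggers set them explicitly. Making the control explicit with `requests: yes` and `responses: yes` under its `dns:` block keeps the expected count independent of any default change and signals that this logger is the unfiltered reference the filtered ones are compared against. The `only-a.json` logger has the same gap, since it filters by record type only and still relies on the request/response defaults.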
diff --git a/tests/dns-eve-type-filtering/test.pcap b/tests/dns-eve-type-filtering/test.pcap
new file mode 100644 (file)
index 0000000..d53a586
Binary files /dev/null and b/tests/dns-eve-type-filtering/test.pcap differ
diff --git a/tests/dns-eve-type-filtering/test.yaml b/tests/dns-eve-type-filtering/test.yaml
new file mode 100644 (file)
index 0000000..610a490
--- /dev/null
@@ -0,0 +1,68 @@
+requires:
+  min-version: 4.1
+
+checks:
+
+  - filter:
+      filename: all.json
+      count: 14
+      match:
+        event_type: "dns"
+
+  # Check that we only have requests and responses for A records.
+  - filter:
+      filename: only-a.json
+      count: 4
+      match:
+        event_type: "dns"
+  - filter:
+      filename: only-a.json
+      count: 4
+      match:
+        event_type: "dns"
+        dns.rrtype: "A"
+
+  # Check that we only have A and AAAA requests.
+  - filter:
+      filename: a-and-aaaa-requests-only.json
+      count: 4
+      match:
+        event_type: "dns"
+  - filter:
+      filename: a-and-aaaa-requests-only.json
+      count: 2
+      match:
+        event_type: "dns"
+        dns.rrtype: "A"
+  - filter:
+      filename: a-and-aaaa-requests-only.json
+      count: 2
+      match:
+        event_type: "dns"
+        dns.rrtype: "AAAA"
+  - filter:
+      filename: a-and-aaaa-requests-only.json
+      count: 4
+      match:
+        event_type: "dns"
+        dns.type: "query"
+
+  # Check that we only have 3 log entries, and that they are all MX
+  # responses.
+  - filter:
+      filename: mx-responses-only.json
+      count: 3
+      match:
+        event_type: "dns"
+  - filter:
+      filename: mx-responses-only.json
+      count: 3
+      match:
+        event_type: "dns"
+        dns.type: "answer"
+  - filter:
+      filename: mx-responses-only.json
+      count: 3
+      match:
+        event_type: "dns"
+        dns.rrtype: "MX"
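Review bot: The comment above the `only-a.json` checks says the file should hold requests and responses for A records, but the two checks only pin the total (4) and that all 4 are `dns.rrtype: "A"`; nothing asserts the query/answer split, so a logger that dropped all answers and duplicated queries would still pass. The a-and-aaaa-requests-only.json checks show the pcap contains 2 A queries, so a `dns.type: "query"` check with count 2 follows directly; the answer count is presumably the remaining 2 and should be confirmed against the pcap before it is committed. Adding the two filters below after the existing `only-a.json` entries would make the checks match the comment.

```yaml
  # Check that we only have requests and responses for A records.
  # … unchanged: the two existing only-a.json checks (count 4 / rrtype A) …
  - filter:
      filename: only-a.json
      count: 2
      match:
        event_type: "dns"
        dns.type: "query"
  - filter:
      filename: only-a.json
      count: 2  # remainder after the 2 queries; confirm against test.pcap
      match:
        event_type: "dns"
        dns.type: "answer"
```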