--- /dev/null
+Test the `dns.rcode` header value.
+
+The PCAP here used the pcap from test dns-eve-v2-udp-nxdomain-soa with
+hex editing header flags to have the DNS query have something in the `rcode`
+section.
+
+Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6621
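Review bot: The README sentence about the capture does not say which value was written into the query's `rcode` field or which header bytes were edited, so the pcap cannot be regenerated or audited from this description. State the value (the rule for sid 3 implies 3) and the offset or flag bits changed, and reword the sentence, for example: "The pcap is taken from the test dns-eve-v2-udp-nxdomain-soa, with the query's header flags hex-edited so that its rcode field is non-zero."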
--- /dev/null
+# Should alert in client direction.
+alert dns any any -> any any (dns.rcode:3; flow:to_client; sid:1; rev:1;)
+
+# Should only alert in client direction.
+alert dns any any -> any any (dns.rcode:!2; flow:to_client; sid:2; rev:1;)
+
+# Should only alert in server direction.
+alert dns any any -> any any (dns.rcode:3; flow:to_server; sid:3; rev:1;)
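Review bot: The comment above sid 3 should explain that a request only matches `dns.rcode:3` because the query header in this pcap was hex-edited; without that, a reader will assume requests never carry a meaningful rcode and read the rule as a mistake. The comments are also inconsistent: sid 1 says "Should alert" while sids 2 and 3 say "Should only alert", although all three are pinned to one direction by `flow`. Finally, `dns.rcode:!2` is exercised only against a response that sid 1 already matches, so consider adding a rule whose value is absent from the pcap and is expected not to alert, to cover the non-matching path of the keyword.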
--- /dev/null
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ dest_ip: 10.16.1.11
+ dest_port: 59465
+ direction: to_client
+ app_proto: dns
+ event_type: alert
+ dns.answer.rcode: NXDOMAIN
+ src_ip: 8.8.4.4
+ src_port: 53
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ dest_ip: 10.16.1.11
+ dest_port: 59465
+ direction: to_client
+ app_proto: dns
+ event_type: alert
+ dns.answer.rcode: NXDOMAIN
+ src_ip: 8.8.4.4
+ src_port: 53
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ direction: to_server
+ app_proto: dns
+ event_type: alert
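Review bot: The checks only assert `count: 1` for the expected direction, so the "only" in the rule comments is never verified. Add filters with `count: 0` for the opposite direction of each sid (for example `alert.signature_id: 2` with `direction: to_server`). The filter for sid 3 is also looser than the other two: it matches on neither addresses nor ports, and it has no assertion on the DNS fields of the request, so it would pass even if the alert were attached to the wrong packet. Pin it with the request's `src_ip`, `dest_ip` and ports as the first two filters do for the response.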