outputs:
- eve-log:
enabled: yes
- filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filetype: regular
filename: eve.json
- #prefix: "@cee: " # prefix to prepend to each log entry
- # the following are valid when type: syslog above
- #identity: "suricata"
- #facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
- #redis:
- # server: 127.0.0.1
- # port: 6379
- # mode: list ## possible values: list (default), channel
- # key: suricata ## key or channel to use (default to suricata)
- # Redis pipelining set up. This will enable to only do a query every
- # 'batch-size' events. This should lower the latency induced by network
- # connection at the cost of some memory. There is no flushing implemented
- # so this setting as to be reserved to high traffic suricata.
- # pipelining:
- # enabled: yes ## set enable to yes to enable query pipelining
- # batch-size: 10 ## number of entry to keep in buffer
types:
- alert:
# payload: yes # enable dumping payload in Base64
# custom allows additional http fields to be included in eve-log
# the example below adds three additional fields when uncommented
#custom: [Accept-Encoding, Accept-Language, Authorization]
- - dns
+ - dns:
+ version: 1
- tls:
extended: yes # enable this for extended logging information
- files:
requires:
features:
- HAVE_LIBJANSSON
-
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
outputs:
- dns-json-log:
+ version: 1
enabled: yes
filename: dns.json
requires:
features:
- HAVE_LIBJANSSON
-
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
features:
- HAVE_LUA
-skip:
- - feature: RUST
- msg: Known issue with feature RUST
+# skip:
+# - feature: RUST
+# msg: Known issue with feature RUST
checks:
- filter:
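Review bot: The skip block is kept as commented-out configuration (`# skip:` / `# - feature: RUST` / `# msg: Known issue with feature RUST`) rather than deleted as the equivalent RUST skips are in the other test specs of this commit, so a reader cannot tell whether the RUST issue is resolved or merely silenced. Dead config in a test spec tends to be copied forward unchanged, so either remove the three lines outright or keep them with a one-line comment stating the reason they are retained, e.g. `# skip disabled: <reason> — re-enable if the RUST issue recurs`. The hunk's leading lines and its `@@` header are outside what is shown, so the file this belongs to is inferred from the `features:` / `HAVE_LUA` context.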
%YAML 1.1
---
-include: ../../etc/suricata-3.1.2.yaml
-
outputs:
- eve-log:
enabled: yes
filename: eve.json
types:
- - dns
+ - dns:
+ version: 1
requires:
features:
- HAVE_LIBJANSSON
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
%YAML 1.1
---
-include: ../../etc/suricata-3.1.2.yaml
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - dns:
+ version: 1
+
requires:
features:
- HAVE_LIBJANSSON
-
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# As a request was missing, we should have 2 requests, but 26
-# responses, as each request resulted in 12 responses.
-log=./eve.json
-
-n=$(cat ${log} | \
- jq -c 'select(.event_type == "dns") | select(.dns.type == "query")' | \
- wc -l | xargs)
-assert_eq 2 $n
-
-n=$(cat ${log} | \
- jq -c 'select(.event_type == "dns") | select(.dns.type == "answer")' | \
- wc -l | xargs)
-assert_eq 36 $n
-
-exit 0
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
+ version: 1
features:
- HAVE_LIBJANSSON
-skip:
- - config:
- # Skip if using eve.dns version 2.
- outputs.\d.eve-log.types.\d.dns.version: 2
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 36
+ match:
+ event_type: dns
+ dns.type: answer
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# One DNS request.
-n=$(jq_count eve.json 'select(.event_type == "dns") | select(.dns.type == "query")')
-assert_eq 1 $n "dns requests"
-
-# 12 DNS responses.
-n=$(jq_count eve.json 'select(.event_type == "dns") | select(.dns.type == "answer")')
-assert_eq 12 $n "dns responses"
%YAML 1.1
---
-include: ../../etc/suricata-3.1.2.yaml
-
# Remove stats logging.
stats:
enabled: no
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - dns:
+ version: 1
features:
- HAVE_LIBJANSSON
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
-
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 12
+ match:
+ event_type: dns
+ dns.type: answer
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - dns:
+ version: 1
features:
- HAVE_LIBJANSSON
-skip:
- - config:
- # Skip if using eve.dns version 2.
- outputs.\d.eve-log.types.\d.dns.version: 2
-
checks:
- filter:
+++ /dev/null
-#! /bin/sh
-
-# Check queries.
-c=$(cat eve.json | jq -c 'select(.dns.type == "query")' | wc -l | xargs)
-if [ "${c}" -ne 2 ]; then
- echo "error: expected 2 DNS queries, got ${c}"
- exit 1
-fi
-
-# Check answer count.
-c=$(cat eve.json | jq -c 'select(.dns.type == "answer")' | wc -l | xargs)
-if [ "${c}" -ne 9 ]; then
- echo "error: expected 9 DNS answers, got ${c}"
- exit 1
-fi
%YAML 1.1
---
-include: ../../etc/suricata-3.1.2.yaml
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
+ version: 1
features:
- HAVE_LIBJANSSON
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 9
+ match:
+ event_type: dns
+ dns.type: answer
filename: eve.json
types:
- dns:
+ version: 1
custom: [aaaa]
requires:
features:
- HAVE_LIBJANSSON
-
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
filename: eve.json
types:
- dns:
+ version: 1
query: no
answer: yes
requires:
features:
- HAVE_LIBJANSSON
-
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
filename: eve.json
types:
- dns:
+ version: 1
custom: [mx]
requires:
features:
- HAVE_LIBJANSSON
-
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
filename: eve.json
types:
- dns:
+ version: 1
query: yes
answer: no
requires:
features:
- HAVE_LIBJANSSON
-
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
+ version: 1
requires:
features:
- HAVE_LIBJANSSON
-
-skip:
- - config:
- # Skip if using eve.dns version 2.
- outputs.\d.eve-log.types.\d.dns.version: 2
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# Look for 2 responses with rcode == "NXDOMAIN".
-n=$(jq_count eve.json 'select(.dns.rcode == "NXDOMAIN")')
-assert_eq 2 "$n" "nxdomain responses"
-
-exit 0
%YAML 1.1
---
-include: ../../etc/suricata-3.1.2.yaml
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
+ version: 1
+
features:
- HAVE_LIBJANSSON
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.rcode: NXDOMAIN
+
+++ /dev/null
-#! /bin/sh
-
-# Check for 1 DNS request.
-n=$(cat eve.json | jq -c 'select(.dns.type == "query")' | wc -l | xargs)
-if [ ${n} -ne 1 ]; then
- exit 1
-fi
-
-# Check for 1 DNS response.
-n=$(cat eve.json | jq -c 'select(.dns.type == "answer")' | wc -l | xargs)
-if [ ${n} -ne 2 ]; then
- exit 1
-fi
-
-# Check for one alert.
-n=$(cat eve.json | jq -c 'select(.event_type == "alert")' | wc -l | xargs)
-if [ ${n} -ne 1 ]; then
- exit 1
-fi
-
-exit 0
+++ /dev/null
-# Response (answer) we didn't see a Request for. Could be packet loss.
-alert dns any any -> any any (msg:"SURICATA DNS Unsolicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)
-# Malformed data in request. Malformed means length fields are wrong, etc.
-alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)
-alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240003; rev:1;)
-# Response flag set on to_server packet
-alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)
-# Response flag not set on to_client packet
-alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)
-# Z flag (reserved) not 0
-alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)
-# Request Flood Detected
-alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)
-# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting.
-alert dns any any -> any any (msg:"SURICATA DNS flow memcap reached"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:2;)
%YAML 1.1
---
-include: ../../etc/suricata-3.1.2.yaml
+outputs:
+ - eve-log:
+ enabled: true
+ filename: eve.json
+ types:
+ - alert
+ - dns:
+ version: 1
features:
- HAVE_LIBJANSSON
-skip:
- - feature: RUST
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: answer
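Review bot: The new `checks:` section asserts the DNS query and answer counts (1 and 2) but not the alert count that the deleted `check.sh` shown earlier on this page enforced (`select(.event_type == "alert")`, expected 1), even though `- alert` stays enabled under `types:`. If that script belonged to this test, the YAML replacement silently weakens it, since an alert that stops firing would no longer fail the run. Consider adding a third filter for `event_type: alert`; if the alert expectation was dropped deliberately (the rules file removed in this commit may be why), a one-line comment saying so would make that explicit. Separately, `enabled: true` here differs from `enabled: yes` in every other test this commit touches; both are booleans under `%YAML 1.1`, but one spelling keeps the suite consistent and greppable.
```yaml
checks:
  # … unchanged: dns query / answer filters …
  - filter:
      count: 1
      match:
        event_type: alert
```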
script:
- grep METADATA_DEFAULTS src/output-json-alert.c > /dev/null
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
-
checks:
- filter:
script:
- grep METADATA_DEFAULTS src/output-json-alert.c > /dev/null
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
-
checks:
- filter:
script:
- grep METADATA_DEFAULTS src/output-json-alert.c > /dev/null
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
-
checks:
- filter:
-requires:
-
- # Require that we have metadata support, checked by looking for a
- # function.
- script:
- - grep JsonAddMetadata src/output-json.h > /dev/null
-
-skip:
- - feature: RUST
- msg: eve dns v1 not supported by rust
-
checks:
- filter: