From: Jason Ish Date: Mon, 1 May 2017 16:31:58 +0000 (-0600) Subject: dns tests: check for results instead of a file match X-Git-Tag: suricata-6.0.4~592 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06f9851d08b97ddebc0b5c3e7b7b1fa77a544d2d;p=thirdparty%2Fsuricata-verify.git dns tests: check for results instead of a file match so we don't fail when something like the flow id is changed due to other internal suricata changes
---
diff --git a/dns-json-log/check.sh b/dns-json-log/check.sh
new file mode 100755
index 000000000..0937ee901
--- /dev/null
+++ b/dns-json-log/check.sh
@@ -0,0 +1,22 @@
+#! /bin/sh
+
+# Expect 9 dns records.
+n=$(cat output/dns.json | jq -c 'select(.event_type == "dns")' | wc -l)
+if test $n -ne 9; then
+ echo "failed: expected 9 dns events, got $n"
+ exit 1
+fi
+
+# 4 are queries.
+n=$(cat output/dns.json | jq -c 'select(.event_type == "dns") | select(.dns.type == "query")' | wc -l)
+if test $n -ne 4; then
+ echo "failed: expected 4 dns queries, got $n"
+ exit 1
+fi
+
+# 4 are queries.
+n=$(cat output/dns.json | jq -c 'select(.event_type == "dns") | select(.dns.type == "answer")' | wc -l)
+if test $n -ne 5; then
+ echo "failed: expected 5 dns answers, got $n"
+ exit 1
+fi
diff --git a/dns-tcp-www-google-com/check.sh b/dns-tcp-www-google-com/check.sh
new file mode 100755
index 000000000..6e4bcc9ed
--- /dev/null
+++ b/dns-tcp-www-google-com/check.sh
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# One DNS request.
+n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type == "query")')
+assert_eq 1 $n "dns requests"
+
+# 12 DNS responses.
+n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type == "answer")')
+assert_eq 12 $n "dns responses"
diff --git a/dns-tcp-www-google-com/expected/eve.json b/dns-tcp-www-google-com/expected/eve.json
deleted file mode 100644
index c4a52d7a5..000000000
--- a/dns-tcp-www-google-com/expected/eve.json
+++ /dev/null
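Review bot: The comment above the third check in dns-json-log/check.sh reads `# 4 are queries.` while the code under it counts answers and expects 5; it should read `# 5 are answers.`. This script also reimplements the `cat | jq | wc -l` count and the failure message inline, whereas every other check.sh in this commit sources `../functions.sh` and uses `jq_count`/`assert_eq`; switching to the helpers, e.g. `n=$(jq_count output/dns.json 'select(.event_type == "dns")')` followed by `assert_eq 9 "$n" "dns events"`, would keep the scripts consistent. Note that the unquoted `$n` in `test $n -ne 9` is what makes this script tolerate the space-padded count that some `wc -l` implementations print; if the helpers are adopted, that tolerance has to live inside `jq_count` instead.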
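Review bot: `assert_eq 1 $n "dns requests"` and `assert_eq 12 $n "dns responses"` in dns-tcp-www-google-com/check.sh leave `$n` unquoted, while the other new check scripts in this commit pass `"$n"`; quoting it matches them and avoids word splitting of the helper's output: `assert_eq 1 "$n" "dns requests"`. The two counts are also the only assertions, so the test would pass on a run that logs 12 answers for a different name; since the deleted expected file showed every answer carrying `"rrname":"www.google.com"`, a third check such as `n=$(jq_count output/eve.json 'select(.dns.type == "answer") | select(.dns.rrname == "www.google.com")')` with `assert_eq 12 "$n" "www.google.com answers"` keeps that property under test.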
@@ -1,14 +0,0 @@
-{"timestamp":"2017-01-26T20:16:58.270700+0000","flow_id":358186737135978,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"query","id":24440,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.244"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.224"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.238"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.210"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.230"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.223"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.245"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.231"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.251"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.237"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.217"}}
-{"timestamp":"2017-01-26T20:16:58.270740+0000","flow_id":358186737135978,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","dns":{"type":"answer","id":24440,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":8,"rdata":"216.197.242.216"}}
-{"timestamp":"2017-01-26T20:16:58.309492+0000","flow_id":358186737135978,"event_type":"flow","src_ip":"10.16.1.11","src_port":38195,"dest_ip":"8.8.4.4","dest_port":53,"proto":"TCP","app_proto":"dns","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":461,"bytes_toclient":509,"start":"2017-01-26T20:16:58.192874+0000","end":"2017-01-26T20:16:58.309492+0000","age":0,"state":"closed","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
diff --git a/dns-udp-nxdomain-soa/check.sh b/dns-udp-nxdomain-soa/check.sh
old mode 100644
new mode 100755
index f1cdf9871..4f9582758
--- a/dns-udp-nxdomain-soa/check.sh
+++ b/dns-udp-nxdomain-soa/check.sh
@@ -1,13 +1,9 @@
#! /bin/sh
-expected='{"timestamp":"2017-01-27T16:03:18.623093+0000","flow_id":1899131178484213,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":59465,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33429,"rrname":"dne.oisf.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2017-01-27T16:03:18.709160+0000","flow_id":1899131178484213,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"10.16.1.11","dest_port":59465,"proto":"UDP","dns":{"type":"answer","id":33429,"rcode":"NXDOMAIN","rrname":"dne.oisf.net"}}
-{"timestamp":"2017-01-27T16:03:18.709160+0000","flow_id":1899131178484213,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"10.16.1.11","dest_port":59465,"proto":"UDP","dns":{"type":"answer","id":33429,"rcode":"NXDOMAIN","rrname":"oisf.net","rrtype":"SOA","ttl":899}}'
+. ../functions.sh
-actual=$(cat output/eve.json | jq -c 'select(.event_type == "dns")')
-
-if [ "${actual}" != "${expected}" ]; then
- exit 1
-fi
+# Look for 2 responses with rcode == "NXDOMAIN".
+n=$(jq_count output/eve.json 'select(.dns.rcode == "NXDOMAIN")')
+assert_eq 2 "$n" "nxdomain responses"
exit 0
diff --git a/eve-dns/check.sh b/eve-dns/check.sh
new file mode 100755
index 000000000..d0998c400
--- /dev/null
+++ b/eve-dns/check.sh
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# 4 queries.
+n=$(jq_count output/eve.json 'select(.dns.type == "query")')
+assert_eq 4 "$n" "queries"
+
+# 5 answers.
+n=$(jq_count output/eve.json 'select(.dns.type == "answer")')
+assert_eq 5 "$n" "answers"
diff --git a/eve-dns/expected/eve.json b/eve-dns/expected/eve.json
deleted file mode 100644
index afec32e8f..000000000
--- a/eve-dns/expected/eve.json
+++ /dev/null
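Review bot: The new filter `select(.dns.rcode == "NXDOMAIN")` in dns-udp-nxdomain-soa/check.sh counts NXDOMAIN records but no longer checks that one of them is the SOA record, which the removed `expected=` block showed as `"rrname":"oisf.net","rrtype":"SOA"` and which the test directory is named for. A second assertion keeps that under test: `n=$(jq_count output/eve.json 'select(.dns.rcode == "NXDOMAIN") | select(.dns.rrtype == "SOA")')` followed by `assert_eq 1 "$n" "nxdomain soa records"`. The filter also drops the `.event_type == "dns"` guard the removed `actual=` line had; on this output that is harmless because records of other event types carry no `.dns` key, but adding `select(.event_type == "dns") |` in front keeps the intent explicit and matches dns-tcp-www-google-com/check.sh in the same commit.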
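Review bot: The two counts in eve-dns/check.sh accept any run that logs 4 queries and 5 answers, so a regression in the names or record types logged would still pass; the deleted eve-dns/expected/eve.json in this commit shows exactly one `CNAME` answer among the five, which is a cheap property to keep, e.g. `n=$(jq_count output/eve.json 'select(.dns.rrtype == "CNAME")')` with `assert_eq 1 "$n" "cname answers"`. The filters here also omit the `select(.event_type == "dns")` guard that dns-tcp-www-google-com/check.sh uses in the same commit; either form works on this output, but one convention across the check scripts would be easier to maintain.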
@@ -1,9 +0,0 @@
-{"timestamp":"2016-05-24T23:27:01.960780+0000","flow_id":15684738590988,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":53679,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39339,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:02.333141+0000","flow_id":15684738590988,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":53679,"proto":"UDP","dns":{"type":"answer","id":39339,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":47,"rdata":"52.85.112.21"}}
-{"timestamp":"2016-05-24T23:27:02.832606+0000","flow_id":542660046009438,"pcap_cnt":3,"event_type":"dns","src_ip":"10.16.1.11","src_port":49697,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3407,"rrname":"block.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.085375+0000","flow_id":1585332076629375,"pcap_cnt":4,"event_type":"dns","src_ip":"10.16.1.11","src_port":33458,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44779,"rrname":"codemonkey.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.dropbox.com","rrtype":"CNAME","ttl":9,"rdata":"block.g1.dropbox.com"}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.g1.dropbox.com","rrtype":"A","ttl":8,"rdata":"45.58.70.33"}}
-{"timestamp":"2016-05-24T23:27:03.493333+0000","flow_id":1585332076629375,"pcap_cnt":6,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":33458,"proto":"UDP","dns":{"type":"answer","id":44779,"rcode":"NOERROR","rrname":"codemonkey.net","rrtype":"A","ttl":435,"rdata":"104.131.202.103"}}
-{"timestamp":"2016-05-24T23:27:04.653864+0000","flow_id":848126710184488,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":57634,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14681,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:04.654238+0000","flow_id":848126710184488,"pcap_cnt":8,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":57634,"proto":"UDP","dns":{"type":"answer","id":14681,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":45,"rdata":"52.85.112.21"}}
diff --git a/functions.sh b/functions.sh
new file mode 100644
index 000000000..f6eb66c24
--- /dev/null
+++ b/functions.sh
@@ -0,0 +1,10 @@
+jq_count() {
+ cat "$1" | jq -c "$2" | wc -l
+}
+
+assert_eq() {
+ if ! test "$1" = "$2"; then
+ echo "fail: expected $1; got $2: $3"
+ exit 1
+ fi
+}
diff --git a/single-dns-request/check.sh b/single-dns-request/check.sh
new file mode 100755
index 000000000..98038eb2d
--- /dev/null
+++ b/single-dns-request/check.sh
@@ -0,0 +1,12 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# One query for suricon.net.
+n=$(jq_count output/eve.json 'select(.dns.type == "query") | select(.dns.rrname == "suricon.net")')
+assert_eq 1 "$n" "request"
+
+# One answer with rdata of 181.224.138.142.
+n=$(jq_count output/eve.json 'select(.dns.type == "answer") | select(.dns.rdata == "181.224.138.142")')
+assert_eq 1 "$n" "response"
+
diff --git a/single-dns-request/expected/eve.json b/single-dns-request/expected/eve.json
deleted file mode 100644
index a245f1e85..000000000
--- a/single-dns-request/expected/eve.json
+++ /dev/null
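Review bot: `jq_count` in functions.sh returns the raw output of `wc -l`, which on BSD/macOS is padded with leading spaces, so the callers' quoted `assert_eq 1 "$n"` would compare `1` against a padded string and fail there; normalising inside the helper, `jq -c "$2" "$1" | wc -l | tr -d ' '`, fixes that for every caller and drops the `cat`. The pipeline also hides a `jq` failure (bad filter, unreadable file): under plain `sh` the exit status is that of `wc`, so the check script only sees a count of 0 and a misleading `fail: expected N; got 0` message rather than the real cause. Neither function has a header comment; a line such as `# jq_count FILE FILTER: print the number of records in FILE selected by the jq FILTER` above the first and `# assert_eq EXPECTED ACTUAL LABEL: exit 1 with a message unless EXPECTED equals ACTUAL` above the second would document the contract the check scripts rely on.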
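Review bot: The answer check in single-dns-request/check.sh, `select(.dns.type == "answer") | select(.dns.rdata == "181.224.138.142")`, does not tie the answer to the name that was queried; appending `| select(.dns.rrname == "suricon.net")` to that filter pins the rrname the deleted expected file showed on this answer. The file also ends with an extra blank line after the last `assert_eq` (the 12th added line), which none of the other new check scripts have.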
@@ -1,2 +0,0 @@
-{"timestamp":"2016-10-14T15:29:08.218361+0000","flow_id":1078835550639353,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":55487,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57403,"rrname":"suricon.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-10-14T15:29:08.218864+0000","flow_id":1078835550639353,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":55487,"proto":"UDP","dns":{"type":"answer","id":57403,"rcode":"NOERROR","rrname":"suricon.net","rrtype":"A","ttl":14379,"rdata":"181.224.138.142"}}