From: Jason Ish
Date: Thu, 20 Feb 2025 21:21:36 +0000 (-0600)
Subject: tests/dns: add dns.response.rrname to some tests for coverage
X-Git-Tag: suricata-7.0.9~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07bee71960336a85c53cfb9fea61b65287b12edd;p=thirdparty%2Fsuricata-verify.git
tests/dns: add dns.response.rrname to some tests for coverage
---
diff --git a/tests/dns/dns-additionals-rrname/test.rules b/tests/dns/dns-additionals-rrname/test.rules
index 63eabfe99..92f5f2b3e 100644
--- a/tests/dns/dns-additionals-rrname/test.rules
+++ b/tests/dns/dns-additionals-rrname/test.rules
@@ -2,3 +2,8 @@ alert dns any any -> any any (dns.queries.rrname; content:"suricata.io"; sid:1;
 alert dns any any -> any any (dns.authorities.rrname; content:"io"; sid:2; rev:1;)
 alert dns any any -> any any (dns.additionals.rrname; content:"a0.nic.io"; sid:3; rev:1;)
 alert dns any any -> any any (dns.additionals.rrname; content:"c0.nic.io"; sid:4; rev:1;)
+
+# Tests use more generic dns.response.rrname
+alert dns any any -> any any (dns.response.rrname; content:"suricata.io"; sid:5; rev:1;)
+alert dns any any -> any any (dns.response.rrname; content:"a0.nic.io"; sid:6; rev:1;)
+alert dns any any -> any any (dns.response.rrname; content:"c0.nic.io"; sid:7; rev:1;)
diff --git a/tests/dns/dns-additionals-rrname/test.yaml b/tests/dns/dns-additionals-rrname/test.yaml
index 3b48d6b21..6562da946 100644
--- a/tests/dns/dns-additionals-rrname/test.yaml
+++ b/tests/dns/dns-additionals-rrname/test.yaml
@@ -20,3 +20,15 @@ checks:
 count: 1
 match:
 alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 7
diff --git a/tests/dns/dns-answer-name/test.rules b/tests/dns/dns-answer-name/test.rules
index e6b01526f..c733a7821 100644
--- a/tests/dns/dns-answer-name/test.rules
+++ b/tests/dns/dns-answer-name/test.rules
@@ -6,3 +6,6 @@ alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_server
 
 # Should only alert in the response direction.
 alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_client; sid:3; rev:1;)
+
+# And the more generic rrname match in a response.
+alert dns any any -> any any (dns.response.rrname; content:"oisf"; flow:to_client; sid:4; rev:1;)
diff --git a/tests/dns/dns-answer-name/test.yaml b/tests/dns/dns-answer-name/test.yaml
index 4bc24a91e..80c0b9500 100644
--- a/tests/dns/dns-answer-name/test.yaml
+++ b/tests/dns/dns-answer-name/test.yaml
@@ -41,3 +41,10 @@ checks:
 alert.signature_id: 3
 direction: to_client
 app_proto: dns
+
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ direction: to_client
+ app_proto: dns
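Review bot: The comment introducing sid 5–7 in tests/dns/dns-additionals-rrname/test.rules describes the tests rather than the three rules under it, which makes it read oddly next to the per-section rules above. `# Same names matched via the more generic dns.response.rrname` states what the block is for and why it duplicates the content strings of sids 1, 3 and 4. The rule file's first line (sid 1) is only visible in the hunk header.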
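Review bot: The new checks for signature IDs 5, 6 and 7 in tests/dns/dns-additionals-rrname/test.yaml assert only `count: 1`, so they do not show that the alert came from the response. sid 5 matches "suricata.io", the same name sid 1 matches on the query section (visible in the rules hunk header), so a single alert on the request side would satisfy the same count if dns.response.rrname ever applied in that direction. Adding `direction: to_client` under each new `match:` block, as the dns-answer-name test does for its sid 4 check, pins the direction as well as the count. The `checks:` list begins before this hunk.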
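Review bot: sid 4 in tests/dns/dns-answer-name/test.rules pairs dns.response.rrname with `flow:to_client`, so the `direction: to_client` check added in the test.yaml hunk below only confirms what the flow keyword already enforces; whether dns.response.rrname by itself restricts matching to responses is not exercised. If, as its name suggests, the keyword is meant to be response-only, a second rule without the flow modifier, e.g. `alert dns any any -> any any (dns.response.rrname; content:"oisf"; sid:5; rev:1;)`, with a matching `count: 1` / `direction: to_client` check would cover that and would catch a regression where the keyword starts matching query names too. The existing rule is fine as written; this is a coverage gap only.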