From: Jason Ish Date: Mon, 1 May 2017 21:36:21 +0000 (-0600) Subject: add test for issue 856 X-Git-Tag: suricata-6.0.4~590 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16da4f10650dc43b075e77a5b5924a6ee4497524;p=thirdparty%2Fsuricata-verify.git add test for issue 856 https://redmine.openinfosecfoundation.org/issues/856
---
diff --git a/dns-udp-z-flag-fp/README.md b/dns-udp-z-flag-fp/README.md
new file mode 100644
index 000000000..8c480cce8
--- /dev/null
+++ b/dns-udp-z-flag-fp/README.md
@@ -0,0 +1 @@
+From issue: https://redmine.openinfosecfoundation.org/issues/856
diff --git a/dns-udp-z-flag-fp/check.sh b/dns-udp-z-flag-fp/check.sh
new file mode 100644
index 000000000..5717a1d28
--- /dev/null
+++ b/dns-udp-z-flag-fp/check.sh
@@ -0,0 +1,7 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Check that there are no events.
+n=$(cat output/fast.log | wc -l)
+assert_eq 0 "$n" "no events expected"
diff --git a/dns-udp-z-flag-fp/dns-events.rules b/dns-udp-z-flag-fp/dns-events.rules
new file mode 100644
index 000000000..82ee63311
--- /dev/null
+++ b/dns-udp-z-flag-fp/dns-events.rules
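Review bot: A missing output/fast.log makes this check pass vacuously: in `n=$(cat output/fast.log | wc -l)` a failed cat leaves wc counting an empty stdin, so n is 0 and `assert_eq 0 "$n"` succeeds even when Suricata never wrote the log, which reports a broken run as "no false positive". Check that the file exists before counting and drop the cat, e.g. `[ -f output/fast.log ] || { echo "output/fast.log missing" >&2; exit 1; }` followed by `n=$(wc -l < output/fast.log)`. assert_eq comes from ../functions.sh, outside this hunk, so whether it already offers a file-presence helper cannot be seen here.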
@@ -0,0 +1,15 @@
+# Response (answer) we didn't see a Request for. Could be packet loss.
+alert dns any any -> any any (msg:"SURICATA DNS Unsolicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240003; rev:1;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)
+# Request Flood Detected
+alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)
+# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting.
+alert dns any any -> any any (msg:"SURICATA DNS flow memcap reached"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:2;)
diff --git a/dns-udp-z-flag-fp/suricatafpdnsdecoder.pcap b/dns-udp-z-flag-fp/suricatafpdnsdecoder.pcap
new file mode 100644
index 000000000..6437471b0
Binary files /dev/null and b/dns-udp-z-flag-fp/suricatafpdnsdecoder.pcap differ