From: Jason Ish
Date: Tue, 9 May 2017 21:20:56 +0000 (-0600)
Subject: add tests for dns log filtering
X-Git-Tag: suricata-6.0.4~584
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24e29d924f95c3b4f1e9b16f7b6da0d8c9b5cf5d;p=thirdparty%2Fsuricata-verify.git
add tests for dns log filtering
---
diff --git a/dns-udp-eve-log-answer-only/check.sh b/dns-udp-eve-log-answer-only/check.sh
new file mode 100755
index 000000000..b61a5e149
--- /dev/null
+++ b/dns-udp-eve-log-answer-only/check.sh
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Should be no answers.
+n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type != "answer")')
+assert_eq 0 $n "only answers expected"
+
+exit 0
+
diff --git a/dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap b/dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap
new file mode 100644
index 000000000..def918f21
Binary files /dev/null and b/dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap differ
diff --git a/dns-udp-eve-log-answer-only/suricata.yaml b/dns-udp-eve-log-answer-only/suricata.yaml
new file mode 100644
index 000000000..1bf5f71d8
--- /dev/null
+++ b/dns-udp-eve-log-answer-only/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - dns:
+ query: no
+ answer: yes
+
diff --git a/dns-udp-eve-log-mx-only/check.sh b/dns-udp-eve-log-mx-only/check.sh
new file mode 100755
index 000000000..639a4d436
--- /dev/null
+++ b/dns-udp-eve-log-mx-only/check.sh
@@ -0,0 +1,9 @@
+#! /bin/sh
+
+. ../functions.sh
+
+n=$(jq_count output/eve.json 'select(.dns.rrtype != "MX")')
+assert_eq 0 $n "only expected mx records"
+
+exit 0
+
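Review bot: The comment `# Should be no answers.` in dns-udp-eve-log-answer-only/check.sh contradicts the assertion right below it, which counts dns records whose `.dns.type` is not `answer` — i.e. it verifies that no queries were logged; change it to `# Should be no queries.`. The assertion also passes vacuously when eve.json contains no dns events at all, so a regression that silently disables DNS logging would still turn this test green; consider a positive check as well, e.g. `n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type == "answer")')` followed by `[ "$n" -gt 0 ] || exit 1` (or `assert_eq` with the count expected from the pcap, if that count is known). Quoting the expansion in `assert_eq 0 "$n" "only answers expected"` keeps the argument positions stable if jq_count ever prints nothing.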
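Review bot: The jq filter in dns-udp-eve-log-mx-only/check.sh, `select(.dns.rrtype != "MX")`, is not restricted to dns events, unlike the sibling tests that first apply `select(.event_type == "dns")`; for any non-dns record `.dns` is null and `null != "MX"` is true, so the test would fail spuriously if the runner's base config ever emits another event type (stats, flow, etc.) into the same eve.json. Use `n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.rrtype != "MX")')` to match the other tests. As with the other checks, asserting only that the bad count is zero passes when nothing was logged at all, so a non-zero count of `.dns.rrtype == "MX"` records would make the test meaningful; quoting `"$n"` in the `assert_eq` call is also advisable.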
diff --git a/dns-udp-eve-log-mx-only/dns-udp-google.com-a-aaaa-mx.pcap b/dns-udp-eve-log-mx-only/dns-udp-google.com-a-aaaa-mx.pcap
new file mode 100644
index 000000000..def918f21
Binary files /dev/null and b/dns-udp-eve-log-mx-only/dns-udp-google.com-a-aaaa-mx.pcap differ
diff --git a/dns-udp-eve-log-mx-only/suricata.yaml b/dns-udp-eve-log-mx-only/suricata.yaml
new file mode 100644
index 000000000..af5d3f6fe
--- /dev/null
+++ b/dns-udp-eve-log-mx-only/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - dns:
+ custom: [mx]
diff --git a/dns-udp-eve-log-query-only/check.sh b/dns-udp-eve-log-query-only/check.sh
new file mode 100755
index 000000000..8fffed0ee
--- /dev/null
+++ b/dns-udp-eve-log-query-only/check.sh
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+. ../functions.sh
+
+# Should be no answers.
+n=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type != "query")')
+assert_eq 0 $n "only queries expected"
+
+exit 0
+
diff --git a/dns-udp-eve-log-query-only/dns-udp-google.com-a-aaaa-mx.pcap b/dns-udp-eve-log-query-only/dns-udp-google.com-a-aaaa-mx.pcap
new file mode 100644
index 000000000..def918f21
Binary files /dev/null and b/dns-udp-eve-log-query-only/dns-udp-google.com-a-aaaa-mx.pcap differ
diff --git a/dns-udp-eve-log-query-only/suricata.yaml b/dns-udp-eve-log-query-only/suricata.yaml
new file mode 100644
index 000000000..298b4f802
--- /dev/null
+++ b/dns-udp-eve-log-query-only/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - dns:
+ query: yes
+ answer: no
+
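Review bot: The assertion in dns-udp-eve-log-query-only/check.sh only proves the absence of non-query dns records, so it passes just as well when eve.json contains no dns events whatsoever — a broken DNS logger would not be caught by a "query only" test that never confirms a query was logged. Add a positive check after the existing one, e.g. `q=$(jq_count output/eve.json 'select(.event_type == "dns") | select(.dns.type == "query")')` and `[ "$q" -gt 0 ] || exit 1` (or `assert_eq` with the exact number of queries in the pcap, if known). Quote the expansion as `assert_eq 0 "$n" "only queries expected"` so an empty jq_count result cannot shift the arguments of the helper.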