From: Jason Ish
Date: Fri, 21 Feb 2025 21:29:54 +0000 (-0600)
Subject: tests/dns: coverage for cname, ptr and mx rdata
X-Git-Tag: suricata-7.0.9~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=424126d609a8ec885f84a22ab2d9f9a7d10c9b39;p=thirdparty%2Fsuricata-verify.git

tests/dns: coverage for cname, ptr and mx rdata
---
diff --git a/pcaps/20250221-dns-ptr.pcap b/pcaps/20250221-dns-ptr.pcap
new file mode 100644
index 000000000..9dba8d2d3
Binary files /dev/null and b/pcaps/20250221-dns-ptr.pcap differ
diff --git a/pcaps/20250221-dns-ptr.pcap.txt b/pcaps/20250221-dns-ptr.pcap.txt
new file mode 100644
index 000000000..399f478c2
--- /dev/null
+++ b/pcaps/20250221-dns-ptr.pcap.txt
@@ -0,0 +1 @@
+PCAP generated for the purpose of testing the rdata in a PTR response.
diff --git a/tests/dns/dns-ptr/README.md b/tests/dns/dns-ptr/README.md
new file mode 100644
index 000000000..328936a46
--- /dev/null
+++ b/tests/dns/dns-ptr/README.md
@@ -0,0 +1 @@
+Test DNS PTR response.
diff --git a/tests/dns/dns-ptr/test.rules b/tests/dns/dns-ptr/test.rules
new file mode 100644
index 000000000..3f4ef3ecb
--- /dev/null
+++ b/tests/dns/dns-ptr/test.rules
@@ -0,0 +1,2 @@
+# suricata.io only exists in the rdata of a ptr record
+alert dns any any -> any any (dns.response.rrname; content:"suricata.io"; sid:1;)
diff --git a/tests/dns/dns-ptr/test.yaml b/tests/dns/dns-ptr/test.yaml
new file mode 100644
index 000000000..563f29b05
--- /dev/null
+++ b/tests/dns/dns-ptr/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ min-version: 8
+
+pcap: ../../../pcaps/20250221-dns-ptr.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
diff --git a/tests/dns/dns-query-name/test.rules b/tests/dns/dns-query-name/test.rules
index 756e3b895..36c697177 100644
--- a/tests/dns/dns-query-name/test.rules
+++ b/tests/dns/dns-query-name/test.rules
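Review bot: The new rule in tests/dns/dns-ptr/test.rules has no `rev` keyword, while the two other rules this commit adds (sid:4 in dns-query-name/test.rules and sid:1 in dns-response-mx/test.rules) both end with `rev:1;`; for consistency it should read `alert dns any any -> any any (dns.response.rrname; content:"suricata.io"; sid:1; rev:1;)`. The comment above it describes a property of the binary pcap (where the string occurs) rather than anything the rule enforces, and the capture cannot be reviewed here. Naming the capture in the comment, e.g. `# suricata.io appears only in the PTR answer rdata of 20250221-dns-ptr.pcap, not in the query name - confirm when regenerating`, records the invariant a future pcap change has to keep.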
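Review bot: The single check in tests/dns/dns-ptr/test.yaml counts one alert for signature_id 1, which shows the content matched somewhere but not that it matched the PTR rdata the README and rules comment describe. Since the rule is a substring search on `dns.response.rrname`, a hit on any other name in the response would satisfy the same `count: 1`. A second filter on `event_type: dns` asserting the expected record type would tie the alert to the PTR answer; the exact field path depends on the eve dns format in the required version, so confirm it before adding. The `min-version: 8` requirement is presumably there because `dns.response.rrname` is not available in older releases; a one-line comment saying so would save the next reader a lookup.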
@@ -6,3 +6,6 @@ alert dns any any -> any any (dns.queries.rrname; content:"suricata"; flow:to_se
 # Only alert on responses.
 alert dns any any -> any any (dns.queries.rrname; content:"suricata"; flow:to_client; sid:3; rev:1;)
+
+alert dns any any -> any any (dns.response.rrname; content:"suricata-ids.org"; sid:4; rev:1;)
+
diff --git a/tests/dns/dns-query-name/test.yaml b/tests/dns/dns-query-name/test.yaml
index 5b8f9e4e3..f7b53b10e 100644
--- a/tests/dns/dns-query-name/test.yaml
+++ b/tests/dns/dns-query-name/test.yaml
@@ -26,3 +26,7 @@ checks:
 match:
 alert.signature_id: 3
 direction: to_client
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 4
diff --git a/tests/dns/dns-response-mx/suricata.yaml b/tests/dns/dns-response-mx/suricata.yaml
new file mode 100644
index 000000000..8654eb08e
--- /dev/null
+++ b/tests/dns/dns-response-mx/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ - dns:
+ types: [mx]
diff --git a/tests/dns/dns-response-mx/test.rules b/tests/dns/dns-response-mx/test.rules
new file mode 100644
index 000000000..da1d7ffa8
--- /dev/null
+++ b/tests/dns/dns-response-mx/test.rules
@@ -0,0 +1,2 @@
+# only exists in mx rdata
+alert dns any any -> any any (dns.response.rrname; content:"aspmx.l.google.com"; sid:1; rev:1;)
diff --git a/tests/dns/dns-response-mx/test.yaml b/tests/dns/dns-response-mx/test.yaml
new file mode 100644
index 000000000..3bf9a7dc5
--- /dev/null
+++ b/tests/dns/dns-response-mx/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ min-version: 8
+
+pcap: ../../dns/dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
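Review bot: The sid:4 rule added to tests/dns/dns-query-name/test.rules carries no comment saying which record its content is expected in, whereas the comparable rules added in dns-ptr/test.rules and dns-response-mx/test.rules each state which rdata the string lives in. Given the commit subject lists cname coverage and no other hunk mentions it, this is presumably the CNAME case; a line such as `# suricata-ids.org is expected only in the CNAME rdata of the response - confirm against the pcap` above the rule would make that explicit. The hunk also appends a trailing empty line after the rule (the last `+` line), which the existing rules in this hunk do not have.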
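Review bot: The new sid:4 check in tests/dns/dns-query-name/test.yaml asserts only `alert.signature_id: 4`, while the preceding sid:3 check in the same hunk also pins `direction: to_client`. The sid:4 rule has no flow keyword and matches on `dns.response.rrname`, so adding `direction: to_client` under its `match:` would assert that the alert was raised on the response rather than on a query packet, consistent with the existing check.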
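Review bot: The eve `dns:` output added in tests/dns/dns-response-mx/suricata.yaml restricts logging to `types: [mx]`, but tests/dns/dns-response-mx/test.yaml in this same commit checks only an alert, so nothing consumes the dns events this section produces. Either the dns output is unnecessary for the test or a check is missing; a filter with `count: 1` on `event_type: dns` (plus the expected record-type field for the eve dns format in use, to be confirmed) would make the mx-only logging verifiable. If the section is kept without a check, a comment stating why it is configured would help the next maintainer.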
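Review bot: The comment `# only exists in mx rdata` in tests/dns/dns-response-mx/test.rules is an assumption about the reused capture rather than something the rule enforces. If the response also carried address records for the MX targets, `aspmx.l.google.com` would appear as an answer rrname too, and the `count: 1` check in test.yaml could pass without exercising the MX rdata path; whether that is the case cannot be told from this hunk. Rewording the comment to state the assumption explicitly, e.g. `# aspmx.l.google.com appears only in the MX rdata of the reused pcap, not as an answer name - confirm if the pcap is replaced`, records what future pcap changes must preserve.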
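Review bot: The `pcap:` entry in tests/dns/dns-response-mx/test.yaml points into a sibling test's directory (`../../dns/dns-udp-eve-log-answer-only/...`), whereas the PTR test added in this same commit keeps its capture under `pcaps/`; renaming or removing that sibling test would break this one for an unrelated reason. Moving or copying the capture to `pcaps/` and referencing it as dns-ptr/test.yaml does keeps the tests independent. If the shared path is kept, note that from tests/dns/dns-response-mx the prefix `../../dns/` resolves back into tests/dns/, so `../dns-udp-eve-log-answer-only/dns-udp-google.com-a-aaaa-mx.pcap` is the direct form.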