From: Philippe Antoine
Date: Tue, 10 Sep 2024 13:30:06 +0000 (+0200)
Subject: dns: adds test for corrupt additionals
X-Git-Tag: suricata-7.0.9~88
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57a229798c1b0e6c50e73a11082298e1a7a417ef;p=thirdparty%2Fsuricata-verify.git
dns: adds test for corrupt additionals
Ticket: 7228
---
diff --git a/tests/dns/dns-corrupt-additionals/README.md b/tests/dns/dns-corrupt-additionals/README.md
new file mode 100644
index 000000000..180b0f40e
--- /dev/null
+++ b/tests/dns/dns-corrupt-additionals/README.md
@@ -0,0 +1,10 @@
+# Description
+
+Test logging of DNS with corrupt additionals
+
+https://redmine.openinfosecfoundation.org/issues/7228
+
+# PCAP
+
+The pcap is from https://redmine.openinfosecfoundation.org/issues/7228
+(crafted to corrupt additionals)
diff --git a/tests/dns/dns-corrupt-additionals/dns-events.rules b/tests/dns/dns-corrupt-additionals/dns-events.rules
new file mode 100644
index 000000000..9d4969cc4
--- /dev/null
+++ b/tests/dns/dns-corrupt-additionals/dns-events.rules
@@ -0,0 +1,12 @@
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;)
+alert dns any any -> any any (msg:"SURICATA DNS invalid additionals"; app-layer-event:dns.invalid_additionals; classtype:protocol-command-decode; sid:2240008; rev:1;)
+alert dns any any -> any any (msg:"SURICATA DNS invalid authorities"; app-layer-event:dns.invalid_authorities; classtype:protocol-command-decode; sid:2240009; rev:1;)
diff --git a/tests/dns/dns-corrupt-additionals/input.pcap b/tests/dns/dns-corrupt-additionals/input.pcap
new file mode 100644
index 000000000..6afd8a392
Binary files /dev/null and b/tests/dns/dns-corrupt-additionals/input.pcap differ
diff --git a/tests/dns/dns-corrupt-additionals/test.yaml b/tests/dns/dns-corrupt-additionals/test.yaml
new file mode 100644
index 000000000..c060efd99
--- /dev/null
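Review bot: The two events added at the end of the hunk, `dns.invalid_additionals` (sid 2240008) and `dns.invalid_authorities` (sid 2240009), are the only rules in this file without the explanatory comment every other event carries, so a reader has to guess what distinguishes them from the generic `dns.malformed_data` of 2240002/2240003. Add `# Additionals section could not be parsed (rest of the message still decoded)` above 2240008 and `# Authorities section could not be parsed (rest of the message still decoded)` above 2240009, adjusting the parenthetical if the decoder does not in fact keep the rest of the message. These two events presumably exist only in Suricata 8, which would also explain the `min-version: 8` in the accompanying test.yaml; a one-line comment stating that here would save the next person from trying to load this rules file on a 7.x build.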
+++ b/tests/dns/dns-corrupt-additionals/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.answers[0].rrname: "_sip._udp.sip.voice.google.com"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2240008
+ dns.queries[0].rrtype: SRV
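Review bot: The two checks pin that the response is still logged with its SRV answer and that sid 2240008 (`dns.invalid_additionals`) fires, but nothing asserts that the corrupt additional section is no longer reported as generic malformed data; if the point of ticket 7228 is that a bad additionals section must not mark the whole message malformed, the test passes today even if 2240003 also fires. Add a negative check alongside the existing ones: `- filter:` / `count: 0` / `match: {event_type: alert, alert.signature_id: 2240003}`, and consider the same `count: 0` for sid 2240009 so the event is attributed to the additionals rather than the authorities. The `min-version: 8` requirement has no comment; a short `# dns.invalid_additionals event is only emitted by 8.x` (if that is indeed the reason) would make the gate self-explanatory. The `-k none` argument is expected for a crafted pcap with unset checksums and needs no change.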