From: Jason Ish Date: Thu, 27 Jun 2024 23:30:50 +0000 (-0600) Subject: tests: update dns checks for v3 format in alerts X-Git-Tag: suricata-7.0.7~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65977e7d1fa2bdd5095a981b3b702dd3a0633b06;p=thirdparty%2Fsuricata-verify.git tests: update dns checks for v3 format in alerts --- diff --git a/tests/dns-z-bit/test.yaml b/tests/dns-z-bit/test.yaml index bb5c377dd..5037e0497 100644 --- a/tests/dns-z-bit/test.yaml +++ b/tests/dns-z-bit/test.yaml @@ -9,11 +9,21 @@ checks: dns.type: query dns.z: true - filter: + requires: + lt-version: 8 count: 1 match: event_type: alert alert.signature_id: 2240006 dns.query[0].z: true +- filter: + requires: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 2240006 + dns.z: true - filter: count: 1 match: diff --git a/tests/dns/dns-invalid-opcode/test.yaml b/tests/dns/dns-invalid-opcode/test.yaml index de64bae65..fc5575f53 100644 --- a/tests/dns/dns-invalid-opcode/test.yaml +++ b/tests/dns/dns-invalid-opcode/test.yaml @@ -37,6 +37,44 @@ checks: # Generated checks below. - filter: + min-version: 8 + count: 1 + match: + alert.action: allowed + alert.category: Generic Protocol Command Decode + alert.gid: 1 + alert.rev: 1 + alert.severity: 3 + alert.signature: SURICATA DNS Invalid opcode + alert.signature_id: 2240007 + app_proto: dns + dest_ip: 2.2.2.2 + dest_port: 53 + direction: to_server + dns.id: 1 + dns.opcode: 9 + dns.queries[0].rrname: suricata.io + dns.queries[0].rrtype: A + dns.tx_id: 0 + dns.type: request + event_type: alert + flow.bytes_toclient: 0 + flow.bytes_toserver: 71 + flow.dest_ip: 2.2.2.2 + flow.dest_port: 53 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + flow.src_ip: 1.1.1.1 + flow.src_port: 5333 + pcap_cnt: 1 + pkt_src: wire/pcap + proto: UDP + src_ip: 1.1.1.1 + src_port: 5333 + tx_id: 0 + +- filter: + lt-version: 8 count: 1 match: alert.action: allowed 
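Review bot: In the dns-invalid-opcode hunk the version gates sit directly under `filter:` — `min-version: 8` right after the first `- filter:` and `lt-version: 8` right after the added `- filter:` — with no `requires:` key, unlike every other gated check in this commit (the dns-z-bit hunk and the second dns-invalid-opcode hunk both wrap them in `requires:`). If the suricata-verify runner only reads version constraints from `requires`, neither gate takes effect, both the v3 and the pre-v3 request checks run on every version, and one of them fails its `count: 1`. Each gate should become `requires:` with `min-version: 8` (respectively `lt-version: 8`) nested under it, matching the second hunk. The pre-8 check whose `match:` begins at the end of this hunk continues outside the hunk.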
@@ -105,6 +143,48 @@ checks: src_ip: 1.1.1.1 src_port: 5333 - filter: + requires: + min-version: 8 + count: 1 + match: + alert.action: allowed + alert.category: Generic Protocol Command Decode + alert.gid: 1 + alert.rev: 1 + alert.severity: 3 + alert.signature: SURICATA DNS Invalid opcode + alert.signature_id: 2240007 + app_proto: dns + dest_ip: 1.1.1.1 + dest_port: 5333 + direction: to_client + dns.flags: c800 + dns.id: 1 + dns.opcode: 9 + dns.qr: true + dns.rcode: NOERROR + dns.answers[0].rrname: suricata.io + dns.answers[0].rrtype: A + dns.type: response + dns.version: 3 + event_type: alert + flow.bytes_toclient: 98 + flow.bytes_toserver: 71 + flow.dest_ip: 2.2.2.2 + flow.dest_port: 53 + flow.pkts_toclient: 1 + flow.pkts_toserver: 1 + flow.src_ip: 1.1.1.1 + flow.src_port: 5333 + pcap_cnt: 2 + pkt_src: wire/pcap + proto: UDP + src_ip: 2.2.2.2 + src_port: 53 + tx_id: 1 +- filter: + requires: + lt-version: 8 count: 1 match: alert.action: allowed diff --git a/tests/dns/dns-rcode/test.yaml b/tests/dns/dns-rcode/test.yaml index 412f042e3..c07a83661 100644 --- a/tests/dns/dns-rcode/test.yaml +++ b/tests/dns/dns-rcode/test.yaml @@ -11,7 +11,7 @@ checks: direction: to_client app_proto: dns event_type: alert - dns.answer.rcode: NXDOMAIN + dns.rcode: NXDOMAIN src_ip: 8.8.4.4 src_port: 53 - filter: @@ -23,7 +23,7 @@ checks: direction: to_client app_proto: dns event_type: alert - dns.answer.rcode: NXDOMAIN + dns.rcode: NXDOMAIN src_ip: 8.8.4.4 src_port: 53 - filter: diff --git a/tests/dns/dns-rrtype/README.md b/tests/dns/dns-rrtype/README.md index 24b8c574f..4bb5647fc 100644 --- a/tests/dns/dns-rrtype/README.md +++ b/tests/dns/dns-rrtype/README.md @@ -2,4 +2,4 @@ Test the `dns.rrtype` value. The PCAP here was reused from ./tests/dns/dns-eve-empty-format/input.pcap -Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6666 \ No newline at end of file +Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6666 
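Review bot: The response-side v3 check in the dns-invalid-opcode hunk pins `dns.version: 3` and `dns.flags: c800`, but the request-side v3 check added earlier in the same file asserts neither, so only the response direction would catch a regression to the pre-v3 alert layout. If the request object carries `version` in the v3 format as well, adding `dns.version: 3` to that check would make both directions pin the format this commit is testing. The `lt-version: 8` check whose `match:` starts at the end of this hunk continues outside the hunk.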
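Review bot: Both dns-rcode hunks replace `dns.answer.rcode: NXDOMAIN` with `dns.rcode: NXDOMAIN` in place, with no `lt-version` / `min-version` split, whereas the other tests in this commit keep a pre-8 check alongside the new one. Unless this test already carries a top-level `requires` restricting it to 8.x above the hunk (not visible here), `dns.rcode` is presumably absent from 7.x alert output and each `count: 1` fails there. Either add the gated pair as in dns-rrtype — the old key under `requires:` / `lt-version: 8`, the new key under `min-version: 8` — or record in the test's README why it is 8-only.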
diff --git a/tests/dns/dns-rrtype/test.yaml b/tests/dns/dns-rrtype/test.yaml index ca8b156f0..d706bfcd6 100644 --- a/tests/dns/dns-rrtype/test.yaml +++ b/tests/dns/dns-rrtype/test.yaml @@ -5,6 +5,22 @@ pcap: ../dns-eve-empty-format/input.pcap checks: - filter: + requires: + min-version: 8 + count: 1 + match: + alert.signature_id: 1 + dest_ip: 10.16.1.1 + dest_port: 53 + direction: to_server + app_proto: dns + event_type: alert + dns.queries[0].rrtype: A + src_ip: 10.16.1.11 + src_port: 57634 + - filter: + requires: + lt-version: 8 count: 1 match: alert.signature_id: 1 @@ -25,7 +41,7 @@ checks: direction: to_client app_proto: dns event_type: alert - dns.answer.rrtype: A + dns.answers[0].rrtype: A src_ip: 10.16.1.1 src_port: 53 - filter: @@ -37,6 +53,6 @@ checks: direction: to_client app_proto: dns event_type: alert - dns.answer.rrtype: A + dns.answers[0].rrtype: A src_ip: 10.16.1.1 src_port: 53
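Review bot: In dns-rrtype the to_server check was duplicated with `requires: min-version: 8` / `lt-version: 8`, but the two to_client checks in the last two hunks are changed in place from `dns.answer.rrtype: A` to `dns.answers[0].rrtype: A`. On a 7.x run, where the old key was the one matched before this commit, `dns.answers[0].rrtype` would presumably not resolve and the `count: 1` fails, unless the test as a whole is already restricted to 8.x somewhere not visible here. For consistency with the first hunk of this file, keep `dns.answer.rrtype: A` under `lt-version: 8` and put `dns.answers[0].rrtype: A` under `min-version: 8`.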