From: Nathan Scrivens
Date: Tue, 20 Aug 2024 00:40:31 +0000 (-0400)
Subject: tests: add test for 7012
X-Git-Tag: suricata-7.0.9~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e4f21f06769b31b86e4d98e71931466f3fb34e9;p=thirdparty%2Fsuricata-verify.git

tests: add test for 7012
---

diff --git a/tests/dns/dns-response-sticky-buffer/README.md b/tests/dns/dns-response-sticky-buffer/README.md
new file mode 100644
index 000000000..413a47f9b
--- /dev/null
+++ b/tests/dns/dns-response-sticky-buffer/README.md
@@ -0,0 +1,4 @@
+Test the 'dns.response' sticky buffer.
+
+This test verifies that data in a name field or an rdata field
+of a DNS response will trigger a signature.
\ No newline at end of file
diff --git a/tests/dns/dns-response-sticky-buffer/test.rules b/tests/dns/dns-response-sticky-buffer/test.rules
new file mode 100644
index 000000000..7b042d98b
--- /dev/null
+++ b/tests/dns/dns-response-sticky-buffer/test.rules
@@ -0,0 +1,5 @@
+# Will alert on name field of Query section in response
+alert dns any any -> any any (dns.response; content: "dne.oisf.net"; sid:1; rev:1;)
+
+# Will alert on rdata field of Authority section in response
+alert dns any any -> any any (dns.response; content: "ns-110.awsdns-13.com"; sid:2; rev:1;)
diff --git a/tests/dns/dns-response-sticky-buffer/test.yaml b/tests/dns/dns-response-sticky-buffer/test.yaml
new file mode 100644
index 000000000..eda8c5289
--- /dev/null
+++ b/tests/dns/dns-response-sticky-buffer/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+pcap: ../../dns-eve-v2-udp-nxdomain-soa/dns-udp-nxdomain-soa.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+        direction: to_client
+        app_proto: dns
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 2
+        direction: to_client
+        app_proto: dns
+
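Review bot: The comments on sid 1 and sid 2 claim the match comes from a specific section (the Query name, the Authority rdata), but `dns.response` is described in the README as one buffer over every name and rdata field of the response, so the test would pass just as well if the string were found in some other field; these checks do not prove section-level extraction. Reword the comments to state the expectation rather than a guarantee, e.g. `# Expected to match the QNAME of the Query section; dns.response covers all name/rdata fields of the response` and the analogous line for sid 2. DNS names are also case-insensitive on the wire, so both contents match only the exact case present in this pcap; that is fine for a fixture, but if these rules are meant to be copied as an example, `nocase` is the defensive choice and a comment saying why it is omitted here avoids that confusion.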
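Review bot: The two filters only assert that each sid fires exactly once to_client; nothing bounds the total number of alerts, so an extra alert — sid 1 also firing on the query side, or the same match being reported twice — would not be caught. Adding an overall `event_type: alert` count and an explicit zero count for `direction: to_server` (the harness appears to accept `count: 0` filters, worth confirming) makes the negative side of the test explicit, which is the part that matters for a sticky buffer that is supposed to be response-only. The pcap is borrowed from `../../dns-eve-v2-udp-nxdomain-soa/`, which couples this test to that directory's name; a one-line `# pcap shared with dns-eve-v2-udp-nxdomain-soa` comment above `pcap:` would make the dependency visible.
```yaml
checks:
  # … unchanged: the two per-sid filters …
  - filter:
      count: 2
      match:
        event_type: alert
  - filter:
      count: 0
      match:
        event_type: alert
        direction: to_server
```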