From: Jason Ish
Date: Thu, 24 Jan 2019 16:51:31 +0000 (-0600)
Subject: dns test: add check for dns object in alert
X-Git-Tag: suricata-6.0.4~479
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9687a3aeddfae8925213ff6a843137afcb8f01c;p=thirdparty%2Fsuricata-verify.git

dns test: add check for dns object in alert

Extend an existing test to check that the DNS object exists on a DNS alert.
---
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml
index 0bf62d28f..5196815b3 100644
--- a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml
+++ b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml
@@ -7,6 +7,7 @@ outputs:
   - eve-log:
       enabled: true
       types:
+        - alert:
         - dns:
             enabled: true
             version: 2
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules
new file mode 100644
index 000000000..6d7050afa
--- /dev/null
+++ b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (msg:"TEST dns_query"; dns_query; content:"suricata-ids.org"; sid:1; rev:1;)
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml
index e905bdef6..da4a87854 100644
--- a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml
+++ b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml
@@ -2,8 +2,6 @@ requires:
   features:
     - HAVE_LIBJANSSON
   min-version: 4.1.0
-  script:
-    - grep OutputAnswerV2 src/output-json-dns.c > /dev/null 2>&1
 
 checks:
 
@@ -24,3 +22,11 @@ checks:
       dns.answers[0].rrtype: CNAME
       dns.answers[1].rrtype: A
       dns.answers[2].rrtype: A
+
+  # Check that the alert contains a DNS object.
+  - filter:
+      count: 1
+      comment: alert with dns object
+      match:
+        event_type: alert
+        dns.query[0].type: query
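Review bot: The new filter in the second test.yaml hunk is not tied to the rule this commit adds, because its `match` names only `event_type: alert` and `dns.query[0].type: query`, so an alert raised by any other rule with a DNS query object would satisfy it; add `alert.signature_id: 1` under `match` so the check fails unless it is the sid:1 alert from test.rules. It would also be worth pinning the queried name, e.g. `dns.query[0].rrname: www.suricata-ids.org` (presumably the name in the capture, judging by the test directory name and the existing answer checks above, which are outside this hunk), so the check proves the DNS object carries the query and not just a type field. With `count: 1` the check additionally fails if the rule fires more than once on the capture; that looks intended but the comment could say so, e.g. `# Exactly one alert from sid:1, and it must carry the DNS query object.`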