From: Jason Ish
Date: Wed, 19 Feb 2025 21:23:09 +0000 (-0600)
Subject: dns tests: update for keyword name changes
X-Git-Tag: suricata-7.0.9~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae44e9877d14c0832ccdc7001c9a767bffc2cf49;p=thirdparty%2Fsuricata-verify.git

dns tests: update for keyword name changes

- dns.query.name -> dns.queries.rrname
- dns.answer.name -> dns.answers.rrname
---
diff --git a/tests/dns/dns-additionals-rrname/test.rules b/tests/dns/dns-additionals-rrname/test.rules
index 8941fdcbc..63eabfe99 100644
--- a/tests/dns/dns-additionals-rrname/test.rules
+++ b/tests/dns/dns-additionals-rrname/test.rules
@@ -1,4 +1,4 @@
-alert dns any any -> any any (dns.query.name; content:"suricata.io"; sid:1; rev:1;)
+alert dns any any -> any any (dns.queries.rrname; content:"suricata.io"; sid:1; rev:1;)
 alert dns any any -> any any (dns.authorities.rrname; content:"io"; sid:2; rev:1;)
 alert dns any any -> any any (dns.additionals.rrname; content:"a0.nic.io"; sid:3; rev:1;)
 alert dns any any -> any any (dns.additionals.rrname; content:"c0.nic.io"; sid:4; rev:1;)
diff --git a/tests/dns/dns-answer-name/README.md b/tests/dns/dns-answer-name/README.md
index bf5513fec..7a5117c08 100644
--- a/tests/dns/dns-answer-name/README.md
+++ b/tests/dns/dns-answer-name/README.md
@@ -1,4 +1,4 @@
-Test the `dns.answer.name` sticky buffer.
+Test the `dns.answers.rrname` sticky buffer.
 The PCAP here was a request created with Scapy to include answers in the request. However the response is from a real DNS server with the
diff --git a/tests/dns/dns-answer-name/test.rules b/tests/dns/dns-answer-name/test.rules
index 0544ae163..e6b01526f 100644
--- a/tests/dns/dns-answer-name/test.rules
+++ b/tests/dns/dns-answer-name/test.rules
@@ -1,8 +1,8 @@
 # Should alert in both directions as no flow is provided.
-alert dns any any -> any any (dns.answer.name; content:"oisf"; sid:1; rev:1;)
+alert dns any any -> any any (dns.answers.rrname; content:"oisf"; sid:1; rev:1;)
 
 # Should only alert in the request direction.
-alert dns any any -> any any (dns.answer.name; content:"oisf"; flow:to_server; sid:2; rev:1;)
+alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_server; sid:2; rev:1;)
 
 # Should only alert in the response direction.
-alert dns any any -> any any (dns.answer.name; content:"oisf"; flow:to_client; sid:3; rev:1;)
+alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_client; sid:3; rev:1;)
diff --git a/tests/dns/dns-query-name/README.md b/tests/dns/dns-query-name/README.md
index 59e9c46be..3d231f148 100644
--- a/tests/dns/dns-query-name/README.md
+++ b/tests/dns/dns-query-name/README.md
@@ -1 +1 @@
-Test the `dns.query.name` sticky buffer.
+Test the `dns.queries.rrname` sticky buffer.
diff --git a/tests/dns/dns-query-name/test.rules b/tests/dns/dns-query-name/test.rules
index 3657ec7ee..756e3b895 100644
--- a/tests/dns/dns-query-name/test.rules
+++ b/tests/dns/dns-query-name/test.rules
@@ -1,8 +1,8 @@
 # Will alert in both directions as no direction is specified.
-alert dns any any -> any any (dns.query.name; content:"suricata"; sid:1; rev:1;)
+alert dns any any -> any any (dns.queries.rrname; content:"suricata"; sid:1; rev:1;)
 
 # Only alert on requests.
-alert dns any any -> any any (dns.query.name; content:"suricata"; flow:to_server; sid:2; rev:1;)
+alert dns any any -> any any (dns.queries.rrname; content:"suricata"; flow:to_server; sid:2; rev:1;)
 
 # Only alert on responses.
-alert dns any any -> any any (dns.query.name; content:"suricata"; flow:to_client; sid:3; rev:1;)
+alert dns any any -> any any (dns.queries.rrname; content:"suricata"; flow:to_client; sid:3; rev:1;)
diff --git a/tests/dns/task-7018-ids-dns-keywords/README.md b/tests/dns/task-7018-ids-dns-keywords/README.md
index 73b7cf430..e79d52f2e 100644
--- a/tests/dns/task-7018-ids-dns-keywords/README.md
+++ b/tests/dns/task-7018-ids-dns-keywords/README.md
@@ -12,7 +12,7 @@ Query 1: suricata.io
 Query 2: oisf.net
 Query 3: suricata.org
 
-We match those against a single rule with `dns.query.name` and inspecting
+We match those against a single rule with `dns.queries.rrname` and inspecting
 content `suricata`, so the expectation is to have 4 alerts.
 
 ## Related issues
diff --git a/tests/dns/task-7018-ids-dns-keywords/test.rules b/tests/dns/task-7018-ids-dns-keywords/test.rules
index 4ba624ad9..aff249e7e 100644
--- a/tests/dns/task-7018-ids-dns-keywords/test.rules
+++ b/tests/dns/task-7018-ids-dns-keywords/test.rules
@@ -1 +1 @@
-alert dns any any -> any any (msg:"DNS suricata query.name"; dns.query.name; content:"suricata"; sid:1; rev:1;)
+alert dns any any -> any any (msg:"DNS suricata query.name"; dns.queries.rrname; content:"suricata"; sid:1; rev:1;)
diff --git a/tests/dns/task-7018-ips-dns-keywords/README.md b/tests/dns/task-7018-ips-dns-keywords/README.md
index 0178fdac9..d88923d80 100644
--- a/tests/dns/task-7018-ips-dns-keywords/README.md
+++ b/tests/dns/task-7018-ips-dns-keywords/README.md
@@ -14,7 +14,7 @@ Query 1: suricata.io
 Query 2: oisf.net
 Query 3: suricata.org
 
-We match those against a single rule with `dns.query.name` and inspecting
+We match those against a single rule with `dns.queries.rrname` and inspecting
 content `suricata`, so the expectation is to have 4 alerts.
 
 ## Related issues
diff --git a/tests/dns/task-7018-ips-dns-keywords/test.rules b/tests/dns/task-7018-ips-dns-keywords/test.rules
index 4ba624ad9..aff249e7e 100644
--- a/tests/dns/task-7018-ips-dns-keywords/test.rules
+++ b/tests/dns/task-7018-ips-dns-keywords/test.rules
@@ -1 +1 @@
-alert dns any any -> any any (msg:"DNS suricata query.name"; dns.query.name; content:"suricata"; sid:1; rev:1;)
+alert dns any any -> any any (msg:"DNS suricata query.name"; dns.queries.rrname; content:"suricata"; sid:1; rev:1;)
diff --git a/tests/lua/lua-base64/test.rules b/tests/lua/lua-base64/test.rules
index 23b702759..f1bf9ac73 100644
--- a/tests/lua/lua-base64/test.rules
+++ b/tests/lua/lua-base64/test.rules
@@ -1,3 +1,3 @@
 alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
- dns.query.name; content: "www.suricata-ids.org"; \
+ dns.queries.rrname; content: "www.suricata-ids.org"; \
  lua:rule.lua; sid:1; rev:1;)
diff --git a/tests/lua/lua-hashlib/test.rules b/tests/lua/lua-hashlib/test.rules
index eef4c1fac..bc91123e1 100644
--- a/tests/lua/lua-hashlib/test.rules
+++ b/tests/lua/lua-hashlib/test.rules
@@ -1,3 +1,3 @@
 alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
- dns.query.name; content: "www.suricata-ids.org"; \
+ dns.queries.rrname; content: "www.suricata-ids.org"; \
  lua:test-hashing.lua; sid:1; rev:1;)