From: Jason Ish
Date: Mon, 15 Mar 2021 20:56:13 +0000 (-0600)
Subject: dns-udp-unsolicited-response: dns eve v1 and v2 tests
X-Git-Tag: suricata-6.0.4~112
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdc3022a216e277600a85aec1a4dfa7c0dfe5b42;p=thirdparty%2Fsuricata-verify.git

dns-udp-unsolicited-response: dns eve v1 and v2 tests
---
diff --git a/tests/dns-udp-unsolicited-response-v1/README.md b/tests/dns-udp-unsolicited-response-v1/README.md
new file mode 100644
index 000000000..e202ff97b
--- /dev/null
+++ b/tests/dns-udp-unsolicited-response-v1/README.md
@@ -0,0 +1,11 @@
+Test the following sequence of DNS messages on a flow:
+
+- DNS request with ID 0x99ab.
+- DNS response with ID 0x9941 (unsolicited response).
+- DNS response with ID 0x99ab (expected response).
+
+Check that all 3 DNS message are logged, and that an unsolicted dns
+response event is logged.
+
+NOTE: Unsolicited responses do not exist with the Rust DNS parser as
+it doesn't correlate responses with requests.
diff --git a/tests/dns-udp-unsolicited-response-v1/dns-response-2x.pcap b/tests/dns-udp-unsolicited-response-v1/dns-response-2x.pcap
new file mode 100644
index 000000000..bad14f669
Binary files /dev/null and b/tests/dns-udp-unsolicited-response-v1/dns-response-2x.pcap differ
diff --git a/tests/dns-udp-unsolicited-response-v1/suricata.yaml b/tests/dns-udp-unsolicited-response-v1/suricata.yaml
new file mode 100644
index 000000000..f4b03a5c5
--- /dev/null
+++ b/tests/dns-udp-unsolicited-response-v1/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ filename: eve.json
+ types:
+ - alert
+ - dns:
+ version: 1
diff --git a/tests/dns-udp-unsolicited-response-v1/test.yaml b/tests/dns-udp-unsolicited-response-v1/test.yaml
new file mode 100644
index 000000000..60334a519
--- /dev/null
+++ b/tests/dns-udp-unsolicited-response-v1/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ lt-version: 7
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: answer
diff --git a/tests/dns-udp-unsolicited-response/suricata.yaml b/tests/dns-udp-unsolicited-response/suricata.yaml
index f4b03a5c5..43de9cdb6 100644
--- a/tests/dns-udp-unsolicited-response/suricata.yaml
+++ b/tests/dns-udp-unsolicited-response/suricata.yaml
@@ -8,4 +8,3 @@ outputs:
 types:
 - alert
 - dns:
- version: 1
diff --git a/tests/dns-udp-unsolicited-response/test.yaml b/tests/dns-udp-unsolicited-response/test.yaml
index e26348f01..b19fa65e7 100644
--- a/tests/dns-udp-unsolicited-response/test.yaml
+++ b/tests/dns-udp-unsolicited-response/test.yaml
@@ -1,7 +1,3 @@
-requires:
- features:
- - HAVE_LIBJANSSON
-
 checks:
 - filter:
 count: 1
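Review bot: The new v1 test.yaml only asserts message counts (one `dns.type: query`, two `dns.type: answer`) and never checks for the unsolicited-response event that the README added in this same commit says the test verifies, so a regression in that detection would still pass. Either a third `filter` keyed on the event or alert that the unsolicited response produces should be added (the exact field and signature are not visible in this diff), or the README sentence promising that check should be dropped so the test and its description agree. The `lt-version: 7` requirement presumably reflects that this setup only makes sense where the eve dns v1 output and request/response correlation still exist, as the README's note about the Rust parser suggests; a one-line comment above `requires:` stating that, e.g. `# dns eve v1 output and unsolicited-response detection are not available in newer versions; see README.md`, would spare the next reader a trip to the README. Note also that this file keeps the `HAVE_LIBJANSSON` feature requirement while the sibling tests/dns-udp-unsolicited-response/test.yaml drops it in this commit; if that requirement is obsolete it is probably obsolete here too.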