From: Jason Ish
Date: Wed, 20 Dec 2017 20:26:31 +0000 (-0600)
Subject: new test for dns lua detect
X-Git-Tag: suricata-6.0.4~559
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cda6ab1d1e9a2bdd06cb76f34e889524318f144c;p=thirdparty%2Fsuricata-verify.git
new test for dns lua detect
Tests:
- dns.rrname
- dns.request
- dns.response
---
diff --git a/tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap b/tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap
new file mode 100644
index 000000000..663a6797f
Binary files /dev/null and b/tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap differ
diff --git a/tests/dns-lua-rules/suricata.yaml b/tests/dns-lua-rules/suricata.yaml
new file mode 100644
index 000000000..51af22dfa
--- /dev/null
+++ b/tests/dns-lua-rules/suricata.yaml
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
diff --git a/tests/dns-lua-rules/test-request.lua b/tests/dns-lua-rules/test-request.lua
new file mode 100644
index 000000000..281bff1e6
--- /dev/null
+++ b/tests/dns-lua-rules/test-request.lua
@@ -0,0 +1,52 @@
+function init (args)
+ local needs = {}
+ needs["dns.request"] = tostring(true)
+ return needs
+end
+
+function count(t)
+ local count = 0
+ for _ in pairs(t) do
+ count = count + 1
+ end
+ return count
+end
+
+function match(args)
+ if DnsGetTxid() ~= 36146 then
+ return 0
+ end
+
+ -- The requested name.
+ local rrname = DnsGetDnsRrname()
+ if rrname ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ -- Queries
+ local queries = DnsGetQueries()
+ if queries == nil then return 0 end
+
+ -- There should only be one query.
+ if count(queries) ~= 1 then return 0 end
+
+ local query = queries[0]
+
+ if query["type"] ~= "A" then
+ return 0
+ end
+
+ if query["rrname"] ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ local answers = DnsGetAnswers()
+ if answers == nil then return 0 end
+ if count(answers) ~= 0 then return 0 end
+
+ local authorities = DnsGetAuthorities()
+ if authorities == nil then return 0 end
+ if count(authorities) ~= 0 then return 0 end
+
+ return 1
+end
diff --git a/tests/dns-lua-rules/test-response.lua b/tests/dns-lua-rules/test-response.lua
new file mode 100644
index 000000000..ebf13043a
--- /dev/null
+++ b/tests/dns-lua-rules/test-response.lua
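Review bot: `function count(t)` is an accidental global whose accumulator `local count = 0` shadows the function's own name, and the identical helper is pasted into test-response.lua in the next hunk; `local function count(t)` with the accumulator renamed to `n` keeps the helper out of the global table that the engine searches by name for `init` and `match`. The `pairs`-based counting together with `local query = queries[0]` suggests the table returned by DnsGetQueries() is keyed from 0, which `#queries` and `ipairs` would silently miss; if that is indeed the layout, a comment such as `-- DnsGetQueries() keys entries from 0, so #t/ipairs would skip the first one` above `count` would stop a later cleanup from "fixing" the index to 1. The hard-coded `36146` transaction id is pcap-specific and deserves `-- txid of the single query in dig-a-www.suricata-ids.org.pcap`. `args` is never read in `match`, which is fine for this API, but a one-line comment saying the DnsGet*() accessors are used instead would make that deliberate.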
@@ -0,0 +1,54 @@
+function init (args)
+ local needs = {}
+ needs["dns.response"] = tostring(true)
+ return needs
+end
+
+function count(t)
+ local count = 0
+ for _ in pairs(t) do
+ count = count + 1
+ end
+ return count
+end
+
+function match(args)
+ if DnsGetTxid() ~= 36146 then
+ return 0
+ end
+
+ -- The requested name.
+ local rrname = DnsGetDnsRrname()
+ if rrname ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ -- Queries
+ local queries = DnsGetQueries()
+ if queries == nil then return 0 end
+
+ -- There should only be one query.
+ if count(queries) ~= 1 then return 0 end
+
+ local query = queries[0]
+
+ if query["type"] ~= "A" then
+ return 0
+ end
+
+ if query["rrname"] ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ local answers = DnsGetAnswers()
+ if answers == nil then return 0 end
+ if count(answers) ~= 3 then return 0 end
+
+ local authorities = DnsGetAuthorities()
+ if authorities == nil then return 0 end
+ if count(authorities) ~= 0 then return 0 end
+
+ -- TODO: Look at the answers.
+
+ return 1
+end
diff --git a/tests/dns-lua-rules/test-rrname.lua b/tests/dns-lua-rules/test-rrname.lua
new file mode 100644
index 000000000..f5b1059d7
--- /dev/null
+++ b/tests/dns-lua-rules/test-rrname.lua
@@ -0,0 +1,13 @@
+function init (args)
+ local needs = {}
+ needs["dns.rrname"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ rrname = tostring(args["dns.rrname"])
+ if rrname == "www.suricata-ids.org" then
+ return 1
+ end
+ return 0
+end
diff --git a/tests/dns-lua-rules/test.rules b/tests/dns-lua-rules/test.rules
new file mode 100644
index 000000000..7ff3f02d9
--- /dev/null
+++ b/tests/dns-lua-rules/test.rules
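Review bot: `if count(answers) ~= 3 then return 0 end` followed by `-- TODO: Look at the answers.` verifies only the number of answer records, so a regression in how answer fields are decoded still passes as long as three entries come back. If the entries returned by DnsGetAnswers() carry the same `rrname`/`type` keys the query entries do (the code above reads `query["type"]` and `query["rrname"]`), the TODO can be closed now by indexing `answers[0]`, `answers[1]` and `answers[2]` and comparing their `rrname` and `type` against the values recorded in dig-a-www.suricata-ids.org.pcap, which would also pin the 0-based keying this file relies on. Until that is done the TODO should at least name what is deliberately unchecked, e.g. `-- TODO: check rrname and type of each of the three answers, not just their count.`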
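Review bot: `rrname = tostring(args["dns.rrname"])` in `match` assigns an undeclared global rather than a local, the classic Lua slip; it should read `local rrname = tostring(args["dns.rrname"])`. As written the value outlives the call in the script's global environment, and the other two scripts in this commit declare their `rrname` as `local`, so it is an inconsistency as well. Note that `tostring(nil)` yields the string `"nil"`, so a missing `dns.rrname` argument simply fails the comparison and returns 0, which is the intended outcome here but worth stating: `-- args["dns.rrname"] may be nil; tostring() turns that into "nil", which does not match.`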
@@ -0,0 +1,7 @@
+alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+ lua:test-rrname.lua; sid:1; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.request"; \
+ lua:test-request.lua; sid:2; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.response"; \
+ lua:test-response.lua; sid:3; rev:1;)
+
\ No newline at end of file
diff --git a/tests/dns-lua-rules/test.yaml b/tests/dns-lua-rules/test.yaml
new file mode 100644
index 000000000..14a382917
--- /dev/null
+++ b/tests/dns-lua-rules/test.yaml
@@ -0,0 +1,8 @@
+requires:
+ features:
+ - HAVE_LUA
+
+checks:
+ - signature-id: 1
+ - signature-id: 2
+ - signature-id: 3
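Review bot: The file ends with a whitespace-only seventh line and no terminating newline (`\ No newline at end of file`), so the last rule `lua:test-response.lua; sid:3; rev:1;)` is followed by a stray blank entry; drop that line and end the sid 3 rule with a newline. The three rules otherwise share the same `alert dns any any -> any any` header with no direction or flow keyword, so the request/response split is decided entirely by the `needs` table each script returns from `init`; a one-line comment at the top of the file would make that explicit, e.g. `# direction is selected by each script's init() needs table, not by the rule header`.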