From: Jason Ish
Date: Thu, 4 Jul 2024 21:14:07 +0000 (-0600)
Subject: dns-invalid-opcode: v2 and v3 tests
X-Git-Tag: suricata-7.0.7~69
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7fd1d739dd51e93da1dbdcdb1c9f72e350f342e;p=thirdparty%2Fsuricata-verify.git

dns-invalid-opcode: v2 and v3 tests
---

diff --git a/tests/dns/dns-invalid-opcode/test.yaml b/tests/dns/dns-invalid-opcode/test.yaml
index fc5575f53..3027650bb 100644
--- a/tests/dns/dns-invalid-opcode/test.yaml
+++ b/tests/dns/dns-invalid-opcode/test.yaml
@@ -1,5 +1,5 @@
 requires:
- min-version: 7
+ min-version: 8
 
 args:
 - -k none
@@ -11,14 +11,14 @@ checks:
 count: 1
 match:
 event_type: dns
- dns.type: query
+ dns.type: request
 
 # Simple check for one answer.
 - filter:
 count: 1
 match:
 event_type: dns
- dns.type: answer
+ dns.type: response
 
 # One alert in to_server direction.
 - filter:
@@ -132,10 +132,10 @@ checks:
 dest_port: 53
 dns.id: 1
 dns.opcode: 9
- dns.rrname: suricata.io
- dns.rrtype: A
+ dns.queries[0].rrname: suricata.io
+ dns.queries[0].rrtype: A
 dns.tx_id: 0
- dns.type: query
+ dns.type: request
 event_type: dns
 pcap_cnt: 1
 pkt_src: wire/pcap
@@ -253,10 +253,10 @@ checks:
 dns.opcode: 9
 dns.qr: true
 dns.rcode: NOERROR
- dns.rrname: suricata.io
- dns.rrtype: A
- dns.type: answer
- dns.version: 2
+ dns.queries[0].rrname: suricata.io
+ dns.queries[0].rrtype: A
+ dns.type: response
+ dns.version: 3
 event_type: dns
 pcap_cnt: 2
 pkt_src: wire/pcap
diff --git a/tests/dns/v2/dns-invalid-opcode/input.pcap b/tests/dns/v2/dns-invalid-opcode/input.pcap
new file mode 100644
index 000000000..a8a010e3b
Binary files /dev/null and b/tests/dns/v2/dns-invalid-opcode/input.pcap differ
diff --git a/tests/dns/v2/dns-invalid-opcode/test.rules b/tests/dns/v2/dns-invalid-opcode/test.rules
new file mode 100644
index 000000000..d4c02b5c2
--- /dev/null
+++ b/tests/dns/v2/dns-invalid-opcode/test.rules
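Review bot: The response-event check in the `@@ -253` hunk now pins `dns.version: 3`, yet nothing in this test states which EVE DNS layout Suricata should emit; the expectation only holds if 3 is what a `min-version: 8` build produces by default. The new v2 copy of this test pins the layout explicitly with `env:` / `SURICATA_EVE_DNS_VERSION: 2`, so this test would be clearer, and robust against a later default change, if it pinned `SURICATA_EVE_DNS_VERSION: 3` the same way. If the v3 layout is the only one an 8.x build can emit, a one-line comment next to `min-version: 8` saying so would serve the same purpose.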
@@ -0,0 +1,10 @@
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;)
diff --git a/tests/dns/v2/dns-invalid-opcode/test.yaml b/tests/dns/v2/dns-invalid-opcode/test.yaml
new file mode 100644
index 000000000..cdd407c8e
--- /dev/null
+++ b/tests/dns/v2/dns-invalid-opcode/test.yaml
@@ -0,0 +1,286 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+env:
+ SURICATA_EVE_DNS_VERSION: 2
+
+checks:
+
+# Simple check for one query.
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+
+# Simple check for one answer.
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: answer
+
+# One alert in to_server direction.
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_server
+
+# One alert in to_client direction.
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_client
+
+# Generated checks below.
+
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ direction: to_server
+ dns.id: 1
+ dns.opcode: 9
+ dns.queries[0].rrname: suricata.io
+ dns.queries[0].rrtype: A
+ dns.tx_id: 0
+ dns.type: request
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+ tx_id: 0
+
+- filter:
+ lt-version: 8
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ direction: to_server
+ dns.query[0].id: 1
+ dns.query[0].opcode: 9
+ dns.query[0].rrname: suricata.io
+ dns.query[0].rrtype: A
+ dns.query[0].tx_id: 0
+ dns.query[0].type: query
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: dns
+ anomaly.event: invalid_opcode
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ event_type: anomaly
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ dns.id: 1
+ dns.opcode: 9
+ dns.rrname: suricata.io
+ dns.rrtype: A
+ dns.tx_id: 0
+ dns.type: query
+ event_type: dns
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+- filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 1.1.1.1
+ dest_port: 5333
+ direction: to_client
+ dns.flags: c800
+ dns.id: 1
+ dns.opcode: 9
+ dns.qr: true
+ dns.rcode: NOERROR
+ dns.answers[0].rrname: suricata.io
+ dns.answers[0].rrtype: A
+ dns.type: response
+ dns.version: 3
+ event_type: alert
+ flow.bytes_toclient: 98
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 2.2.2.2
+ src_port: 53
+ tx_id: 1
+- filter:
+ requires:
+ lt-version: 8
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 1.1.1.1
+ dest_port: 5333
+ direction: to_client
+ dns.answer.flags: c800
+ dns.answer.id: 1
+ dns.answer.opcode: 9
+ dns.answer.qr: true
+ dns.answer.rcode: NOERROR
+ dns.answer.rrname: suricata.io
+ dns.answer.rrtype: A
+ dns.answer.type: answer
+ dns.answer.version: 2
+ event_type: alert
+ flow.bytes_toclient: 98
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 2.2.2.2
+ src_port: 53
+ tx_id: 1
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: dns
+ anomaly.event: invalid_opcode
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 1.1.1.1
+ dest_port: 5333
+ event_type: anomaly
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 2.2.2.2
+ src_port: 53
+ tx_id: 1
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ dns.answers[0].rdata: 127.0.0.1
+ dns.answers[0].rrname: suricata.io
+ dns.answers[0].rrtype: A
+ dns.answers[0].ttl: 0
+ dns.flags: c800
+ dns.grouped.A[0]: 127.0.0.1
+ dns.id: 1
+ dns.opcode: 9
+ dns.qr: true
+ dns.rcode: NOERROR
+ dns.rrname: suricata.io
+ dns.rrtype: A
+ dns.type: answer
+ dns.version: 2
+ event_type: dns
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 98
+ flow.bytes_toserver: 71
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
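Review bot: The two generated alert checks for packet 1 write their version gate as `min-version: 8` / `lt-version: 8` directly under `filter:`, while the two for packet 2 nest the same gate under `requires:`; the file spells one condition two ways. If the runner honours only one of the forms, the other pair of checks runs on every version, and exactly one of that pair must then fail, because the 8.x and pre-8 alert layouts (`dns.queries[0].*` versus `dns.query[0].*`, and `dns.answers[0].*` versus `dns.answer.*`) are mutually exclusive, leaving the test red everywhere. Whichever form the runner supports should be used for all four checks; the `requires:` nesting is the one to copy unless the flat form is known to be accepted.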