From: Philippe Antoine
Date: Tue, 9 Sep 2025 13:01:58 +0000 (+0200)
Subject: dns: add test with rrtype keyword and index
X-Git-Tag: suricata-8.0.2~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0110f801dee1008d618d7edb85b6e6147803fb1;p=thirdparty%2Fsuricata-verify.git
dns: add test with rrtype keyword and index
Ticket: 7480
---
diff --git a/tests/dns/dns-rrtype-index/README.md b/tests/dns/dns-rrtype-index/README.md
new file mode 100644
index 000000000..de1e9c71f
--- /dev/null
+++ b/tests/dns/dns-rrtype-index/README.md
@@ -0,0 +1,5 @@
+Test the `dns.rrtype` keyword with index.
+
+The PCAP here was reused from ./tests/dns/dns-eve-empty-format/input.pcap
+
+Redmine ticket: https://redmine.openinfosecfoundation.org/issues/7480
diff --git a/tests/dns/dns-rrtype-index/test.rules b/tests/dns/dns-rrtype-index/test.rules
new file mode 100644
index 000000000..949e8b59c
--- /dev/null
+++ b/tests/dns/dns-rrtype-index/test.rules
@@ -0,0 +1,8 @@
+# Only alert on requests.
+alert dns any any -> any any (dns.rrtype:1,0; flow:to_client; sid:1; rev:1;)
+
+# Only alert on responses.
+alert dns any any -> any any (dns.rrtype:1,all; flow:to_client; sid:2; rev:1;)
+
+# Only alert on responses.
+alert dns any any -> any any (dns.rrtype:1,-1; flow:to_client; sid:3; rev:1;)
diff --git a/tests/dns/dns-rrtype-index/test.yaml b/tests/dns/dns-rrtype-index/test.yaml
new file mode 100644
index 000000000..7e20f1f91
--- /dev/null
+++ b/tests/dns/dns-rrtype-index/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 9
+
+pcap: ../dns-eve-empty-format/input.pcap
+
+checks:
+ - filter:
+ count: 3
+ match:
+ alert.signature_id: 1
+ event_type: alert
+ - filter:
+ count: 3
+ match:
+ alert.signature_id: 2
+ event_type: alert
+ - filter:
+ count: 4
+ match:
+ alert.signature_id: 3
+ event_type: alert
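Review bot: The comment on sid:1 in test.rules, `# Only alert on requests.`, contradicts the rule itself, which carries `flow:to_client` and so matches server responses exactly like sid:2 and sid:3; nothing in this file exercises the request direction. The three comments also never mention what actually differs between the rules, the index argument (0, all, -1), so a reader cannot tell what the test is meant to cover. I would replace them with `# Index 0: rrtype 1 on the first record of a response.`, `# Index all: rrtype 1 on any record of a response.` and `# Index -1: rrtype 1 on the last record of a response.`, assuming that is the index semantics introduced for ticket 7480 — confirm against the keyword documentation before committing the wording.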
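Review bot: `min-version: 9` under `requires:` in test.yaml makes suricata-verify skip this test on every 8.x build, yet the X-Git-Tag `suricata-8.0.2~43` places this commit on the 8.0.x line; if the rrtype index support was backported to 8.0.2, the three checks below never run against it and a regression there goes unnoticed. Either lower the requirement to the release that actually carries the feature, or state in README.md why 9 is the floor. The expected counts (3, 3, 4) are otherwise a reasonable pin, since each of the three signatures has its own filter and any alert the rules should not raise would change one of them.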