From: Jeff Lucovsky Date: Sun, 14 Jul 2019 18:52:09 +0000 (-0400) Subject: tests: add test for dotprefix transform X-Git-Tag: suricata-6.0.4~396 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fde6220a60a42f15f90be7f27ebc51ccce85641f;p=thirdparty%2Fsuricata-verify.git tests: add test for dotprefix transform
---
diff --git a/tests/detect-dotprefix-01/README.md b/tests/detect-dotprefix-01/README.md
new file mode 100644
index 000000000..2d4b515eb
--- /dev/null
+++ b/tests/detect-dotprefix-01/README.md
@@ -0,0 +1 @@
+Extract the domain from a DNS request
diff --git a/tests/detect-dotprefix-01/input.pcap b/tests/detect-dotprefix-01/input.pcap
new file mode 100644
index 000000000..438ae605f
Binary files /dev/null and b/tests/detect-dotprefix-01/input.pcap differ
diff --git a/tests/detect-dotprefix-01/test.rules b/tests/detect-dotprefix-01/test.rules
new file mode 100644
index 000000000..4c210965f
--- /dev/null
+++ b/tests/detect-dotprefix-01/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (dns.query; dotprefix; content:".windowsupdate.com"; sid:1;)
+alert dns any any -> any any (dns.query; dotprefix; content:".com"; endswith; sid:2;)
diff --git a/tests/detect-dotprefix-01/test.yaml b/tests/detect-dotprefix-01/test.yaml
new file mode 100644
index 000000000..56db381fa
--- /dev/null
+++ b/tests/detect-dotprefix-01/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/detect-dotprefix-02/README.md b/tests/detect-dotprefix-02/README.md
new file mode 100644
index 000000000..2d4b515eb
--- /dev/null
+++ b/tests/detect-dotprefix-02/README.md
@@ -0,0 +1 @@
+Extract the domain from a DNS request
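Review bot: sid 1 in tests/detect-dotprefix-01/test.rules is not anchored at the end, so `content:".windowsupdate.com"` on the dot-prefixed buffer also matches a query such as `windowsupdate.com.attacker.example`, whose transformed value `.windowsupdate.com.attacker.example` contains the pattern; only sid 2 uses `endswith`. If the intent is "the domain or any of its subdomains", the precise form is `alert dns any any -> any any (dns.query; dotprefix; content:".windowsupdate.com"; endswith; sid:1;)`. The test also carries no lookalike case: a rule plus pcap query such as `notwindowsupdate.com` with a `count: 0` check would demonstrate the substring false positive the transform exists to prevent, unless detect-dotprefix-03 already covers that — its pcap content is not visible here.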
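Review bot: Both checks in tests/detect-dotprefix-01/test.yaml only count alerts, so whether they exercise the transform at all depends on what input.pcap queries: if the query is a subdomain such as `www.windowsupdate.com`, sid 1 would fire even if dotprefix were a no-op, because the raw `dns.query` buffer already contains `.windowsupdate.com`; only an apex query `windowsupdate.com` needs the prepended dot. The pcap is binary and the README is the same one-liner for all three tests, so a reviewer cannot tell which case this is. Suggest the README state the queried name and why each sid fires, e.g. `Single query for the apex windowsupdate.com: sid 1 matches only because dotprefix prepends the dot; sid 2 matches the .com suffix via endswith.` — adjusted to what the pcap actually contains.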
diff --git a/tests/detect-dotprefix-02/input.pcap b/tests/detect-dotprefix-02/input.pcap
new file mode 100644
index 000000000..c43a2fee8
Binary files /dev/null and b/tests/detect-dotprefix-02/input.pcap differ
diff --git a/tests/detect-dotprefix-02/test.rules b/tests/detect-dotprefix-02/test.rules
new file mode 100644
index 000000000..f224962bf
--- /dev/null
+++ b/tests/detect-dotprefix-02/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (dns.query; dotprefix; content:".google.co.uk"; sid:1;)
+alert dns any any -> any any (dns.query; dotprefix; content:".co.uk"; endswith; sid:2;)
diff --git a/tests/detect-dotprefix-02/test.yaml b/tests/detect-dotprefix-02/test.yaml
new file mode 100644
index 000000000..2c911fafb
--- /dev/null
+++ b/tests/detect-dotprefix-02/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/detect-dotprefix-03/README.md b/tests/detect-dotprefix-03/README.md
new file mode 100644
index 000000000..2d4b515eb
--- /dev/null
+++ b/tests/detect-dotprefix-03/README.md
@@ -0,0 +1 @@
+Extract the domain from a DNS request
diff --git a/tests/detect-dotprefix-03/input.pcap b/tests/detect-dotprefix-03/input.pcap
new file mode 100644
index 000000000..d5d7989ce
Binary files /dev/null and b/tests/detect-dotprefix-03/input.pcap differ
diff --git a/tests/detect-dotprefix-03/test.rules b/tests/detect-dotprefix-03/test.rules
new file mode 100644
index 000000000..0f017cb3d
--- /dev/null
+++ b/tests/detect-dotprefix-03/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; dotprefix; content:".google.com"; sid:1;)
diff --git a/tests/detect-dotprefix-03/test.yaml b/tests/detect-dotprefix-03/test.yaml
new file mode 100644
index 000000000..24d2dd832
--- /dev/null
+++ b/tests/detect-dotprefix-03/test.yaml
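Review bot: tests/detect-dotprefix-02/test.rules repeats the shape of test 01 with a two-label suffix (`.co.uk`), but nothing in the diff says what the second test adds — presumably that `endswith` still anchors correctly when the suffix spans two labels — while sid 1 again lacks `endswith` and would also match a query such as `google.co.uk.attacker.example`. The README is the identical one-liner as test 01, so the distinction between the two tests is lost. A README line such as `Same as detect-dotprefix-01 with a multi-label suffix (.co.uk); sid 2 checks endswith across two labels.` would make the intent reviewable.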
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
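Review bot: The single `count: 0` check in tests/detect-dotprefix-03/test.yaml is satisfied by any failure to inspect the traffic — the pcap not being parsed as DNS, the rule failing to load, or an empty `dns.query` buffer — not only by dotprefix correctly rejecting the lookalike name the test presumably carries (the pcap is binary and the README does not say what is queried). A positive control in test.rules, e.g. `alert dns any any -> any any (dns.query; content:"google"; sid:2;)` paired with a `count: 1` check on `alert.signature_id: 2`, would show the query was inspected and that only the dot-prefixed match was rejected, assuming the queried name contains that substring. The README should also name the queried domain so the negative case is reviewable.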