From: Jason Ish
Date: Wed, 13 Nov 2019 17:32:49 +0000 (-0600)
Subject: eve/dns: test eve/dns filtering
X-Git-Tag: suricata-6.0.4~373
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F150%2Fhead;p=thirdparty%2Fsuricata-verify.git

eve/dns: test eve/dns filtering

To confirm ticket: https://redmine.openinfosecfoundation.org/issues/3231
---

diff --git a/tests/dns-eve-type-filtering/suricata.yaml b/tests/dns-eve-type-filtering/suricata.yaml
new file mode 100644
index 000000000..e498af61d
--- /dev/null
+++ b/tests/dns-eve-type-filtering/suricata.yaml
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+outputs:
+
+  - eve-log:
+      enabled: yes
+      filename: all.json
+      types:
+        - dns:
+            version: 2
+
+  - eve-log:
+      enabled: yes
+      filename: only-a.json
+      types:
+        - dns:
+            version: 2
+            types: [a]
+
+  - eve-log:
+      enabled: yes
+      filename: a-and-aaaa-requests-only.json
+      types:
+        - dns:
+            version: 2
+            requests: yes
+            responses: no
+            types: [a, aaaa]
+
+  - eve-log:
+      enabled: yes
+      filename: mx-responses-only.json
+      types:
+        - dns:
+            version: 2
+            requests: no
+            responses: yes
+            types: [mx]
diff --git a/tests/dns-eve-type-filtering/test.pcap b/tests/dns-eve-type-filtering/test.pcap
new file mode 100644
index 000000000..d53a586bc
Binary files /dev/null and b/tests/dns-eve-type-filtering/test.pcap differ
diff --git a/tests/dns-eve-type-filtering/test.yaml b/tests/dns-eve-type-filtering/test.yaml
new file mode 100644
index 000000000..610a49070
--- /dev/null
+++ b/tests/dns-eve-type-filtering/test.yaml
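Review bot: The `only-a.json` output leaves `requests` and `responses` unset and so depends on both defaulting to enabled, while the two outputs after it set them explicitly, so a reader cannot tell whether the omission is deliberate; a comment under its `dns:` entry such as `# requests/responses intentionally left at their defaults (both logged)` would make the intent and the coverage it provides explicit. If that default ever changes, the only-a checks in test.yaml would fail without anything in this file pointing at the cause, so the comment also aids triage. The capture is not visible here, so I cannot confirm which rrtypes the `[a]`, `[a, aaaa]` and `[mx]` filters are actually exercised against; a one-line comment above `outputs:` summarising the query mix in test.pcap would spare the next maintainer a tshark session.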
@@ -0,0 +1,68 @@
+requires:
+  min-version: 4.1
+
+checks:
+
+  - filter:
+      filename: all.json
+      count: 14
+      match:
+        event_type: "dns"
+
+  # Check that we only have requests and responses for A records.
+  - filter:
+      filename: only-a.json
+      count: 4
+      match:
+        event_type: "dns"
+  - filter:
+      filename: only-a.json
+      count: 4
+      match:
+        event_type: "dns"
+        dns.rrtype: "A"
+
+  # Check that we only have A and AAAA requests.
+  - filter:
+      filename: a-and-aaaa-requests-only.json
+      count: 4
+      match:
+        event_type: "dns"
+  - filter:
+      filename: a-and-aaaa-requests-only.json
+      count: 2
+      match:
+        event_type: "dns"
+        dns.rrtype: "A"
+  - filter:
+      filename: a-and-aaaa-requests-only.json
+      count: 2
+      match:
+        event_type: "dns"
+        dns.rrtype: "AAAA"
+  - filter:
+      filename: a-and-aaaa-requests-only.json
+      count: 4
+      match:
+        event_type: "dns"
+        dns.type: "query"
+
+  # Check that we only have 3 log entries, and that they are all MX
+  # responses.
+  - filter:
+      filename: mx-responses-only.json
+      count: 3
+      match:
+        event_type: "dns"
+  - filter:
+      filename: mx-responses-only.json
+      count: 3
+      match:
+        event_type: "dns"
+        dns.type: "answer"
+  - filter:
+      filename: mx-responses-only.json
+      count: 3
+      match:
+        event_type: "dns"
+        dns.rrtype: "MX"
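Review bot: The comment above the `only-a.json` checks promises "requests and responses for A records", but the two filters only pin a total of 4 and that all 4 carry `dns.rrtype: "A"`; unlike the other two filtered outputs, nothing asserts that both `dns.type: "query"` and `dns.type: "answer"` are present, so a regression that dropped one direction while the total still came out at 4 would pass. Two further filter blocks on only-a.json matching `dns.type: "query"` and `dns.type: "answer"`, with counts taken from the capture (presumably 2 each given the total, but test.pcap is not visible here), would close that gap. `min-version: 4.1` is also worth confirming against the release that actually carries the behaviour for ticket 3231: if the ticket was a fix rather than a confirmation, 4.1.x builds predating it would fail this test for reasons unrelated to a regression.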