From 07bee71960336a85c53cfb9fea61b65287b12edd Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 20 Feb 2025 15:21:36 -0600
Subject: [PATCH] tests/dns: add dns.response.rrname to some tests for coverage

---
 tests/dns/dns-additionals-rrname/test.rules | 5 +++++
 tests/dns/dns-additionals-rrname/test.yaml | 12 ++++++++++++
 tests/dns/dns-answer-name/test.rules | 3 +++
 tests/dns/dns-answer-name/test.yaml | 7 +++++++
 4 files changed, 27 insertions(+)

diff --git a/tests/dns/dns-additionals-rrname/test.rules b/tests/dns/dns-additionals-rrname/test.rules
index 63eabfe99..92f5f2b3e 100644
--- a/tests/dns/dns-additionals-rrname/test.rules
+++ b/tests/dns/dns-additionals-rrname/test.rules
@@ -2,3 +2,8 @@ alert dns any any -> any any (dns.queries.rrname; content:"suricata.io"; sid:1;
 alert dns any any -> any any (dns.authorities.rrname; content:"io"; sid:2; rev:1;)
 alert dns any any -> any any (dns.additionals.rrname; content:"a0.nic.io"; sid:3; rev:1;)
 alert dns any any -> any any (dns.additionals.rrname; content:"c0.nic.io"; sid:4; rev:1;)
+
+# Tests use more generic dns.response.rrname
+alert dns any any -> any any (dns.response.rrname; content:"suricata.io"; sid:5; rev:1;)
+alert dns any any -> any any (dns.response.rrname; content:"a0.nic.io"; sid:6; rev:1;)
+alert dns any any -> any any (dns.response.rrname; content:"c0.nic.io"; sid:7; rev:1;)
diff --git a/tests/dns/dns-additionals-rrname/test.yaml b/tests/dns/dns-additionals-rrname/test.yaml
index 3b48d6b21..6562da946 100644
--- a/tests/dns/dns-additionals-rrname/test.yaml
+++ b/tests/dns/dns-additionals-rrname/test.yaml
@@ -20,3 +20,15 @@ checks:
 count: 1
 match:
 alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 7
diff --git a/tests/dns/dns-answer-name/test.rules b/tests/dns/dns-answer-name/test.rules
index e6b01526f..c733a7821 100644
--- a/tests/dns/dns-answer-name/test.rules
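Review bot: The new dns.response.rrname rules (sid:5–7) mirror sid:1, sid:3 and sid:4 but not sid:2, so whatever the generic keyword sees of the authority section (the `content:"io"` case) stays uncovered by this test. If dns.response.rrname is meant to span the authority records too, a rule such as `alert dns any any -> any any (dns.response.rrname; content:"io"; sid:8; rev:1;)` with a matching count check in test.yaml would close that gap; the expected count for it should be pinned against the pcap rather than assumed, since "io" is also a substring of the other names. The added comment `# Tests use more generic dns.response.rrname` would read more clearly as `# The same matches, using the more generic dns.response.rrname keyword`.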
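Review bot: The three new checks for sids 5, 6 and 7 assert only that each alert fires once and carry no direction or app_proto constraint, whereas the equivalent check added to tests/dns/dns-answer-name/test.yaml later in this patch pins `direction: to_client` and `app_proto: dns`. Adding those two keys under each new `match:` would also confirm that dns.response.rrname never matches in the request direction; a bare count of 1 says nothing about which packet raised the alert. This follows the style of the existing sid 1–4 checks visible in context, so it is a suggestion rather than a defect.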
+++ b/tests/dns/dns-answer-name/test.rules
@@ -6,3 +6,6 @@ alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_server
 
 # Should only alert in the response direction.
 alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_client; sid:3; rev:1;)
+
+# And the more generic rrname match in a response.
+alert dns any any -> any any (dns.response.rrname; content:"oisf"; flow:to_client; sid:4; rev:1;)
diff --git a/tests/dns/dns-answer-name/test.yaml b/tests/dns/dns-answer-name/test.yaml
index 4bc24a91e..80c0b9500 100644
--- a/tests/dns/dns-answer-name/test.yaml
+++ b/tests/dns/dns-answer-name/test.yaml
@@ -41,3 +41,10 @@ checks:
 alert.signature_id: 3
 direction: to_client
 app_proto: dns
+
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ direction: to_client
+ app_proto: dns
--
2.47.2
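Review bot: The new sid:4 only mirrors the to_client case, so unlike the dns.answers.rrname pair (the flow:to_server rule shown in the hunk header context, outside the hunk, and sid:3 inside it) nothing asserts that the generic keyword stays silent toward the server. If the engine accepts a `flow:to_server` variant of this rule at load time, adding one with an expected `count: 0` check in test.yaml would pin that behaviour; if it rejects the combination, saying so in the comment would document why the to_server counterpart is absent. The comment `# And the more generic rrname match in a response.` would be more precise as `# The same match via the more generic dns.response.rrname keyword; response direction only.`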