From 1e38cef51d2c36cf279a122a8f2a9a9c1d9f0ebe Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 4 Jul 2024 14:33:43 -0600
Subject: [PATCH] dns-eve: v2 and v3 tests

---
 tests/dns-eve-v1/test.yaml            |  2 +-
 tests/{ => dns}/dns-eve/input.pcap    | Bin
 tests/{ => dns}/dns-eve/suricata.yaml |  0
 tests/dns/dns-eve/test.yaml           | 12 ++++
 tests/dns/v2/dns-eve/input.pcap       | Bin 0 -> 876 bytes
 tests/dns/v2/dns-eve/suricata.yaml    | 80 ++++++++++++++++++++++++++
 tests/{ => dns/v2}/dns-eve/test.yaml  |  0
 7 files changed, 93 insertions(+), 1 deletion(-)
 rename tests/{ => dns}/dns-eve/input.pcap (100%)
 rename tests/{ => dns}/dns-eve/suricata.yaml (100%)
 create mode 100644 tests/dns/dns-eve/test.yaml
 create mode 100644 tests/dns/v2/dns-eve/input.pcap
 create mode 100644 tests/dns/v2/dns-eve/suricata.yaml
 rename tests/{ => dns/v2}/dns-eve/test.yaml (100%)

diff --git a/tests/dns-eve-v1/test.yaml b/tests/dns-eve-v1/test.yaml
index c10472e1f..59979e40d 100644
--- a/tests/dns-eve-v1/test.yaml
+++ b/tests/dns-eve-v1/test.yaml
@@ -1,4 +1,4 @@
-pcap: ../dns-eve/input.pcap
+pcap: ../dns/dns-eve/input.pcap
 
 requires:
   features:
diff --git a/tests/dns-eve/input.pcap b/tests/dns/dns-eve/input.pcap
similarity index 100%
rename from tests/dns-eve/input.pcap
rename to tests/dns/dns-eve/input.pcap
diff --git a/tests/dns-eve/suricata.yaml b/tests/dns/dns-eve/suricata.yaml
similarity index 100%
rename from tests/dns-eve/suricata.yaml
rename to tests/dns/dns-eve/suricata.yaml
diff --git a/tests/dns/dns-eve/test.yaml b/tests/dns/dns-eve/test.yaml
new file mode 100644
index 000000000..d969acbae
--- /dev/null
+++ b/tests/dns/dns-eve/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 4
+      match:
+        dns.type: request
+  - filter:
+      count: 4
+      match:
+        dns.type: response
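Review bot: The new tests/dns/dns-eve/test.yaml only counts records by `dns.type`, so it passes whenever four requests and four responses are logged, without pinning the EVE DNS schema version it was written for; the Suricata 8 default is relied on implicitly, and the suricata.yaml renamed into this directory is not shown in the diff, so I cannot see whether it sets `dns: version:` at all. If the v3 record carries a `version` field as the v2 records do, adding `dns.version: 3` under both `match` blocks makes the test fail loudly if that default ever changes instead of silently matching a future format. A header comment would also record why `min-version` is 8: `# Exercises the default (v3) EVE DNS output on Suricata 8+; the v2 variant lives in tests/dns/v2/dns-eve`.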
diff --git a/tests/dns/v2/dns-eve/input.pcap b/tests/dns/v2/dns-eve/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5c9ee35b3925845257e32c31a4312dca5ccc1a3a GIT binary patch literal 876 zc-p&ic+)~A1{MYcU}0bclCFlsWL^u=;!t_JF7gqX#doRgWFSE8Go#-37?Uyzhv!JM3*3zBAZ z16mL&%F2)kR0hHjqaoISEeMX22U&2;A7nVl5(ZPC753-qXRdB+0GU9*f&)BIMfwaZ zCZPqQAPeKR@G$rSg?zF3$bOyz$ilWHn2!!A0)3<{mci?f@DXcLPJVJWhGp(R!|Qz+ z8A5?dLa`a{KJPFC(D0+%VTLzt0vc{CR6GS0sRnUdX(269Ar#*d;knCRao z2p!Oeh9U<8i>{TMBFGJ*?d%LuK%ppXZt#gy1iK*w;Rc{rEwpc}dyR-TY#xQh7vp9I zmW<|8=^j9vG=6d7Nr6k&fNZM21PjuKN{|$28A((M1X(ceHz&Rns08+k55g-zE9@2H NEh9-wfx3_s2mn|@#v=d# literal 0 Hc-jL100001 diff --git a/tests/dns/v2/dns-eve/suricata.yaml b/tests/dns/v2/dns-eve/suricata.yaml new file mode 100644 index 000000000..64245a75a --- /dev/null +++ b/tests/dns/v2/dns-eve/suricata.yaml 
@@ -0,0 +1,80 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  # The interval field (in seconds) controls at what interval
+  # the loggers are invoked.
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert:
+            # payload: yes             # enable dumping payload in Base64
+            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            # payload-printable: yes   # enable dumping payload in printable (lossy) format
+            # packet: yes              # enable dumping of packet (without stream segments)
+            # http: yes                # enable dumping of http fields
+            # tls: yes                 # enable dumping of tls fields
+            # ssh: yes                 # enable dumping of ssh fields
+            # smtp: yes                # enable dumping of smtp fields
+
+            # HTTP X-Forwarded-For support by adding an extra field or overwriting
+            # the source or destination IP address (depending on flow direction)
+            # with the one reported in the X-Forwarded-For HTTP header. This is
+            # helpful when reviewing alerts for traffic that is being reverse
+            # or forward proxied.
+            xff:
+              enabled: no
+              # Two operation modes are available, "extra-data" and "overwrite".
+              mode: extra-data
+              # Two proxy deployments are supported, "reverse" and "forward". In
+              # a "reverse" deployment the IP address used is the last one, in a
+              # "forward" deployment the first IP address is used.
+              deployment: reverse
+              # Header name where the actual IP address will be reported, if more
+              # than one IP address is present, the last IP address will be the
+              # one taken into consideration.
+              header: X-Forwarded-For
+        - http:
+            extended: yes     # enable this for extended logging information
+            # custom allows additional http fields to be included in eve-log
+            # the example below adds three additional fields when uncommented
+            #custom: [Accept-Encoding, Accept-Language, Authorization]
+        - dns:
+            version: 2
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - files:
+            force-magic: no   # force logging magic on all logged files
+            force-md5: no     # force logging of md5 checksums
+        #- drop:
+        #  alerts: no      # log alerts that caused drops
+        - smtp:
+            #extended: yes # enable this for extended logging information
+            # this includes: bcc, message-id, subject, x_mailer, user-agent
+            # custom fields logging from the list:
+            #  reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+            #  x-originating-ip, in-reply-to, references, importance, priority,
+            #  sensitivity, organization, content-md5, date
+            #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+            # output md5 of fields: body, subject
+            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+            # to yes
+            #md5: [body, subject]
+
+        - ssh
+        # - stats:
+        #     totals: yes       # stats for all threads merged together
+        #     threads: no       # per thread stats
+        #     deltas: no        # include delta values
+        # bi-directional flows
+        #- flow
+        # uni-directional flows
+        #- netflow
+
diff --git a/tests/dns-eve/test.yaml b/tests/dns/v2/dns-eve/test.yaml
similarity index 100%
rename from tests/dns-eve/test.yaml
rename to tests/dns/v2/dns-eve/test.yaml
-- 
2.47.2
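Review bot: Of the 80 lines in tests/dns/v2/dns-eve/suricata.yaml the only one this test depends on is `version: 2` under `- dns:`; the rest is the stock template, carrying http, tls, files, smtp and ssh loggers plus an 8-second stats interval that a DNS-only pcap never exercises, so any future tightening of those unrelated sections can break a DNS test for reasons that have nothing to do with DNS. The copied `force-md5: no` under `files` looks like the older spelling that was superseded by `force-hash`; worth checking against the version-8 config, since a rejected key turns this into a config-load failure rather than a DNS assertion. I would trim `outputs` down to the `eve-log` entry with a single `- dns:` type and keep the intent visible with a comment above it: `# Pin EVE DNS v2 explicitly; Suricata 8 defaults to v3, which changes the record layout`. The `yes`/`no` booleans follow Suricata's own config convention, so no change there.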