From 2441fc6cdbe136086799311dfb64366c7ff5df12 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 4 Jul 2024 15:17:44 -0600
Subject: [PATCH] dns-z-bit: v2 and v3 tests
---
 tests/{ => dns}/dns-z-bit/dns-events.rules | 0
 tests/{ => dns}/dns-z-bit/input.pcap | Bin
 tests/dns/dns-z-bit/test.yaml | 72 +++++++++++++++++++++
 tests/dns/v2/dns-z-bit/dns-events.rules | 9 +++
 tests/dns/v2/dns-z-bit/input.pcap | Bin 0 -> 220 bytes
 tests/{ => dns/v2}/dns-z-bit/test.yaml | 3 +
 6 files changed, 84 insertions(+)
 rename tests/{ => dns}/dns-z-bit/dns-events.rules (100%)
 rename tests/{ => dns}/dns-z-bit/input.pcap (100%)
 create mode 100644 tests/dns/dns-z-bit/test.yaml
 create mode 100644 tests/dns/v2/dns-z-bit/dns-events.rules
 create mode 100644 tests/dns/v2/dns-z-bit/input.pcap
 rename tests/{ => dns/v2}/dns-z-bit/test.yaml (97%)
diff --git a/tests/dns-z-bit/dns-events.rules b/tests/dns/dns-z-bit/dns-events.rules
similarity index 100%
rename from tests/dns-z-bit/dns-events.rules
rename to tests/dns/dns-z-bit/dns-events.rules
diff --git a/tests/dns-z-bit/input.pcap b/tests/dns/dns-z-bit/input.pcap
similarity index 100%
rename from tests/dns-z-bit/input.pcap
rename to tests/dns/dns-z-bit/input.pcap
diff --git a/tests/dns/dns-z-bit/test.yaml b/tests/dns/dns-z-bit/test.yaml
new file mode 100644
index 000000000..b92c3290f
--- /dev/null
+++ b/tests/dns/dns-z-bit/test.yaml
@@ -0,0 +1,72 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: request
+ dns.z: true
+- filter:
+ requires:
+ lt-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2240006
+ dns.query[0].z: true
+- filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2240006
+ dns.z: true
+- filter:
+ count: 1
+ match:
+ dest_ip: 8.8.8.8
+ dest_port: 53
+ dns.answers[0].rdata: 142.251.32.68
+ dns.answers[0].rrname: www.google.com
+ dns.answers[0].rrtype: A
+ dns.answers[0].ttl: 58
+ dns.flags: '8180'
+ dns.grouped.A[0]: 142.251.32.68
+ dns.id: 1
+ dns.qr: true
+ dns.ra: true
+ dns.rcode: NOERROR
+ dns.rd: true
+ dns.queries[0].rrname: www.google.com
+ dns.queries[0].rrtype: A
+ dns.type: response
+ dns.version: 3
+ event_type: dns
+ pcap_cnt: 2
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 42150
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 8.8.8.8
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 90
+ flow.bytes_toserver: 74
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 42150
diff --git a/tests/dns/v2/dns-z-bit/dns-events.rules b/tests/dns/v2/dns-z-bit/dns-events.rules
new file mode 100644
index 000000000..0e34dae13
--- /dev/null
+++ b/tests/dns/v2/dns-z-bit/dns-events.rules
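Review bot: The second filter in the new tests/dns/dns-z-bit/test.yaml is gated with `requires: lt-version: 8` while the file itself opens with `requires: min-version: 8`, so that check (matching the v2 key `dns.query[0].z: true` on the sid 2240006 alert) can never be evaluated here and is dead configuration carried over from the pre-rename file. Either drop it, keeping only the `min-version: 8` filter that asserts `dns.z: true`, or, if it is meant to document the schema difference, mark it as such with a comment like `# v2 key, unreachable under min-version 8; kept for reference`. The v2 expectations now live in tests/dns/v2/dns-z-bit/test.yaml, which is where an lt-version path belongs if one is still wanted. Indentation in this hunk is not recoverable from the page, so the nesting above is read from the keys rather than the layout.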
@@ -0,0 +1,9 @@
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;)
diff --git a/tests/dns/v2/dns-z-bit/input.pcap b/tests/dns/v2/dns-z-bit/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b9fe2f5fd25d05330c2996bc07285faf2bd292db
GIT binary patch literal 220 zc-p&ic+)~A1{MYcU}0bclCvxiB?d6DGk5{nAiThAzK@T_jniFk7rJpUxH2%lpU>G}ETIjPLa`MC^0aYm5IQ)<{5 zqJZ)s3^5a8KG0+b2A@5r7#OMqGjc$tf=p*H1)6Pf;2;BIV*|(pTqYmjfy!Dju=M>_ GZ~*`=%Q5Q! literal 0 Hc-jL100001
diff --git a/tests/dns-z-bit/test.yaml b/tests/dns/v2/dns-z-bit/test.yaml
similarity index 97%
rename from tests/dns-z-bit/test.yaml
rename to tests/dns/v2/dns-z-bit/test.yaml
index 5037e0497..3bd38cb80 100644
--- a/tests/dns-z-bit/test.yaml
+++ b/tests/dns/v2/dns-z-bit/test.yaml
@@ -1,6 +1,9 @@ args: - -k none +env: + SURICATA_EVE_DNS_VERSION: 2 + checks: - filter: count: 1 -- 2.47.2
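Review bot: The first comment in the new tests/dns/v2/dns-z-bit/dns-events.rules, `# Malformed data in request. Malformed means length fields are wrong, etc.`, sits above two rules, sid 2240002 (`flow:to_server`) and sid 2240003 (`flow:to_client`), but describes only the request case; `# Malformed data in request or response. Malformed means length fields are wrong, etc.` would match what follows, since the later comments each introduce a single direction-specific rule. The Z flag rule (sid 2240006) is the only one in the file without a `flow:` keyword, presumably on purpose because a reserved bit can be set in either direction, and a short note on its comment line, e.g. `# Z flag (reserved) not 0; no flow: restriction, fires in either direction`, would save the next reader checking whether the omission is an oversight. The same nine lines are duplicated at tests/dns/dns-z-bit/dns-events.rules (renamed in this commit), so any wording change should be applied to both copies.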
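Review bot: The `env:` block added to tests/dns/v2/dns-z-bit/test.yaml carries no comment explaining why the test pins `SURICATA_EVE_DNS_VERSION: 2`, and nothing in the hunk gates the test to versions that honour that variable; if an older Suricata ignores it, the run silently falls back to its default EVE DNS schema and the v2-specific checks pass or fail for the wrong reason. A line such as `# Force the legacy EVE DNS v2 schema; the v3 variant of this test is tests/dns/dns-z-bit/test.yaml` above `env:` would record the intent, and a `requires:` block could make the version assumption explicit if one applies. The rest of the file, including the checks this setting is meant to exercise, is outside the hunk, so I cannot tell whether version-gated filters copied from the pre-rename file still assert v3 keys under forced v2 output.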