From 485d82f8b6a6efd18d4b9ffb1b5939b4c6ca3847 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 4 Jul 2024 17:25:43 -0600
Subject: [PATCH] decode-teredo-01: update for dns v3 logging
---
tests/decode-teredo-01/test.yaml | 275 +++++++++++++++++++++++++++++++
1 file changed, 275 insertions(+)
diff --git a/tests/decode-teredo-01/test.yaml b/tests/decode-teredo-01/test.yaml
index fa107662a..26ae4484c 100644
--- a/tests/decode-teredo-01/test.yaml
+++ b/tests/decode-teredo-01/test.yaml
@@ -6,6 +6,25 @@ args:
 checks:
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.id: 16995
+ dns.queries[0].rrname: ipv6.google.com
+ dns.queries[0].rrtype: AAAA
+ dns.tx_id: 0
+ dns.type: request
+ event_type: dns
+ pcap_cnt: 21
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
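Review bot: The min-version 8 request check added at the top of this hunk (dns.id 16995) does not assert `dns.version: 3`, while every new response check in this patch does. If the v3 request record carries the version field as the response does, adding `dns.version: 3` under its `match:` would state the schema the check targets directly instead of implying it through the `dns.queries[0]` shape and `dns.tx_id`. The same applies to the request checks in the hunks at -79, -151, -206 and -241. Keeping the asserted field set symmetric between each request/response pair also makes the v8 expectations easier to compare with the lt-version 8 checks they sit beside.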
@@ -21,6 +40,68 @@ checks:
 src_ip: 192.168.2.16
 src_port: 1920
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.answers[0].rdata: ipv6.l.google.com
+ dns.answers[0].rrname: ipv6.google.com
+ dns.answers[0].rrtype: CNAME
+ dns.answers[0].ttl: 8655
+ dns.answers[1].rdata: 2001:4860:0000:2001:0000:0000:0000:0068
+ dns.answers[1].rrname: ipv6.l.google.com
+ dns.answers[1].rrtype: AAAA
+ dns.answers[1].ttl: 300
+ dns.authorities[0].rdata: a.l.google.com
+ dns.authorities[0].rrname: l.google.com
+ dns.authorities[0].rrtype: NS
+ dns.authorities[0].ttl: 77923
+ dns.authorities[1].rdata: b.l.google.com
+ dns.authorities[1].rrname: l.google.com
+ dns.authorities[1].rrtype: NS
+ dns.authorities[1].ttl: 77923
+ dns.authorities[2].rdata: c.l.google.com
+ dns.authorities[2].rrname: l.google.com
+ dns.authorities[2].rrtype: NS
+ dns.authorities[2].ttl: 77923
+ dns.authorities[3].rdata: d.l.google.com
+ dns.authorities[3].rrname: l.google.com
+ dns.authorities[3].rrtype: NS
+ dns.authorities[3].ttl: 77923
+ dns.authorities[4].rdata: e.l.google.com
+ dns.authorities[4].rrname: l.google.com
+ dns.authorities[4].rrtype: NS
+ dns.authorities[4].ttl: 77923
+ dns.authorities[5].rdata: f.l.google.com
+ dns.authorities[5].rrname: l.google.com
+ dns.authorities[5].rrtype: NS
+ dns.authorities[5].ttl: 77923
+ dns.authorities[6].rdata: g.l.google.com
+ dns.authorities[6].rrname: l.google.com
+ dns.authorities[6].rrtype: NS
+ dns.authorities[6].ttl: 77923
+ dns.flags: '8180'
+ dns.grouped.AAAA[0]: 2001:4860:0000:2001:0000:0000:0000:0068
+ dns.grouped.CNAME[0]: ipv6.l.google.com
+ dns.id: 16995
+ dns.qr: true
+ dns.ra: true
+ dns.rcode: NOERROR
+ dns.rd: true
+ dns.queries[0].rrname: ipv6.google.com
+ dns.queries[0].rrtype: AAAA
+ dns.type: response
+ dns.version: 3
+ event_type: dns
+ pcap_cnt: 22
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
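Review bot: `dns.answers[1].rdata` and `dns.grouped.AAAA[0]` carry the IPv6 literal `2001:4860:0000:2001:0000:0000:0000:0068` as a plain scalar, while the digit-only `dns.flags` value on the same check is quoted as `'8180'`. A plain scalar made of digits and colons is the YAML 1.1 sexagesimal number form; this address escapes it only because its groups are wider than two digits, so an address whose groups happened to be short would be read as a number and the match would fail for a reason unrelated to the logger. Quoting it, `dns.answers[1].rdata: '2001:4860:0000:2001:0000:0000:0000:0068'` (and likewise for the grouped entry), makes the string intent explicit and consistent with `dns.flags`. Separately, the v8 request check in the previous hunk asserts `dns.tx_id` but this response check does not; if the v3 response record exposes it, pinning it here keeps the pair symmetric.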
@@ -79,6 +160,25 @@ checks:
 src_ip: 192.168.2.16
 src_port: 1920
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.id: 19995
+ dns.queries[0].rrname: ipv6.google.com
+ dns.queries[0].rrtype: A
+ dns.tx_id: 2
+ dns.type: request
+ event_type: dns
+ pcap_cnt: 23
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
@@ -116,6 +216,45 @@ checks:
 src_ip: 192.168.2.16
 src_port: 1578
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.answers[0].rdata: ipv6.l.google.com
+ dns.answers[0].rrname: ipv6.google.com
+ dns.answers[0].rrtype: CNAME
+ dns.answers[0].ttl: 8655
+ dns.authorities[0].rrname: l.google.com
+ dns.authorities[0].rrtype: SOA
+ dns.authorities[0].soa.expire: 1800
+ dns.authorities[0].soa.minimum: 60
+ dns.authorities[0].soa.mname: c.l.google.com
+ dns.authorities[0].soa.refresh: 900
+ dns.authorities[0].soa.retry: 900
+ dns.authorities[0].soa.rname: dns-admin.google.com
+ dns.authorities[0].soa.serial: 1345503
+ dns.authorities[0].ttl: 60
+ dns.flags: '8180'
+ dns.grouped.CNAME[0]: ipv6.l.google.com
+ dns.id: 19995
+ dns.qr: true
+ dns.ra: true
+ dns.rcode: NOERROR
+ dns.rd: true
+ dns.queries[0].rrname: ipv6.google.com
+ dns.queries[0].rrtype: A
+ dns.type: response
+ dns.version: 3
+ event_type: dns
+ pcap_cnt: 24
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
@@ -151,6 +290,25 @@ checks:
 src_ip: 192.168.2.16
 src_port: 1920
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.id: 38477
+ dns.queries[0].rrname: www.wireshark.org
+ dns.queries[0].rrtype: AAAA
+ dns.tx_id: 4
+ dns.type: request
+ event_type: dns
+ pcap_cnt: 58
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
@@ -166,6 +324,31 @@ checks:
 src_ip: 192.168.2.16
 src_port: 1920
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.aa: true
+ dns.flags: '8580'
+ dns.id: 38477
+ dns.qr: true
+ dns.ra: true
+ dns.rcode: NOERROR
+ dns.rd: true
+ dns.queries[0].rrname: www.wireshark.org
+ dns.queries[0].rrtype: AAAA
+ dns.type: response
+ dns.version: 3
+ event_type: dns
+ pcap_cnt: 59
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
@@ -206,6 +389,25 @@ checks:
 src_port: 1578
 tx_id: 0
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.id: 26746
+ dns.queries[0].rrname: www.wireshark.org.gateway.2wire.net
+ dns.queries[0].rrtype: AAAA
+ dns.tx_id: 6
+ dns.type: request
+ event_type: dns
+ pcap_cnt: 60
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
@@ -221,6 +423,30 @@ checks:
 src_ip: 192.168.2.16
 src_port: 1920
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.aa: true
+ dns.flags: '8505'
+ dns.id: 26746
+ dns.qr: true
+ dns.rcode: REFUSED
+ dns.rd: true
+ dns.queries[0].rrname: www.wireshark.org.gateway.2wire.net
+ dns.queries[0].rrtype: AAAA
+ dns.type: response
+ dns.version: 3
+ event_type: dns
+ pcap_cnt: 61
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
@@ -241,6 +467,25 @@ checks:
 src_ip: 192.168.2.16
 src_port: 1920
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.id: 34278
+ dns.queries[0].rrname: www.wireshark.org
+ dns.queries[0].rrtype: A
+ dns.tx_id: 8
+ dns.type: request
+ event_type: dns
+ pcap_cnt: 62
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
@@ -256,6 +501,36 @@ checks:
 src_ip: 192.168.2.16
 src_port: 1920
 - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ dest_ip: 192.168.2.1
+ dest_port: 53
+ dns.aa: true
+ dns.answers[0].rdata: 67.228.110.120
+ dns.answers[0].rrname: www.wireshark.org
+ dns.answers[0].rrtype: A
+ dns.answers[0].ttl: 14400
+ dns.flags: '8580'
+ dns.grouped.A[0]: 67.228.110.120
+ dns.id: 34278
+ dns.qr: true
+ dns.ra: true
+ dns.rcode: NOERROR
+ dns.rd: true
+ dns.queries[0].rrname: www.wireshark.org
+ dns.queries[0].rrtype: A
+ dns.type: response
+ dns.version: 3
+ event_type: dns
+ pcap_cnt: 63
+ proto: UDP
+ src_ip: 192.168.2.16
+ src_port: 1920
+- filter:
+ requires:
+ lt-version: 8
 count: 1
 match:
 dest_ip: 192.168.2.1
-- 2.47.2