From 70d0f4c93fadb18d0307efaa602e1c966c29bf37 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 14 Feb 2022 08:49:16 -0600
Subject: [PATCH] dns: test DNS frames

---
tests/dns/dns-frames/input.pcap | Bin 0 -> 1196 bytes
tests/dns/dns-frames/test.rules | 8 ++++++++
tests/dns/dns-frames/test.yaml | 15 +++++++++++++++
3 files changed, 23 insertions(+)
create mode 100644 tests/dns/dns-frames/input.pcap
create mode 100644 tests/dns/dns-frames/test.rules
create mode 100644 tests/dns/dns-frames/test.yaml

diff --git a/tests/dns/dns-frames/input.pcap b/tests/dns/dns-frames/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..21a29964bdb8c02361c3014c2235ec6fb6c8c30b
GIT binary patch
literal 1196
zc-o!POK1~87zglgCTn&Yqizb-28$?O6!B0=#6u3Dk3^(M1)o#{jr5Qn6yLR!Hd3hI
z$xBidv?+Kf25ZyCi_qfZBp$@jKo6n0c<4)1YI5*Wzi(DIxE(_2!Y;`U{PzF-XJ$W4
zj&jhTa%sTu`T7lyCVWmffxqca9UW
zGKo)7>_M$ZC3cqsk5d?f*sawal=+vSM5iH*Q^zUGBWu$zxaXFTFl!nA_k6
z7l{6^pVQMXMusUz$06OCY+Yx*Vp?`KZtH9UvxIOmsL7Z)FvAdKA#ot1Lmz5=D)CD3
zy%aAg#d-#3RxELhL^#$mb1!ZVp_uHg+g#%3LEHaj>@iNt|DHI?(mbhG*|##2EkClg
z9Kt+Hv~QxpYI%_IkeJR^6}c3Lm7)j5-Rs43jiTBPZGA1F8b%SscdM_Dq>_02
zh^Urvr_4BL%NRy=nWom~tc=e|ohGq;8$?ixsKoa4Srk3lhJRu*34RDTGP%OW&*ZfQ
o?_ziU!W4Zi(Xkz(xDZt}ayq;R8}ZB=l}7M;L3d-Wu(@;c2cDooX8-^I

literal 0
Hc-jL100001

diff --git a/tests/dns/dns-frames/test.rules b/tests/dns/dns-frames/test.rules
new file mode 100644
index 000000000..6303c1d04
--- /dev/null
+++ b/tests/dns/dns-frames/test.rules
@@ -0,0 +1,8 @@
+# These 2 rules are trying to verify that the TCP and UDP PDU
+# frame are showing the same data for similar requests.
+alert tcp any any -> any any (msg:"DNS UDP Frame"; flow:to_server; \
+frame:dns.pdu; content:"|01 20 00 01|"; offset:2; \
+content:"suricata"; offset:13; sid:1; rev:1;)
+alert udp any any -> any any (msg:"DNS UDP Frame"; flow:to_server; \
+frame:dns.pdu; content:"|01 20 00 01|"; offset:2; \
+content:"suricata"; offset:13; sid:2; rev:1;)
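Review bot: The `alert tcp` rule (sid:1) carries `msg:"DNS UDP Frame"`, the same message as the UDP rule, so a sid 1 hit in the EVE log reads as a UDP match; it should be `msg:"DNS TCP Frame"`. The header comment would also be more useful if it said what the two content matches pin down, since the offsets only make sense relative to the start of the DNS header that `frame:dns.pdu` selects: `|01 20 00 01|` at offset 2 covers the flags word (0x0120, RD and AD set) followed by QDCOUNT=1, and `"suricata"` at offset 13 is the first label of the question name (12-byte header plus the 1-byte label length). Spelling that out makes clear that what the TCP rule is really checking is that the PDU frame excludes the 2-byte TCP length prefix — which, if I read the intent correctly, is the whole point of running the same offsets over both transports.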
diff --git a/tests/dns/dns-frames/test.yaml b/tests/dns/dns-frames/test.yaml
new file mode 100644
index 000000000..1ba2b64fd
--- /dev/null
+++ b/tests/dns/dns-frames/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
-- 
2.47.2
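Review bot: The two checks confirm that each sid fires exactly once but do not record which transport the alert arrived on, which is the property the test exists to compare; adding `proto: TCP` to the sid 1 filter and `proto: UDP` to the sid 2 filter would make that intent explicit in the check itself, assuming the EVE alert records carry the usual `proto` field. A short comment above `args` saying why `-k none` is required here would also help the next reader, e.g. `# disable checksum verification so the captured packets are not dropped before DNS parsing` — but only if that is actually the reason, which the hunk does not state.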