From a9687a3aeddfae8925213ff6a843137afcb8f01c Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 24 Jan 2019 10:51:31 -0600
Subject: [PATCH] dns test: add check for dns object in alert
Extend an existing test to check that the DNS object exists on a DNS alert.
---
 .../suricata.yaml | 1 +
 .../test.rules | 1 +
 .../test.yaml | 10 ++++++++--
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml
index 0bf62d28f..5196815b3 100644
--- a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml
+++ b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/suricata.yaml
@@ -7,6 +7,7 @@ outputs:
 - eve-log:
 enabled: true
 types:
+ - alert:
 - dns:
 enabled: true
 version: 2
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules
new file mode 100644
index 000000000..6d7050afa
--- /dev/null
+++ b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (msg:"TEST dns_query"; dns_query; content:"suricata-ids.org"; sid:1; rev:1;)
diff --git a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml
index e905bdef6..da4a87854 100644
--- a/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml
+++ b/tests/dns-eve-v2-udp-dig-a-www-suricata-ids-org/test.yaml
@@ -2,8 +2,6 @@ requires:
 features:
 - HAVE_LIBJANSSON
 min-version: 4.1.0
- script:
- - grep OutputAnswerV2 src/output-json-dns.c > /dev/null 2>&1
 checks:
@@ -24,3 +22,11 @@ checks:
 dns.answers[0].rrtype: CNAME
 dns.answers[1].rrtype: A
 dns.answers[2].rrtype: A
+
+ # Check that the alert contains a DNS object.
+ - filter:
+ count: 1
+ comment: alert with dns object
+ match:
+ event_type: alert
+ dns.query[0].type: query
--
2.47.2
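Review bot: The new rule's `content:"suricata-ids.org"` is an unanchored substring match on the `dns_query` buffer, so any query whose name merely contains that string would also fire sid:1 and the `count: 1` alert check in test.yaml would then depend on the pcap never gaining a second such query. Matching the full queried name (presumably www.suricata-ids.org, going by the test directory name — confirm against the pcap) would make the rule's intent explicit, e.g. `content:"www.suricata-ids.org";`. If the `dns_query` buffer is not case-normalized on this version, adding `nocase;` keeps the match robust against mixed-case names as well.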
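Review bot: The new alert filter in test.yaml asserts only `dns.query[0].type: query`, which proves a `dns` object is attached to the alert but not that it describes the query the rule matched on; adding `dns.query[0].rrname` (presumably www.suricata-ids.org per the test directory name — verify against the pcap) would pin the embedded object's content the same way the preceding `dns` filter pins each answer's `rrtype`. The `count: 1` on `event_type: alert` also silently relies on test.rules containing exactly one rule, which the comment could state: `# Check that the alert contains a DNS object (exactly one rule, sid:1, is loaded).`. Dropping the `grep OutputAnswerV2` script guard in the earlier hunk leaves `min-version: 4.1.0` as the only gate for v2 DNS output; that is fine if every 4.1.0 build ships v2, which cannot be confirmed from the diff alone.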