From ad257b4d6953abeda4f74471113b8dd8c0aa867c Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 15 Mar 2021 14:50:50 -0600
Subject: [PATCH] dns-udp-nxdomain-soa: v1 and v2 dns eve tests
---
tests/dns-udp-nxdomain-soa-v1/README.md | 2 ++
.../dns-udp-nxdomain-soa.pcap | Bin 0 -> 315 bytes
tests/dns-udp-nxdomain-soa-v1/suricata.yaml | 11 +++++++++++
tests/dns-udp-nxdomain-soa-v1/test.yaml | 12 ++++++++++++
tests/dns-udp-nxdomain-soa/suricata.yaml | 1 -
tests/dns-udp-nxdomain-soa/test.yaml | 2 +-
6 files changed, 26 insertions(+), 2 deletions(-)
create mode 100644 tests/dns-udp-nxdomain-soa-v1/README.md
create mode 100644 tests/dns-udp-nxdomain-soa-v1/dns-udp-nxdomain-soa.pcap
create mode 100644 tests/dns-udp-nxdomain-soa-v1/suricata.yaml
create mode 100644 tests/dns-udp-nxdomain-soa-v1/test.yaml
diff --git a/tests/dns-udp-nxdomain-soa-v1/README.md b/tests/dns-udp-nxdomain-soa-v1/README.md
new file mode 100644
index 000000000..1dd7a6d95
--- /dev/null
+++ b/tests/dns-udp-nxdomain-soa-v1/README.md
@@ -0,0 +1,2 @@
+Verify the eve output for a DNS request resulting in an NXDOMAIN error
+and an SOA record.
diff --git a/tests/dns-udp-nxdomain-soa-v1/dns-udp-nxdomain-soa.pcap b/tests/dns-udp-nxdomain-soa-v1/dns-udp-nxdomain-soa.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..eb47badda678a57946f7b1e0ff4d3b66ee7ed630
GIT binary patch literal 315 zc-p&ic+)~A1{MYcU}0bcl5Y9k5nmfQ8RCI#5M~e+=VkkT<8;^Cg>D=St_%!;iTMl+ z4uVYVTmp>T92_hxFFYAc8EkiLZ<@-e05*bwfsr{SFO?-fvp9`8FSP{72Z?J6KQuP;+O;%$U2QnTntNq5+Dq*2x2MNx@k8%85k@DCoBh91+tRC6lh^n)~Tkc zjm==|7_nJ*K!AY_B+J~);L4U)tZQg!z?oQHoC0DRGbiWgG6+Js8TrK}xrxOksYPsw gxrtTzc?Yb)hBC+~0JXO;2$cePfek?SGeH9i08nN{o&W#< literal 0 Hc-jL100001
diff --git a/tests/dns-udp-nxdomain-soa-v1/suricata.yaml b/tests/dns-udp-nxdomain-soa-v1/suricata.yaml
new file mode 100644
index 000000000..ea4c8d626
--- /dev/null
+++ b/tests/dns-udp-nxdomain-soa-v1/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
+ version: 1
+
diff --git a/tests/dns-udp-nxdomain-soa-v1/test.yaml b/tests/dns-udp-nxdomain-soa-v1/test.yaml
new file mode 100644
index 000000000..8e8bee430
--- /dev/null
+++ b/tests/dns-udp-nxdomain-soa-v1/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ lt-version: 7
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.rcode: NXDOMAIN
+
diff --git a/tests/dns-udp-nxdomain-soa/suricata.yaml b/tests/dns-udp-nxdomain-soa/suricata.yaml
index ea4c8d626..d65eee5d1 100644
--- a/tests/dns-udp-nxdomain-soa/suricata.yaml
+++ b/tests/dns-udp-nxdomain-soa/suricata.yaml
@@ -7,5 +7,4 @@ outputs:
 filename: eve.json
 types:
 - dns:
- version: 1
 
diff --git a/tests/dns-udp-nxdomain-soa/test.yaml b/tests/dns-udp-nxdomain-soa/test.yaml
index fd8ea68f0..c5c46a86e 100644
--- a/tests/dns-udp-nxdomain-soa/test.yaml
+++ b/tests/dns-udp-nxdomain-soa/test.yaml
@@ -4,7 +4,7 @@ requires:
 
 checks:
 - filter:
- count: 2
+ count: 1
 match:
 event_type: dns
 dns.rcode: NXDOMAIN
--
2.47.2
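Review bot: The check added in tests/dns-udp-nxdomain-soa-v1/test.yaml never asserts the SOA record that the README says this test verifies; it only counts events carrying `dns.rcode: NXDOMAIN`. A regression that drops or mis-decodes the authority record while still logging the rcode would therefore pass, which matters because NXDOMAIN/SOA logging feeds negative-caching and DGA-style detections. Consider a second filter that pins the record type, for example `dns.rrtype: SOA` with its own `count`, assuming the v1 answer events expose that field for authority records. The same gap applies to the `count: 1` check in tests/dns-udp-nxdomain-soa/test.yaml, where the v2 record would presumably be matched through a nested key such as `dns.authorities[0].rrtype: SOA`.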
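Review bot: `count: 1` in tests/dns-udp-nxdomain-soa/test.yaml now depends on whichever DNS eve format the Suricata build under test uses by default, because the accompanying suricata.yaml hunk removes `version: 1` without setting a replacement. Pinning the format explicitly with `version: 2` under `- dns:` would keep the expected event count independent of the default and make the v1/v2 pairing of the two test directories obvious. The `requires:` block starts outside this hunk, so a `min-version` guard may already exist; if it does not, adding one is the alternative. A short comment in test.yaml such as `# v2 format: one event per DNS response, including authorities` would also explain why the count differs from the v1 test.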