From cda6ab1d1e9a2bdd06cb76f34e889524318f144c Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Wed, 20 Dec 2017 14:26:31 -0600 Subject: [PATCH] new test for dns lua detect Tests: - dns.rrname - dns.request - dns.response --- .../dig-a-www.suricata-ids.org.pcap | Bin 0 -> 289 bytes tests/dns-lua-rules/suricata.yaml | 4 ++ tests/dns-lua-rules/test-request.lua | 52 +++++++++++++++++ tests/dns-lua-rules/test-response.lua | 54 ++++++++++++++++++ tests/dns-lua-rules/test-rrname.lua | 13 +++++ tests/dns-lua-rules/test.rules | 7 +++ tests/dns-lua-rules/test.yaml | 8 +++ 7 files changed, 138 insertions(+) create mode 100644 tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap create mode 100644 tests/dns-lua-rules/suricata.yaml create mode 100644 tests/dns-lua-rules/test-request.lua create mode 100644 tests/dns-lua-rules/test-response.lua create mode 100644 tests/dns-lua-rules/test-rrname.lua create mode 100644 tests/dns-lua-rules/test.rules create mode 100644 tests/dns-lua-rules/test.yaml diff --git a/tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap b/tests/dns-lua-rules/dig-a-www.suricata-ids.org.pcap new file mode 100644 index 0000000000000000000000000000000000000000..663a6797f0c7745903a83210be27c39049b8eaf9 GIT binary patch literal 289 zc-p&ic+)~A1{MYcU}0bcl6D=St_%#m%7P3G z4uXy;Tmp>TK+L$}Au literal 0 Hc-jL100001 diff --git a/tests/dns-lua-rules/suricata.yaml b/tests/dns-lua-rules/suricata.yaml new file mode 100644 index 000000000..51af22dfa --- /dev/null +++ b/tests/dns-lua-rules/suricata.yaml @@ -0,0 +1,4 @@ +%YAML 1.1 +--- + +include: ../../etc/suricata-4.0.3.yaml diff --git a/tests/dns-lua-rules/test-request.lua b/tests/dns-lua-rules/test-request.lua new file mode 100644 index 000000000..281bff1e6 --- /dev/null +++ b/tests/dns-lua-rules/test-request.lua 
@@ -0,0 +1,52 @@
+function init (args)
+ local needs = {}
+ needs["dns.request"] = tostring(true)
+ return needs
+end
+
+function count(t)
+ local count = 0
+ for _ in pairs(t) do
+ count = count + 1
+ end
+ return count
+end
+
+function match(args)
+ if DnsGetTxid() ~= 36146 then
+ return 0
+ end
+
+ -- The requested name.
+ local rrname = DnsGetDnsRrname()
+ if rrname ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ -- Queries
+ local queries = DnsGetQueries()
+ if queries == nil then return 0 end
+
+ -- There should only be one query.
+ if count(queries) ~= 1 then return 0 end
+
+ local query = queries[0]
+
+ if query["type"] ~= "A" then
+ return 0
+ end
+
+ if query["rrname"] ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ local answers = DnsGetAnswers()
+ if answers == nil then return 0 end
+ if count(answers) ~= 0 then return 0 end
+
+ local authorities = DnsGetAuthorities()
+ if authorities == nil then return 0 end
+ if count(authorities) ~= 0 then return 0 end
+
+ return 1
+end
diff --git a/tests/dns-lua-rules/test-response.lua b/tests/dns-lua-rules/test-response.lua
new file mode 100644
index 000000000..ebf13043a
--- /dev/null
+++ b/tests/dns-lua-rules/test-response.lua
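Review bot: `local query = queries[0]` treats the table returned by DnsGetQueries() as 0-based, and that appears to be why the hand-rolled `count()` walks it with `pairs` instead of `#t` or `ipairs`, both of which ignore a 0 key; nothing in the file says so, and a reader who "normalizes" it to `queries[1]` or `#queries` breaks the test silently. A comment above `count`, `-- DnsGetQueries()/DnsGetAnswers() return 0-based tables, so #t and ipairs() see nothing; count with pairs()`, would prevent that. Inside `count` the accumulator is named after the enclosing global function (`local count = 0`), which shadows it for the rest of the body; `local n = 0` reads better. The same helper and the first half of `match` are repeated verbatim in test-response.lua, so the comment belongs there as well.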
@@ -0,0 +1,54 @@
+function init (args)
+ local needs = {}
+ needs["dns.response"] = tostring(true)
+ return needs
+end
+
+function count(t)
+ local count = 0
+ for _ in pairs(t) do
+ count = count + 1
+ end
+ return count
+end
+
+function match(args)
+ if DnsGetTxid() ~= 36146 then
+ return 0
+ end
+
+ -- The requested name.
+ local rrname = DnsGetDnsRrname()
+ if rrname ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ -- Queries
+ local queries = DnsGetQueries()
+ if queries == nil then return 0 end
+
+ -- There should only be one query.
+ if count(queries) ~= 1 then return 0 end
+
+ local query = queries[0]
+
+ if query["type"] ~= "A" then
+ return 0
+ end
+
+ if query["rrname"] ~= "www.suricata-ids.org" then
+ return 0
+ end
+
+ local answers = DnsGetAnswers()
+ if answers == nil then return 0 end
+ if count(answers) ~= 3 then return 0 end
+
+ local authorities = DnsGetAuthorities()
+ if authorities == nil then return 0 end
+ if count(authorities) ~= 0 then return 0 end
+
+ -- TODO: Look at the answers.
+
+ return 1
+end
diff --git a/tests/dns-lua-rules/test-rrname.lua b/tests/dns-lua-rules/test-rrname.lua
new file mode 100644
index 000000000..f5b1059d7
--- /dev/null
+++ b/tests/dns-lua-rules/test-rrname.lua
@@ -0,0 +1,13 @@
+function init (args)
+ local needs = {}
+ needs["dns.rrname"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ rrname = tostring(args["dns.rrname"])
+ if rrname == "www.suricata-ids.org" then
+ return 1
+ end
+ return 0
+end
diff --git a/tests/dns-lua-rules/test.rules b/tests/dns-lua-rules/test.rules
new file mode 100644
index 000000000..7ff3f02d9
--- /dev/null
+++ b/tests/dns-lua-rules/test.rules
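Review bot: `-- TODO: Look at the answers.` leaves sid 3 asserting only that the response carries three answers, so a response for the same txid with three records of the wrong type or name still matches, and the dns.response test cannot catch a regression in answer-section parsing. At minimum check each record's fields, e.g. `for _, answer in pairs(answers) do if answer["type"] ~= "A" then return 0 end end`; the record types present depend on the pcap, which is not readable here, so adjust the expected type or rrname to what it actually contains. Apart from the `needs` key and the expected answer count this script is identical to test-request.lua, so the answer checks are what give the response test its own value.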
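Review bot: `rrname = tostring(args["dns.rrname"])` in test-rrname.lua's match() assigns a global rather than a local, while the other two scripts in this commit declare their locals and luacheck flags this. Change it to `local rrname = tostring(args["dns.rrname"])`. Each detect script runs in its own Lua state, so the stray global is not harmful here, but an accidental global is the canonical Lua mistake and these test scripts double as examples that get copied.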
@@ -0,0 +1,7 @@
+alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+ lua:test-rrname.lua; sid:1; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.request"; \
+ lua:test-request.lua; sid:2; rev:1;)
+alert dns any any -> any any (msg:"TEST DNS LUA dns.response"; \
+ lua:test-response.lua; sid:3; rev:1;)
+
\ No newline at end of file
diff --git a/tests/dns-lua-rules/test.yaml b/tests/dns-lua-rules/test.yaml
new file mode 100644
index 000000000..14a382917
--- /dev/null
+++ b/tests/dns-lua-rules/test.yaml
@@ -0,0 +1,8 @@
+requires:
+ features:
+ - HAVE_LUA
+
+checks:
+ - signature-id: 1
+ - signature-id: 2
+ - signature-id: 3
-- 2.47.2