From 5a7746474f4d95fd0c587c156e397a5010eefc91 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 13 Nov 2019 11:32:49 -0600
Subject: [PATCH] eve/dns: test eve/dns filtering

To confirm ticket: https://redmine.openinfosecfoundation.org/issues/3231

---
tests/dns-eve-type-filtering/suricata.yaml | 39 ++++++++++++
tests/dns-eve-type-filtering/test.pcap | Bin 0 -> 2053 bytes
tests/dns-eve-type-filtering/test.yaml | 68 +++++++++++++++++++++
3 files changed, 107 insertions(+)
create mode 100644 tests/dns-eve-type-filtering/suricata.yaml
create mode 100644 tests/dns-eve-type-filtering/test.pcap
create mode 100644 tests/dns-eve-type-filtering/test.yaml
diff --git a/tests/dns-eve-type-filtering/suricata.yaml b/tests/dns-eve-type-filtering/suricata.yaml
new file mode 100644
index 000000000..e498af61d
--- /dev/null
+++ b/tests/dns-eve-type-filtering/suricata.yaml
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+outputs:
+
+ - eve-log:
+ enabled: yes
+ filename: all.json
+ types:
+ - dns:
+ version: 2
+
+ - eve-log:
+ enabled: yes
+ filename: only-a.json
+ types:
+ - dns:
+ version: 2
+ types: [a]
+
+ - eve-log:
+ enabled: yes
+ filename: a-and-aaaa-requests-only.json
+ types:
+ - dns:
+ version: 2
+ requests: yes
+ responses: no
+ types: [a, aaaa]
+
+ - eve-log:
+ enabled: yes
+ filename: mx-responses-only.json
+ types:
+ - dns:
+ version: 2
+ requests: no
+ responses: yes
+ types: [mx]
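Review bot: The baseline `all.json` output (first eve-log instance) sets only `version: 2` and leaves `requests`, `responses` and `types` to whatever Suricata defaults to, so the `count: 14` the test depends on is pinned by defaults rather than by this config; stating `requests: yes` and `responses: yes` explicitly under that `dns:` entry would keep the baseline fixed if the defaults ever change. The three filtered instances would also read more easily with a one-line comment above each naming what it isolates, e.g. `# A and AAAA requests only; responses suppressed` above the third. Note that `yes`/`no` here are booleans only because the file pins `%YAML 1.1`; that directive should travel with the file if it is copied as a template.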
diff --git a/tests/dns-eve-type-filtering/test.pcap b/tests/dns-eve-type-filtering/test.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d53a586bc4b5a19ecfc382a3b30fe1820c164768 GIT binary patch literal 2053 zc-pO%Z%7ki9LIm#ZPU$v^F^Z0LM+0p1)I*)ie_l}LK7i_io`LO&NipJtyyMh1Y*7P zMS@h$LRyqBB#`_Ams!>{iddEqL`WH>5DN7|f_~4P#~p5-zVOD4yFJfypWpYx^V@}< z5BlYx0O3%848ODTr_Ys_$3iV$le0JXZfR-er>Pr@{$tTl3~>79SpailC|;wL#YE#V zQwJs}*0onrvUK(l05Zzw^TpC$x7}*-SoHQ9nsT}EX)-dtN6YbIK?BjQn39X{Ijmc!Gz%2fBGt_y$v5rNn@E?Dso0Sn=8#$wy_^1L9-q1@Gh80rXL*Yn?F&J~ri|Df9d1 zC$GkL5Tv1313nz^MRH-kJ_~R;vA0cdfzZmnt1|}Hg?xP^dSJn_ya<^NN$~g21$p9HHKz zJ{{QPY{tk)OsZN<5(H^IT_SoEv(Rc0d5LvvRPk68~7@~!f6vF;p=f3@imyn`+7Lb z`3lZ&=qn-2S9Va_Z|~_mNU)>Z6cWA;o5^naF)#Q+aEH1hIKQE<1kry=V2gbfV&NIL zl@gsdyg+>2Z|8k23~-&7Iw#qA;jW@~mY0M?eQkg~j19DlK%Qvsva) z)w*1@4jXGkG)>J-GcbD5k4d0WvCFbG+$yKV?qCjyX2kF_jLZem&-jXG^dg=A0YInV A{Qv*} literal 0 Hc-jL100001 diff --git a/tests/dns-eve-type-filtering/test.yaml b/tests/dns-eve-type-filtering/test.yaml new file mode 100644 index 000000000..610a49070 --- /dev/null +++ b/tests/dns-eve-type-filtering/test.yaml 
@@ -0,0 +1,68 @@
+requires:
+ min-version: 4.1
+
+checks:
+
+ - filter:
+ filename: all.json
+ count: 14
+ match:
+ event_type: "dns"
+
+ # Check that we only have requests and responses for A records.
+ - filter:
+ filename: only-a.json
+ count: 4
+ match:
+ event_type: "dns"
+ - filter:
+ filename: only-a.json
+ count: 4
+ match:
+ event_type: "dns"
+ dns.rrtype: "A"
+
+ # Check that we only have A and AAAA requests.
+ - filter:
+ filename: a-and-aaaa-requests-only.json
+ count: 4
+ match:
+ event_type: "dns"
+ - filter:
+ filename: a-and-aaaa-requests-only.json
+ count: 2
+ match:
+ event_type: "dns"
+ dns.rrtype: "A"
+ - filter:
+ filename: a-and-aaaa-requests-only.json
+ count: 2
+ match:
+ event_type: "dns"
+ dns.rrtype: "AAAA"
+ - filter:
+ filename: a-and-aaaa-requests-only.json
+ count: 4
+ match:
+ event_type: "dns"
+ dns.type: "query"
+
+ # Check that we only have 3 log entries, and that they are all MX
+ # responses.
+ - filter:
+ filename: mx-responses-only.json
+ count: 3
+ match:
+ event_type: "dns"
+ - filter:
+ filename: mx-responses-only.json
+ count: 3
+ match:
+ event_type: "dns"
+ dns.type: "answer"
+ - filter:
+ filename: mx-responses-only.json
+ count: 3
+ match:
+ event_type: "dns"
+ dns.rrtype: "MX"
--
2.47.2
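Review bot: The `only-a.json` block verifies that all 4 entries are A records but never pins that both directions are present, even though the comment above it says "requests and responses"; adding a `dns.type: "query"` and a `dns.type: "answer"` filter, as the other two outputs already do, would catch a regression where one direction stops being logged (the 2 A requests counted in `a-and-aaaa-requests-only.json` suggest a 2/2 split, to be confirmed against the pcap). Separately, `min-version: 4.1` is a plain float to a YAML 1.1 loader, so a later `4.10` would silently read as `4.1`; quoting it as `min-version: "4.1"` keeps it a version string, though whether that matters depends on how the runner compares versions.

```yaml
  # … unchanged: existing only-a.json count checks …
  - filter:
      filename: only-a.json
      count: 2
      match:
        event_type: "dns"
        dns.type: "query"
  - filter:
      filename: only-a.json
      count: 2
      match:
        event_type: "dns"
        dns.type: "answer"
```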