From 5d9c7b99fbaea559f18ec70fb5e8d496c8009648 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 15 Nov 2023 11:21:24 -0600
Subject: [PATCH] test: new test for dns.query.name

---
 tests/dns/dns-query-name/README.md | 1 +
 tests/dns/dns-query-name/test.rules | 8 ++++++++
 tests/dns/dns-query-name/test.yaml | 28 ++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 tests/dns/dns-query-name/README.md
 create mode 100644 tests/dns/dns-query-name/test.rules
 create mode 100644 tests/dns/dns-query-name/test.yaml

diff --git a/tests/dns/dns-query-name/README.md b/tests/dns/dns-query-name/README.md
new file mode 100644
index 000000000..59e9c46be
--- /dev/null
+++ b/tests/dns/dns-query-name/README.md
@@ -0,0 +1 @@
+Test the `dns.query.name` sticky buffer.
diff --git a/tests/dns/dns-query-name/test.rules b/tests/dns/dns-query-name/test.rules
new file mode 100644
index 000000000..3657ec7ee
--- /dev/null
+++ b/tests/dns/dns-query-name/test.rules
@@ -0,0 +1,8 @@
+# Will alert in both directions as no direction is specified.
+alert dns any any -> any any (dns.query.name; content:"suricata"; sid:1; rev:1;)
+
+# Only alert on requests.
+alert dns any any -> any any (dns.query.name; content:"suricata"; flow:to_server; sid:2; rev:1;)
+
+# Only alert on responses.
+alert dns any any -> any any (dns.query.name; content:"suricata"; flow:to_client; sid:3; rev:1;)
diff --git a/tests/dns/dns-query-name/test.yaml b/tests/dns/dns-query-name/test.yaml
new file mode 100644
index 000000000..5b8f9e4e3
--- /dev/null
+++ b/tests/dns/dns-query-name/test.yaml
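Review bot: The comment on sid 1 records only that it alerts in both directions, not why that is the expected outcome; the test.yaml in this patch expects one alert on the request and one on the response, which only holds if the dns.query.name buffer is presumably populated from the response's question section as well. Suggest `# No flow direction given, so the query name is matched in both the request and the response (two alerts per transaction).` in place of the current line. Sids 2 and 3 differ from sid 1 only in the flow keyword, which is appropriate for a direction test, but all three depend on the substring "suricata" appearing in a query name of the pcap borrowed from another test, and neither this file nor the README states that expectation.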
@@ -0,0 +1,28 @@
+requires:
+ min-version: 8
+
+pcap: ../../cond-log-dns-dig/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ direction: to_client
+ app_proto: dns
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ direction: to_server
+ app_proto: dns
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ direction: to_server
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ direction: to_client
-- 
2.47.2
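Review bot: The checks for sids 2 and 3 only assert one alert in the intended direction; nothing asserts that the flow-restricted rules stay silent in the opposite direction, so a regression in which `flow:to_server` / `flow:to_client` is ignored for the dns.query.name buffer would still pass because every count-1 filter remains satisfied. Negative filters with `count: 0` for sid 2 with `direction: to_client` and sid 3 with `direction: to_server` would pin the direction handling. The two sid-1 filters also match on `app_proto: dns` while the sid-2 and sid-3 filters do not; using the same match keys in every filter would keep them consistent. The pcap is reused from `../../cond-log-dns-dig`, so this test changes silently if that test's input is ever replaced; a README sentence naming the query name the rules rely on would make that dependency visible.
```yaml
checks:
  # … unchanged: the four existing count-1 filters …
  - filter:
      count: 0
      match:
        alert.signature_id: 2
        direction: to_client
        app_proto: dns
  - filter:
      count: 0
      match:
        alert.signature_id: 3
        direction: to_server
        app_proto: dns
```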