From 661733bf70c29600abbe54791f3cd0976d87056f Mon Sep 17 00:00:00 2001 
From: Philippe Antoine Date: Thu, 6 Feb 2025 13:28:01 +0100 Subject: [PATCH] dns: convert unittests for dns.query keyword Ticket: 3725 --- .../dns-query/dns-detect-query-01/README.md | 7 +++ .../dns-query/dns-detect-query-01/input.pcap | Bin 0 -> 110 bytes .../dns-query/dns-detect-query-01/test.rules | 1 + .../dns-query/dns-detect-query-01/test.yaml | 12 ++++++ .../dns-query/dns-detect-query-02/README.md | 8 ++++ .../dns-query/dns-detect-query-02/input.pcap | Bin 0 -> 298 bytes .../dns-query/dns-detect-query-02/test.rules | 2 + .../dns-query/dns-detect-query-02/test.yaml | 29 +++++++++++++ .../dns-query/dns-detect-query-03/README.md | 7 +++ .../dns-query/dns-detect-query-03/input.pcap | Bin 0 -> 124 bytes .../dns-query/dns-detect-query-03/test.rules | 1 + .../dns-query/dns-detect-query-03/test.yaml | 12 ++++++ .../dns-query/dns-detect-query-04/README.md | 7 +++ .../dns-query/dns-detect-query-04/input.pcap | Bin 0 -> 110 bytes .../dns-query/dns-detect-query-04/test.rules | 2 + .../dns-query/dns-detect-query-04/test.yaml | 17 ++++++++ .../dns-query/dns-detect-query-05/README.md | 8 ++++ .../dns-query/dns-detect-query-05/input.pcap | Bin 0 -> 298 bytes .../dns-query/dns-detect-query-05/test.rules | 3 ++ .../dns-query/dns-detect-query-05/test.yaml | 40 ++++++++++++++++++ 20 files changed, 156 insertions(+) create mode 100644 tests/dns/dns-query/dns-detect-query-01/README.md create mode 100644 tests/dns/dns-query/dns-detect-query-01/input.pcap create mode 100644 tests/dns/dns-query/dns-detect-query-01/test.rules create mode 100644 tests/dns/dns-query/dns-detect-query-01/test.yaml create mode 100644 tests/dns/dns-query/dns-detect-query-02/README.md create mode 100644 tests/dns/dns-query/dns-detect-query-02/input.pcap create mode 100644 tests/dns/dns-query/dns-detect-query-02/test.rules create mode 100644 tests/dns/dns-query/dns-detect-query-02/test.yaml create mode 100644 tests/dns/dns-query/dns-detect-query-03/README.md create mode 100644 
tests/dns/dns-query/dns-detect-query-03/input.pcap create mode 100644 tests/dns/dns-query/dns-detect-query-03/test.rules create mode 100644 tests/dns/dns-query/dns-detect-query-03/test.yaml create mode 100644 tests/dns/dns-query/dns-detect-query-04/README.md create mode 100644 tests/dns/dns-query/dns-detect-query-04/input.pcap create mode 100644 tests/dns/dns-query/dns-detect-query-04/test.rules create mode 100644 tests/dns/dns-query/dns-detect-query-04/test.yaml create mode 100644 tests/dns/dns-query/dns-detect-query-05/README.md create mode 100644 tests/dns/dns-query/dns-detect-query-05/input.pcap create mode 100644 tests/dns/dns-query/dns-detect-query-05/test.rules create mode 100644 tests/dns/dns-query/dns-detect-query-05/test.yaml diff --git a/tests/dns/dns-query/dns-detect-query-01/README.md b/tests/dns/dns-query/dns-detect-query-01/README.md new file mode 100644 index 000000000..0de3161f3 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-01/README.md @@ -0,0 +1,7 @@ +# Description + +Translation of unit test DetectDnsQueryTest01 + +Positive test of keyword `dns.query` with its alias `dns_query` on a simple DNS/UDP request/query + +test simple google.com query matching diff --git a/tests/dns/dns-query/dns-detect-query-01/input.pcap b/tests/dns/dns-query/dns-detect-query-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ee11d805cb76c9177a858dcd89c13dc7a054e8bb GIT binary patch literal 110 zc-p&ic+)~A1{MYw`2U}Qfsp|L+@KgJ2!|XDt_%zoU}-@Hh65`YS%H{w;ROa$1{DSd Y0V77Z5p3!C`RO^S%*pw=KnVs$04VSd)Bpeg literal 0 Hc-jL100001 diff --git a/tests/dns/dns-query/dns-detect-query-01/test.rules b/tests/dns/dns-query/dns-detect-query-01/test.rules new file mode 100644 index 000000000..2e3f86e36 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-01/test.rules @@ -0,0 +1 @@ +alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;) 
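Review bot: The rule exercises only the legacy alias `dns_query`, while this test's README states it covers `dns.query` with its alias; nothing in test.rules uses the canonical `dns.query` sticky buffer, so a regression in that keyword name would pass unnoticed here. I would add a second rule, `alert dns any any -> any any (msg:"Test dns.query keyword"; dns.query; content:"google"; nocase; sid:2;)`, with a matching `alert.signature_id: 2` / `count: 1` check in test.yaml. The same applies to dns-detect-query-03, whose rules file is byte-identical (both index lines show blob 2e3f86e36).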
diff --git a/tests/dns/dns-query/dns-detect-query-01/test.yaml b/tests/dns/dns-query/dns-detect-query-01/test.yaml new file mode 100644 index 000000000..792c42561 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-01/test.yaml @@ -0,0 +1,12 @@ +requires: + min-version: 8.0.0 + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 diff --git a/tests/dns/dns-query/dns-detect-query-02/README.md b/tests/dns/dns-query/dns-detect-query-02/README.md new file mode 100644 index 000000000..c27dbf85c --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-02/README.md @@ -0,0 +1,8 @@ +# Description + +Translation of unit test DetectDnsQueryTest02 + +Tests of keyword `dns.query` with some DNS/UDP traffic. +Especially tests that we do not match on DNS response. + +test multi tx google.(com|net) query matching diff --git a/tests/dns/dns-query/dns-detect-query-02/input.pcap b/tests/dns/dns-query/dns-detect-query-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4696e33fc9823ad670eb19e5dda83fa35b740f7d GIT binary patch literal 298 zc-p&ic+)~A1{MYw`2U}Qfsp|L+@KgJ2!|XDt_%zoU}-@Hh65`YS%H{w;ROa$1{DSd z0V77Z5p3!C`RO^S%*pw=5EGyv42m&K^*}O}5o9uhDbQRKkg1IgFcZ*CJ-`Do!Qnjv X3nLRV3;AvrG{$s$UTO)@dIm-SwqhmK literal 0 Hc-jL100001 diff --git a/tests/dns/dns-query/dns-detect-query-02/test.rules b/tests/dns/dns-query/dns-detect-query-02/test.rules new file mode 100644 index 000000000..e936c8d17 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-02/test.rules @@ -0,0 +1,2 @@ +alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;) +alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.net"; nocase; sid:2;) diff --git a/tests/dns/dns-query/dns-detect-query-02/test.yaml b/tests/dns/dns-query/dns-detect-query-02/test.yaml new file mode 100644 index 000000000..48ad831b3 --- /dev/null 
+++ b/tests/dns/dns-query/dns-detect-query-02/test.yaml @@ -0,0 +1,29 @@ +requires: + min-version: 8.0.0 + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 1 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + pcap_cnt: 3 diff --git a/tests/dns/dns-query/dns-detect-query-03/README.md b/tests/dns/dns-query/dns-detect-query-03/README.md new file mode 100644 index 000000000..0b135bd84 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-03/README.md @@ -0,0 +1,7 @@ +# Description + +Translation of unit test DetectDnsQueryTest03 + +Positive test of keyword `dns.query` with its alias `dns_query` on a simple DNS/TCP request/query + +test simple google.com query matching (TCP) diff --git a/tests/dns/dns-query/dns-detect-query-03/input.pcap b/tests/dns/dns-query/dns-detect-query-03/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d308f766d4f9925a614e1f8c55d97cc8984db5d8 GIT binary patch literal 124 zc-p&ic+)~A1{MYw`2U}Qfsp|LLZBEZ2!|XDt_%!rU}-i6h65`YS%H{w;ROa$n63Z; e7Z)%?M!<*>ZXjEFetvpRDsysvE(3!A10w+E;}6pS literal 0 Hc-jL100001 diff --git a/tests/dns/dns-query/dns-detect-query-03/test.rules b/tests/dns/dns-query/dns-detect-query-03/test.rules new file mode 100644 index 000000000..2e3f86e36 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-03/test.rules @@ -0,0 +1 @@ +alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;) diff --git a/tests/dns/dns-query/dns-detect-query-03/test.yaml b/tests/dns/dns-query/dns-detect-query-03/test.yaml new file mode 100644 index 000000000..9c9f61d84 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-03/test.yaml 
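Review bot: The README's central claim for this test, that `dns_query` does not match on the DNS response in packet 2, is only verified indirectly through `count: 1` per sid combined with the `pcap_cnt: 1` and `pcap_cnt: 3` checks. An explicit negative check documents the intent and keeps it enforced if someone later relaxes the counts: `- filter: {count: 0, match: {event_type: alert, pcap_cnt: 2}}`. dns-detect-query-05 in this same patch would benefit from the equivalent guard restricted to sid 1 and 2, since packet 2 there legitimately raises sid 3.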
@@ -0,0 +1,12 @@ +requires: + min-version: 8.0.0 + +args: + - -k none --set stream.midstream=true --set stream.inline=true + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 diff --git a/tests/dns/dns-query/dns-detect-query-04/README.md b/tests/dns/dns-query/dns-detect-query-04/README.md new file mode 100644 index 000000000..f543eb83c --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-04/README.md @@ -0,0 +1,7 @@ +# Description + +Translation of unit test DetectDnsQueryTest04 + +Test of keyword `dns.query` with pcre usage + +test simple google.com query matching, pcre diff --git a/tests/dns/dns-query/dns-detect-query-04/input.pcap b/tests/dns/dns-query/dns-detect-query-04/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ee11d805cb76c9177a858dcd89c13dc7a054e8bb GIT binary patch literal 110 zc-p&ic+)~A1{MYw`2U}Qfsp|L+@KgJ2!|XDt_%zoU}-@Hh65`YS%H{w;ROa$1{DSd Y0V77Z5p3!C`RO^S%*pw=KnVs$04VSd)Bpeg literal 0 Hc-jL100001 diff --git a/tests/dns/dns-query/dns-detect-query-04/test.rules b/tests/dns/dns-query/dns-detect-query-04/test.rules new file mode 100644 index 000000000..a5066041d --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-04/test.rules @@ -0,0 +1,2 @@ +alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; pcre:"/google\.com$/i"; sid:1;) +alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; pcre:"/^\.[a-z]{2,3}$/iR"; sid:2;) diff --git a/tests/dns/dns-query/dns-detect-query-04/test.yaml b/tests/dns/dns-query/dns-detect-query-04/test.yaml new file mode 100644 index 000000000..34be244ac --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-04/test.yaml @@ -0,0 +1,17 @@ +requires: + min-version: 8.0.0 + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 
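Review bot: The `--set stream.midstream=true --set stream.inline=true` arguments are unexplained, and a later cleanup could drop them and silently break the test. The 124-byte pcap is presumably a single TCP segment with no handshake, which is why midstream pickup is needed, and inline mode presumably pushes the segment to the DNS parser without waiting for an ACK; confirm both against the pcap. I would add a comment above the args entry, e.g. `# single TCP segment, no handshake or ACK in the pcap: pick up the session midstream and hand data to the app layer inline`.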
diff --git a/tests/dns/dns-query/dns-detect-query-05/README.md b/tests/dns/dns-query/dns-detect-query-05/README.md new file mode 100644 index 000000000..df60c1b6b --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-05/README.md @@ -0,0 +1,8 @@ +# Description + +Translation of unit test DetectDnsQueryTest05 + +Tests of keyword `dns.query` with some DNS/UDP traffic. +Also tests app-layer event, related to bug #839. + +test multi tx google.(com|net) query matching + app layer event diff --git a/tests/dns/dns-query/dns-detect-query-05/input.pcap b/tests/dns/dns-query/dns-detect-query-05/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ba09a3c047e971fe26f82bc43225c7e74a43705f GIT binary patch literal 298 zc-p&ic+)~A1{MYw`2U}Qfsp|L+@KgJ2!|XDt_%zoU}-@Hh65`YS%H{w;ROa$1{DSd z0V77Z5p3!C`RO^S%*pw=5EGyv42m&K^*}O}5o9uhDbQRKkg1IaU?!lOdVmLFg2Q_T X7Dgs!7V_OLXpHIhywnn)^$d&v)*>bq literal 0 Hc-jL100001 diff --git a/tests/dns/dns-query/dns-detect-query-05/test.rules b/tests/dns/dns-query/dns-detect-query-05/test.rules new file mode 100644 index 000000000..8e8e713d6 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-05/test.rules @@ -0,0 +1,3 @@ +alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;) +alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.net"; nocase; sid:2;) +alert dns any any -> any any (msg:"Test Z flag event"; app-layer-event:dns.z_flag_set; sid:3;) diff --git a/tests/dns/dns-query/dns-detect-query-05/test.yaml b/tests/dns/dns-query/dns-detect-query-05/test.yaml new file mode 100644 index 000000000..f4c34bc96 --- /dev/null +++ b/tests/dns/dns-query/dns-detect-query-05/test.yaml 
@@ -0,0 +1,40 @@ +requires: + min-version: 8.0.0 + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 1 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + pcap_cnt: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + pcap_cnt: 3 \ No newline at end of file -- 2.47.2
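Review bot: test.yaml is committed without a trailing newline (`\ No newline at end of file`), unlike the other four test.yaml files in this patch; add the final newline so the file matches the rest of the series and does not generate noise in later diffs. The checks themselves line up with the README: the Z-flag app-layer event (sid 3) is pinned to packet 2 and the two query matches to packets 1 and 3.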