From 797cb6c05964de6ecc873b7a44ba24d74c46674c Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 14 May 2025 16:35:04 -0600
Subject: [PATCH] tests: add mdns test

Ticket: #3952
---
tests/mdns/test.rules | 3 +++
tests/mdns/test.yaml | 41 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 tests/mdns/test.rules
create mode 100644 tests/mdns/test.yaml

diff --git a/tests/mdns/test.rules b/tests/mdns/test.rules
new file mode 100644
index 000000000..44f36faa0
--- /dev/null
+++ b/tests/mdns/test.rules
@@ -0,0 +1,3 @@
+alert mdns any any -> any any (mdns.queries.rrname; content: "_apple"; sid:1;)
+alert mdns any any -> any any (mdns.answers.rrname; content: "Mac"; sid:2;)
+alert mdns any any -> any any (mdns.response.rrname; content: "John’s iMac._companion-link._tcp.local"; sid:3;)
diff --git a/tests/mdns/test.yaml b/tests/mdns/test.yaml
new file mode 100644
index 000000000..3fcd63d5b
--- /dev/null
+++ b/tests/mdns/test.yaml
@@ -0,0 +1,41 @@
+requires:
+ min-version: 8.0.0
+
+pcap: ../ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 6
+ event_type: mdns
+ mdns.type: response
+ mdns.answers[0].rrname: "John’s iMac._device-info._tcp.local"
+ mdns.answers[0].txt: ["model=iMac17,1", "osxvers=17"]
+ mdns.answers[1].rrname: "_companion-link._tcp.local"
+ mdns.answers[1].ptr: "John’s iMac._companion-link._tcp.local"
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 11
+ event_type: mdns
+ mdns.type: request
+ mdns.queries[0].rrname: "_apple-mobdev._tcp.local"
+ mdns.queries[0].rrtype: "ptr"
+ mdns.queries[1].rrname: "92e80812._sub._apple-mobdev2._tcp.local"
+ mdns.queries[1].rrtype: "ptr"
+ mdns.queries[2].rrname: "_apple-pairable._tcp.local"
+ mdns.queries[2].rrtype: "ptr"
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+
--
2.47.2
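Review bot: The sid:3 rule in tests/mdns/test.rules places a raw U+2019 apostrophe inside `content`, so the match depends on the rules file staying UTF-8 encoded and on no editor or tool normalising the character to an ASCII `'`. Writing the bytes explicitly keeps the test stable and shows which bytes are matched, presumably the UTF-8 sequence seen on the wire: `content: "John|E2 80 99|s iMac._companion-link._tcp.local";`. Because the three rules carry no `msg`, a one-line `#` comment above each naming the sticky buffer it exercises (`mdns.queries.rrname`, `mdns.answers.rrname`, `mdns.response.rrname`) would also make a failing sid easier to trace.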
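Review bot: The `pcap:` line in tests/mdns/test.yaml points into another test's directory with no explanation, so this test breaks silently if that capture is renamed or replaced, and a reader cannot tell why a fragment-evasion capture serves as the mDNS fixture. A comment above it would cover this, for example `# Reuses the frag-9 capture from the ipv6-evasion tests; the mDNS records checked below are at pcap_cnt 6 and 11.` The three alert filters match on `alert.signature_id` alone, while the two mdns checks pin `event_type`; adding `event_type: alert` to each alert `match` would keep the checks parallel and tie each count to alert records only.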