test dns.log for unanswered requests

diff --git a/dns-udp-dns-log-unanswered/README.md b/dns-udp-dns-log-unanswered/README.md
new file mode 100644 (file)
index 0000000..8a37a51
--- /dev/null
+++ b/dns-udp-dns-log-unanswered/README.md
@@ -0,0 +1,4 @@
+Test the dns.log for unanswered queries being logged.
+
+Based on the issue:
+https://redmine.openinfosecfoundation.org/issues/2012

diff --git a/dns-udp-dns-log-unanswered/check.sh b/dns-udp-dns-log-unanswered/check.sh
new file mode 100644 (file)
index 0000000..dd031bb
--- /dev/null
+++ b/dns-udp-dns-log-unanswered/check.sh
@@ -0,0 +1,15 @@
+#! /bin/sh
+
+n=$(grep Query output/dns.log | wc -l)
+if [ "$n" -ne 4 ]; then
+    echo "expected 4 queries, found $n"
+    exit 1
+fi
+
+n=$(grep Response output/dns.log | wc -l)
+if [ "$n" -ne 4 ]; then
+    echo "expected 4 responses, found $n"
+    exit 1
+fi
+
+exit 0

diff --git a/dns-udp-dns-log-unanswered/dnslookups2.pcap b/dns-udp-dns-log-unanswered/dnslookups2.pcap
new file mode 100644 (file)
index 0000000..11fdc2f
Binary files /dev/null and b/dns-udp-dns-log-unanswered/dnslookups2.pcap differ

diff --git a/dns-udp-dns-log-unanswered/suricata.yaml b/dns-udp-dns-log-unanswered/suricata.yaml
new file mode 100644 (file)
index 0000000..a8303b3
--- /dev/null
+++ b/dns-udp-dns-log-unanswered/suricata.yaml
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+include: ../etc/suricata-3.1.2.yaml
+
+outputs:
+  - dns-log:
+      enabled: yes
+      filename: dns.log

diff --git a/dns-udp-dns-log-unanswered/vars.sh b/dns-udp-dns-log-unanswered/vars.sh
new file mode 100644 (file)
index 0000000..f0baf29
--- /dev/null
+++ b/dns-udp-dns-log-unanswered/vars.sh
@@ -0,0 +1 @@
+RUNMODE=single