--- /dev/null
+# Description
+
+Test DNS over HTTP2 respects 65K UDP limit
+https://redmine.openinfosecfoundation.org/issues/7464
+
+# PCAP
+
+Crafted with:
+- a simple golang HTTP2 server always returning 415 http.StatusUnsupportedMediaType
+- client `curl -H "content-type: application/dns-message" --http2-prior-knowledge 127.0.0.1:8080/dns -d @badns` with badns being a file over 65Kbytes
+
+(I do not know why golang server sends many RST_STREAM at packet 45)
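Review bot: the PCAP section describes badns only as "a file over 65Kbytes", without its exact size or how it was generated, so the capture cannot be reproduced or checked against the limit named in the description. Suggest stating the byte count of badns and the command used to create it, and noting that only the request direction is exercised, since the server always answers 415.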
--- /dev/null
+alert http2 any any -> any any (msg:"SURICATA HTTP2 dns request too long"; flow:established,to_server; app-layer-event:http2.dns_request_too_long; classtype:protocol-command-decode; sid:2290016; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 dns response too long"; flow:established,to_client; app-layer-event:http2.dns_response_too_long; classtype:protocol-command-decode; sid:2290017; rev:1;)
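Review bot: the to_client rule, sid:2290017 on http2.dns_response_too_long, has nothing to match in this capture, because the README says the server only ever returns 415 and the test checks only sid 2290016. Either drop that rule from this test's rules file, or add a second capture with an oversized response so that both events are covered.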
--- /dev/null
+requires:
+ min-version: 8.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2290016
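Review bot: the second filter matches on alert.signature_id alone, so the test passes wherever in the capture the alert is raised. Suggest also matching pcap_cnt in that filter, so the alert is pinned to the packet where the request crosses the limit and a later change that raises the event earlier or later in the stream is caught.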