From 759fd771432f7b5046c452118e74b4d5a495a917 Mon Sep 17 00:00:00 2001
From: Hadiqa Alamdar Bukhari
Date: Fri, 2 Feb 2024 18:38:49 +0500
Subject: [PATCH] test: add test for dns.rrtype
Feature #6666
---
 tests/dns/dns-rrtype/README.md | 5 ++++
 tests/dns/dns-rrtype/test.rules | 8 +++++++
 tests/dns/dns-rrtype/test.yaml | 42 +++++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 tests/dns/dns-rrtype/README.md
 create mode 100644 tests/dns/dns-rrtype/test.rules
 create mode 100644 tests/dns/dns-rrtype/test.yaml
diff --git a/tests/dns/dns-rrtype/README.md b/tests/dns/dns-rrtype/README.md
new file mode 100644
index 000000000..24b8c574f
--- /dev/null
+++ b/tests/dns/dns-rrtype/README.md
@@ -0,0 +1,5 @@
+Test the `dns.rrtype` value.
+
+The PCAP here was reused from ./tests/dns/dns-eve-empty-format/input.pcap
+
+Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6666
\ No newline at end of file
diff --git a/tests/dns/dns-rrtype/test.rules b/tests/dns/dns-rrtype/test.rules
new file mode 100644
index 000000000..a40941b31
--- /dev/null
+++ b/tests/dns/dns-rrtype/test.rules
@@ -0,0 +1,8 @@
+# Only alert on requests.
+alert dns any any -> any any (dns.rrtype:1; flow:to_server; sid:1; rev:1;)
+
+# Only alert on responses.
+alert dns any any -> any any (dns.rrtype:1; flow:to_client; sid:2; rev:1;)
+
+# Negated rrtype value
+alert dns any any -> any any (dns.rrtype:!2; flow:to_client; sid:3; rev:1;)
\ No newline at end of file
diff --git a/tests/dns/dns-rrtype/test.yaml b/tests/dns/dns-rrtype/test.yaml
new file mode 100644
index 000000000..ca8b156f0
--- /dev/null
+++ b/tests/dns/dns-rrtype/test.yaml
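Review bot: The negated rule `dns.rrtype:!2` (sid 3) is only ever checked against a response whose record is rrtype A, the same event that already satisfies sid 2, so the test still passes if negation were ignored and `!2` behaved as an unconditional match; nothing verifies that a record of rrtype 2 is rejected. A positive counterpart such as `alert dns any any -> any any (dns.rrtype:2; flow:to_client; sid:4; rev:1;)` paired with a `count: 0` check in test.yaml (the next hunk) would pin the semantics, assuming the reused pcap carries no NS records, which the README does not state. The comment `# Only alert on responses.` above sid 2 could also say that the value is matched against answer records, since the yaml check for it reads `dns.answer.rrtype` while sid 1 is checked via `dns.query[0].rrtype`. Both README.md and test.rules are added without a trailing newline.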
@@ -0,0 +1,42 @@
+requires:
+ min-version: 8
+
+pcap: ../dns-eve-empty-format/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ dest_ip: 10.16.1.1
+ dest_port: 53
+ direction: to_server
+ app_proto: dns
+ event_type: alert
+ dns.query[0].rrtype: A
+ src_ip: 10.16.1.11
+ src_port: 57634
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ dest_ip: 10.16.1.11
+ dest_port: 33458
+ direction: to_client
+ app_proto: dns
+ event_type: alert
+ dns.answer.rrtype: A
+ src_ip: 10.16.1.1
+ src_port: 53
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ dest_ip: 10.16.1.11
+ dest_port: 33458
+ direction: to_client
+ app_proto: dns
+ event_type: alert
+ dns.answer.rrtype: A
+ src_ip: 10.16.1.1
+ src_port: 53
-- 
2.47.2
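Review bot: Every check pins exactly one event by signature id, addresses and ports, so alerts the three rules raise on any other flow in the reused pcap are never counted and the test still passes if `dns.rrtype` matched more broadly than intended. A closing check without address fields, such as `- filter: count: 3 match: event_type: alert` (or one `count` per `alert.signature_id` alone), would catch extra alerts. The `min-version: 8` line would read better with a comment naming what it gates, e.g. `# dns.rrtype keyword (Feature #6666)`, presumably because the keyword is new in that release. The hunk's YAML indentation is flattened in this view, so I cannot confirm from here that `count` and `match` nest under `filter` as the other dns tests do.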