dns: update 7018 tests for suricata 8
uses DNS v3 logging

Ticket: 7199

This also fixes ticket 7449
catenacyber committed Jan 2, 2025
1 parent 64e6515 commit f96dbff
Showing 2 changed files with 163 additions and 2 deletions.
117 changes: 116 additions & 1 deletion tests/dns/task-7018-dns-ips-stream-rule/test.yaml
@@ -1,11 +1,13 @@
requires:
min-version: 7
lt-version: 8

args:
- -k none
- --set detect.guess-applayer-tx=true

env:
SURICATA_EVE_DNS_VERSION: 2

pcap: ../task-7018-ids-dns-keywords/input.pcap

checks:
Expand All @@ -30,6 +32,7 @@ checks:
src_ip: 10.16.1.11
src_port: 36926
- filter:
lt-version: 8
count: 1
match:
event_type: alert
Expand All @@ -50,6 +53,28 @@ checks:
dns.query[0].rrtype: A
dns.query[0].tx_id: 0
dns.query[0].type: query
- filter:
# DNS has only v3 logging for alerts in 8
min-version: 8
count: 1
match:
event_type: alert
pcap_cnt: 4
proto: TCP
app_proto: dns
src_ip: 10.16.1.11
src_port: 36926
alert.signature: DNS suricata query - payload rule
alert.signature_id: 1
dest_ip: 9.9.9.9
dest_port: 53
direction: to_server
tx_id: 0
dns.id: 0
dns.opcode: 0
dns.queries[0].rrname: suricata.io
dns.queries[0].rrtype: A
dns.type: request
- filter:
count: 1
match:
Expand Down Expand Up @@ -77,6 +102,7 @@ checks:
dns.type: answer
dns.version: 2
- filter:
lt-version: 8
count: 1
match:
event_type: alert
Expand All @@ -102,6 +128,28 @@ checks:
dns.answer.rrtype: A
dns.answer.type: answer
dns.answer.version: 2
- filter:
min-version: 8
count: 1
match:
event_type: alert
pcap_cnt: 6
proto: TCP
src_ip: 9.9.9.9
src_port: 53
alert.signature: DNS suricata query - payload rule
alert.signature_id: 1
app_proto: dns
dest_ip: 10.16.1.11
dest_port: 36926
direction: to_client
tx_id: 1
dns.opcode: 0
dns.rcode: NOERROR
dns.answers[0].rrname: suricata.io
dns.answers[0].rrtype: A
dns.type: response
dns.version: 3
- filter:
count: 1
match:
Expand All @@ -119,6 +167,8 @@ checks:
src_ip: 10.16.1.11
src_port: 36926
- filter:
# This check is about an undesirable behavior cf redmine ticket #7004
lt-version: 8
count: 1
match:
event_type: alert
Expand All @@ -140,6 +190,29 @@ checks:
dns.query[0].rrtype: A
dns.query[0].tx_id: 2
- filter:
# This check is about an undesirable behavior cf redmine ticket #7004
min-version: 8
count: 1
match:
event_type: alert
pcap_cnt: 8
proto: TCP
src_ip: 10.16.1.11
src_port: 36926
alert.signature: DNS suricata query - payload rule
alert.signature_id: 1
app_proto: dns
dest_ip: 9.9.9.9
dest_port: 53
direction: to_server
tx_id: 2
dns.type: request
dns.id: 0
dns.opcode: 0
dns.queries[0].rrname: oisf.net
dns.queries[0].rrtype: A
- filter:
lt-version: 8
count: 1
match:
event_type: alert
Expand All @@ -164,6 +237,27 @@ checks:
dns.answer.rcode: NOERROR
dns.answer.type: answer
dns.answer.version: 2
- filter:
min-version: 8
count: 1
match:
event_type: alert
pcap_cnt: 9
alert.signature: DNS suricata query - payload rule
alert.signature_id: 1
proto: TCP
src_ip: 9.9.9.9
src_port: 53
dest_ip: 10.16.1.11
dest_port: 36926
app_proto: dns
direction: to_client
dns.answers[0].rrname: oisf.net
dns.answers[0].rrtype: A
dns.opcode: 0
dns.rcode: NOERROR
dns.type: response
dns.version: 3
- filter:
count: 1
match:
Expand Down Expand Up @@ -196,6 +290,7 @@ checks:
dns.type: answer
dns.version: 2
- filter:
lt-version: 8
count: 1
match:
event_type: alert
Expand All @@ -215,6 +310,26 @@ checks:
dns.query[0].rrtype: A
dns.query[0].tx_id: 4
dns.query[0].type: query
- filter:
min-version: 8
count: 1
match:
event_type: alert
alert.signature: DNS suricata query - payload rule
alert.signature_id: 1
dest_ip: 9.9.9.9
dest_port: 53
proto: TCP
src_ip: 10.16.1.11
src_port: 36926
direction: to_server
pcap_cnt: 10
tx_id: 4
dns.id: 0
dns.opcode: 0
dns.queries[0].rrname: suricata.org
dns.queries[0].rrtype: A
dns.type: request
- filter:
count: 1
match:
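Review bot: The Suricata 8 request-side checks (the `min-version: 8` filters starting at the `pcap_cnt: 4`, `pcap_cnt: 8` and `pcap_cnt: 10` matches) never pin `dns.version: 3`, while the response-side ones for `pcap_cnt: 6` and `pcap_cnt: 9` do; if the v3 alert metadata carries `dns.version` on requests as it does on responses, adding `dns.version: 3` to each request match makes the three checks equally strict and keeps a format regression from passing on the `dns.queries[0]` keys alone. The request matches also assert `dns.id: 0` while the response matches do not, which looks accidental rather than deliberate and is worth either aligning or commenting. The new top-level `env:` entry in the first hunk would read better with the rationale the later filter gives, e.g. `# keep dns event logging at v2 for the shared checks; alerts in 8 only embed v3 (see the min-version: 8 filters)` placed above `SURICATA_EVE_DNS_VERSION: 2`. The same missing `dns.version: 3` applies to the request check in tests/dns/task-7018-ids-dns-stream-rule/test.yaml.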
48 changes: 47 additions & 1 deletion tests/dns/task-7018-ids-dns-stream-rule/test.yaml
@@ -1,10 +1,12 @@
requires:
min-version: 7
lt-version: 8
args:
- -k none
- --set detect.guess-applayer-tx=true

env:
SURICATA_EVE_DNS_VERSION: 2

pcap: ../task-7018-ids-dns-keywords/input.pcap
checks:
- filter:
Expand All @@ -24,6 +26,7 @@ checks:
src_ip: 10.16.1.11
src_port: 36926
- filter:
lt-version: 8
count: 1
match:
event_type: alert
Expand All @@ -44,6 +47,26 @@ checks:
dns.query[0].rrtype: A
dns.query[0].tx_id: 0
dns.query[0].type: query
- filter:
min-version: 8
count: 1
match:
event_type: alert
pcap_cnt: 7
proto: TCP
app_proto: dns
src_ip: 10.16.1.11
src_port: 36926
alert.signature: DNS suricata query - payload rule
alert.signature_id: 1
dest_ip: 9.9.9.9
dest_port: 53
direction: to_server
tx_id: 0
dns.opcode: 0
dns.queries[0].rrname: suricata.io
dns.queries[0].rrtype: A
dns.type: request
- filter:
count: 1
match:
Expand Down Expand Up @@ -71,6 +94,7 @@ checks:
src_ip: 10.16.1.11
src_port: 36926
- filter:
lt-version: 8
count: 1
match:
event_type: alert
Expand All @@ -96,6 +120,28 @@ checks:
dns.answer.rrtype: A
dns.answer.type: answer
dns.answer.version: 2
- filter:
min-version: 8
count: 1
match:
event_type: alert
pcap_cnt: 9
proto: TCP
app_proto: dns
src_ip: 9.9.9.9
src_port: 53
alert.signature: DNS suricata query - payload rule
alert.signature_id: 1
dest_ip: 10.16.1.11
dest_port: 36926
direction: to_client
tx_id: 1
dns.opcode: 0
dns.rcode: NOERROR
dns.answers[0].rrname: suricata.io
dns.answers[0].rrtype: A
dns.type: response
dns.version: 3
- filter:
count: 1
match:
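Review bot: The new `min-version: 8` request check for `pcap_cnt: 7` omits `dns.id: 0`, whereas the otherwise parallel request checks added to tests/dns/task-7018-dns-ips-stream-rule/test.yaml in this same commit assert it; since both files replay the same input.pcap with the same rule, the two matches should presumably list the same keys so a change in one mode is not masked in the other. Either add `dns.id: 0` here or drop it from the sibling file, whichever reflects what v3 alert metadata actually logs. This file also lacks the explanatory comment the sibling file carries on its first Suricata 8 filter; repeating `# DNS has only v3 logging for alerts in 8` above the first `min-version: 8` line here would tell a reader why `SURICATA_EVE_DNS_VERSION: 2` in `env:` coexists with `dns.version: 3` in the alert matches.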
