test: add test for dns.rcode #1563
Conversation
Feature #6621
|
This test is missing a pcap. Most of our existing DNS pcaps will have rcode values of 0 so are not that interesting. But |
You should use |
| @@ -0,0 +1,8 @@ | |||
| # Should alert in both directions as no flow is provided. | |||
| alert dns any any -> any any (dns.rcode; content:"oisf"; sid:1; rev:1;) | |||
There was a problem hiding this comment.
should it not be something like dns.rcode:12 ?
There was a problem hiding this comment.
Since it's an integer keyword ;)
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.signature_id: 3 |
There was a problem hiding this comment.
You can have only one filter per signature id, right ?
On the other hand, maybe we could have two tests, and use one of the pcaps with |
|
|
||
| The PCAP here was a request created with Scapy to include answers in | ||
| the request. However the response is from a real DNS server with the | ||
| provided request. |
There was a problem hiding this comment.
Please add a reference to the redmine ticket :)
If you do re-use a pcap from a different test, you can indicate that here, too.
| @@ -0,0 +1,8 @@ | |||
| # Should alert in both directions as no flow is provided. | |||
| alert dns any any -> any any (dns.rcode; content:"oisf"; sid:1; rev:1;) | |||
There was a problem hiding this comment.
Since it's an integer keyword ;)
| alert.signature_id: 1 | ||
| app_proto: dns |
There was a problem hiding this comment.
it's important to add a check for the rcode field on the checks, too :)
|
New PR: #1567 |
Feature #6621
Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6621
Suricata PR: OISF/suricata#10087
Output from stdout file: