From 32907090340ee944ac13b0afd72e1e53d9adaba4 Mon Sep 17 00:00:00 2001
From: Hadiqa Alamdar Bukhari
Date: Thu, 21 Dec 2023 21:19:40 +0500
Subject: [PATCH] test: add test for dns.rcode
Feature #6621
---
tests/dns/dns-rcode/README.md | 5 ++++
tests/dns/dns-rcode/test.rules | 8 +++++++
tests/dns/dns-rcode/test.yaml | 43 ++++++++++++++++++++++++++++++++++
3 files changed, 56 insertions(+)
create mode 100644 tests/dns/dns-rcode/README.md
create mode 100644 tests/dns/dns-rcode/test.rules
create mode 100644 tests/dns/dns-rcode/test.yaml
diff --git a/tests/dns/dns-rcode/README.md b/tests/dns/dns-rcode/README.md
new file mode 100644
index 000000000..1f758814e
--- /dev/null
+++ b/tests/dns/dns-rcode/README.md
@@ -0,0 +1,5 @@
+Test the `dns.rcode` sticky buffer.
+
+The PCAP here was a request created with Scapy to include answers in
+the request. However the response is from a real DNS server with the
+provided request.
diff --git a/tests/dns/dns-rcode/test.rules b/tests/dns/dns-rcode/test.rules
new file mode 100644
index 000000000..659c3135b
--- /dev/null
+++ b/tests/dns/dns-rcode/test.rules
@@ -0,0 +1,8 @@
+# Should alert in both directions as no flow is provided.
+alert dns any any -> any any (dns.rcode; content:"oisf"; sid:1; rev:1;)
+
+# Should only alert in the request direction.
+alert dns any any -> any any (dns.rcode; content:"oisf"; flow:to_server; sid:2; rev:1;)
+
+# Should only alert in the response direction.
+alert dns any any -> any any (dns.rcode; content:"oisf"; flow:to_client; sid:3; rev:1;)
diff --git a/tests/dns/dns-rcode/test.yaml b/tests/dns/dns-rcode/test.yaml
new file mode 100644
index 000000000..4bc24a91e
--- /dev/null
+++ b/tests/dns/dns-rcode/test.yaml
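Review bot: The three rules pair `dns.rcode` with `content:"oisf"`, which does not exercise a response code at all — the rcode is a small numeric header field, and these lines read like the `dns.query.name`/`dns.answer.name` test template with only the buffer name swapped. If `dns.rcode` in Suricata 8 is an integer-comparison keyword rather than a sticky buffer (worth confirming against the feature it references), this rule set will either fail to load or never match, and every count expected in test.yaml becomes unreachable; a value match such as `alert dns any any -> any any (dns.rcode:0; sid:1; rev:1;)` with the same `flow:to_server`/`flow:to_client` variants for sids 2 and 3 would test the keyword as named. Separately, the diffstat lists only three text files while the README describes a PCAP, so unless the capture is added in another commit or was dropped because the patch was generated without `--binary`, the test has no input to run against.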
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 2
+ match:
+ alert.signature_id: 1
+ app_proto: dns
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ direction: to_client
+ app_proto: dns
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ direction: to_server
+ app_proto: dns
+
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ direction: to_server
+ app_proto: dns
+
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ direction: to_client
+ app_proto: dns
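Review bot: The total-count filters for sid 2 and sid 3 omit `app_proto: dns`, while the total-count filter for sid 1 and every directional filter include it, so the file constrains the three signatures differently for no stated reason; add `app_proto: dns` to both of those `match:` blocks so all counts are checked the same way. The directional assertions also rely on "total == 1 and to_server == 1" to imply zero alerts in the other direction, which holds but is easy to misread when a count is changed later; a one-line comment such as `# total equals the to_server count, so sid 2 never alerts to_client` above each pair would make the intent explicit.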