
test: add test for dns.rcode v3 #1574

Closed

Conversation

hadiqaalamdar
Contributor

Feature #6621

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6621

Previous PR: #1567

Suricata PR: OISF/suricata#10126

Changes made:

  • Changed rcode:12 to rcode:3, which caused the schema.json error shown below. Changing the rcode value back to 12 got rid of this error.
  • Added a negated rule, which also caused the schema.json error regardless of the rcode value.

Output from console after running the sv test:

Finished release [optimized] target(s) in 0.16s
===> dns-rcode: Sub test #1: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 1, 'direction': 'to_client', 'app_proto': 'dns', 'dns.rcode': 3}}
===> dns-rcode: Sub test #2: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 1, 'direction': 'to_server', 'app_proto': 'dns', 'dns.rcode': 3}}
===> dns-rcode: Sub test #3: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 2, 'direction': 'to_server', 'app_proto': 'dns', 'dns.rcode': 3}}
===> dns-rcode: Sub test #4: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 3, 'direction': 'to_client', 'app_proto': 'dns', 'dns.rcode': 3}}
===> dns-rcode: Sub test #5: FAIL : expected 1 matches; got 0 for filter {'count': 1, 'match': {'alert.signature_id': 4, 'direction': 'to_client', 'app_proto': 'dns', 'dns.rcode': 3, 'dns.negate': True}}
/Users/hadiqa/suricata-verify/tests/dns/dns-rcode/output/eve.json - INVALID. Errors:
1./dns/answer Additional properties are not allowed ('authorities' was unexpected)
/Users/hadiqa/suricata-verify/tests/dns/dns-rcode/output/eve.json - INVALID. Errors:
1./dns/answer Additional properties are not allowed ('authorities' was unexpected)
===> dns-rcode: FAILED: Invalid JSON schema

PASSED:  0
FAILED:  1
SKIPPED: 0

Output after running cat output/eve.json | jq 'select(.dns) | .dns' output/eve.json:

{
  "type": "query",
  "id": 33429,
  "rrname": "dne.oisf.net",
  "rrtype": "A",
  "tx_id": 0,
  "opcode": 0
}
{
  "answer": {
    "version": 2,
    "type": "answer",
    "id": 33429,
    "flags": "8183",
    "qr": true,
    "rd": true,
    "ra": true,
    "opcode": 0,
    "rrname": "dne.oisf.net",
    "rrtype": "A",
    "rcode": "NXDOMAIN",
    "authorities": [
      {
        "rrname": "oisf.net",
        "rrtype": "SOA",
        "ttl": 899,
        "soa": {
          "mname": "ns-110.awsdns-13.com",
          "rname": "awsdns-hostmaster.amazon.com",
          "serial": 1,
          "refresh": 7200,
          "retry": 900,
          "expire": 1209600,
          "minimum": 86400
        }
      }
    ]
  }
}
{
  "answer": {
    "version": 2,
    "type": "answer",
    "id": 33429,
    "flags": "8183",
    "qr": true,
    "rd": true,
    "ra": true,
    "opcode": 0,
    "rrname": "dne.oisf.net",
    "rrtype": "A",
    "rcode": "NXDOMAIN",
    "authorities": [
      {
        "rrname": "oisf.net",
        "rrtype": "SOA",
        "ttl": 899,
        "soa": {
          "mname": "ns-110.awsdns-13.com",
          "rname": "awsdns-hostmaster.amazon.com",
          "serial": 1,
          "refresh": 7200,
          "retry": 900,
          "expire": 1209600,
          "minimum": 86400
        }
      }
    ]
  }
}
{
  "version": 2,
  "type": "answer",
  "id": 33429,
  "flags": "8183",
  "qr": true,
  "rd": true,
  "ra": true,
  "opcode": 0,
  "rrname": "dne.oisf.net",
  "rrtype": "A",
  "rcode": "NXDOMAIN",
  "authorities": [
    {
      "rrname": "oisf.net",
      "rrtype": "SOA",
      "ttl": 899,
      "soa": {
        "mname": "ns-110.awsdns-13.com",
        "rname": "awsdns-hostmaster.amazon.com",
        "serial": 1,
        "refresh": 7200,
        "retry": 900,
        "expire": 1209600,
        "minimum": 86400
      }
    }
  ]
}

Output from stdout file:

Notice: suricata: This is Suricata version 8.0.0-dev (8e0535dc2 2023-12-21) running in USER mode [LogVersion:suricata.c:1147]
Warning: threshold-config: Error opening file: "/usr/local/etc/suricata//threshold.config": Permission denied [SCThresholdConfInitContext:util-threshold-config.c:177]
Notice: threads: Threads created -> RX: 1 W: 12 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1891]
Notice: suricata: Signal Received.  Stopping engine. [SuricataMainLoop:suricata.c:2805]
Notice: pcap: read 1 file, 2 packets, 259 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:389]

@hadiqaalamdar hadiqaalamdar changed the title test: add test for dns.rcode v2 test: add test for dns.rcode v3 Jan 5, 2024
@hadiqaalamdar hadiqaalamdar marked this pull request as draft January 5, 2024 10:56
Comment on lines +1 to +2
# Should alert in both directions as no flow is provided.
alert dns any any -> any any (dns.rcode:3; sid:1; rev:1;)
Member

This should only alert in one direction, the reply, as the request has an rcode of 0.

Comment on lines +4 to +5
# Should only alert in the request direction.
alert dns any any -> any any (dns.rcode:3; flow:to_server; sid:2; rev:1;)
Member

This should not alert at all, as an rcode of 3 in the to-server direction does not exist in this pcap.

Comment on lines +7 to +8
# Should only alert in the response direction.
alert dns any any -> any any (dns.rcode:3; flow:to_client; sid:3; rev:1;)
Member

This one is good, we should see one alert for this.

Comment on lines +10 to +11
# Should only alert in the response direction.
alert dns any any -> any any (dns.rcode:!3; flow:to_client; sid:4; rev:1;)
Member

This won't alert either. I'd suggest a simpler rule like:

alert dns any any -> any any (dns.rcode: !3; sid:4; rev:1;)

which should alert once, on the DNS request, as it has an rcode of 0.
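Added illustration, not Suricata's detection engine or suricata-verify code: a toy model of the reviewer's reasoning above, evaluating the four rules from the test plus the suggested replacement against the two DNS transactions in the pcap (request with rcode 0, NXDOMAIN reply with rcode 3). The sid:5 given to the suggested rule and the DnsTx/RcodeRule names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DnsTx:
    direction: str  # "to_server" for the query, "to_client" for the reply
    rcode: int      # DNS header RCODE: 0 = NOERROR, 3 = NXDOMAIN

@dataclass(frozen=True)
class RcodeRule:
    sid: int
    rcode: int
    negate: bool = False        # dns.rcode:!3
    flow: Optional[str] = None  # flow:to_server / flow:to_client / unset

    def matches(self, tx: DnsTx) -> bool:
        # flow limits the inspected direction; the compare then honours negation
        if self.flow is not None and tx.direction != self.flow:
            return False
        hit = tx.rcode == self.rcode
        return not hit if self.negate else hit

def parse_rule(rule: str) -> RcodeRule:
    """Parse only the options the test uses: dns.rcode, flow, sid."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for opt in body.split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip()
    rcode = opts["dns.rcode"]
    return RcodeRule(int(opts["sid"]), int(rcode.lstrip("!").strip()),
                     rcode.startswith("!"), opts.get("flow"))

# Constructed model of the two-packet pcap: request rcode 0, reply rcode 3.
PCAP_TXS = [DnsTx("to_server", 0), DnsTx("to_client", 3)]

# The four rules under review plus the reviewer's suggested rule, which gets
# a hypothetical sid:5 here so it can sit beside the original sid:4.
RULES = [parse_rule(r) for r in [
    "alert dns any any -> any any (dns.rcode:3; sid:1; rev:1;)",
    "alert dns any any -> any any (dns.rcode:3; flow:to_server; sid:2; rev:1;)",
    "alert dns any any -> any any (dns.rcode:3; flow:to_client; sid:3; rev:1;)",
    "alert dns any any -> any any (dns.rcode:!3; flow:to_client; sid:4; rev:1;)",
    "alert dns any any -> any any (dns.rcode: !3; sid:5; rev:1;)",
]]

def expected_alerts(rules, txs):
    """Map sid -> directions in which the rule alerts over the transactions."""
    return {r.sid: [tx.direction for tx in txs if r.matches(tx)] for r in rules}
```

The result reproduces the review: sid 1 and sid 3 fire once on the reply, sid 2 and the original sid 4 never fire, and the suggested negated rule fires once on the request.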

@hadiqaalamdar
Contributor Author

New PR: #1578
