dns: update for v3 dns request logging

OISF · Jun 10, 2024 · 15e4b56 · 15e4b56
1 parent e8a1d72
commit 15e4b56
Show file tree

Hide file tree

Showing 32 changed files with 802 additions and 786 deletions.
diff --git a/tests/bug-1158/test.yaml b/tests/bug-1158/test.yaml
diff --git a/tests/bug-856/test.yaml b/tests/bug-856/test.yaml
@@ -1,7 +1,7 @@
 pcap: ../dns-udp-z-flag-fp/suricatafpdnsdecoder.pcap
 
 requires:
-  min-version: 6
+  min-version: 8
 
 args:
 - -k none
@@ -13,10 +13,10 @@ checks:
       dest_ip: 192.168.42.129
       dest_port: 53
       dns.id: 59165
-      dns.rrname: static.programme-tv.net
-      dns.rrtype: A
+      dns.queries[0].rrname: static.programme-tv.net
+      dns.queries[0].rrtype: A
       dns.tx_id: 0
-      dns.type: query
+      dns.type: request
       event_type: dns
       pcap_cnt: 1
       proto: UDP
@@ -28,10 +28,10 @@ checks:
       dest_ip: 192.168.42.129
       dest_port: 53
       dns.id: 25783
-      dns.rrname: static.programme-tv.net
-      dns.rrtype: AAAA
+      dns.queries[0].rrname: static.programme-tv.net
+      dns.queries[0].rrtype: AAAA
       dns.tx_id: 1
-      dns.type: query
+      dns.type: request
       event_type: dns
       pcap_cnt: 2
       proto: UDP
@@ -68,10 +68,10 @@ checks:
       dns.ra: true
       dns.rcode: NOERROR
       dns.rd: true
-      dns.rrname: static.programme-tv.net
-      dns.rrtype: A
-      dns.type: answer
-      dns.version: 2
+      dns.queries[0].rrname: static.programme-tv.net
+      dns.queries[0].rrtype: A
+      dns.type: response
+      dns.version: 3
       event_type: dns
       pcap_cnt: 3
       proto: UDP
@@ -108,10 +108,10 @@ checks:
       dns.ra: true
       dns.rcode: NOERROR
       dns.rd: true
-      dns.rrname: static.programme-tv.net
-      dns.rrtype: AAAA
-      dns.type: answer
-      dns.version: 2
+      dns.queries[0].rrname: static.programme-tv.net
+      dns.queries[0].rrtype: AAAA
+      dns.type: response
+      dns.version: 3
       event_type: dns
       pcap_cnt: 4
       proto: UDP

diff --git a/tests/bug-990/test.yaml b/tests/bug-990/test.yaml
@@ -1,3 +1,6 @@
+requires:
+  min-version: 8
+
 args:
 - -k none
 
@@ -12,10 +15,10 @@ checks:
       dest_ip: 192.38.129.234
       dest_port: 53
       dns.id: 28390
-      dns.rrname: code.msdn.microsoft.com
-      dns.rrtype: A
+      dns.queries[0].rrname: code.msdn.microsoft.com
+      dns.queries[0].rrtype: A
       dns.tx_id: 0
-      dns.type: query
+      dns.type: request
       event_type: dns
       pcap_cnt: 1
       proto: UDP

diff --git a/tests/decode-teredo-01/test.yaml b/tests/decode-teredo-01/test.yaml
@@ -1,5 +1,5 @@
 requires:
-  min-version: 7
+  min-version: 8
 
 args:
 - -k none
@@ -11,10 +11,10 @@ checks:
       dest_ip: 192.168.2.1
       dest_port: 53
       dns.id: 16995
-      dns.rrname: ipv6.google.com
-      dns.rrtype: AAAA
+      dns.queries[0].rrname: ipv6.google.com
+      dns.queries[0].rrtype: AAAA
       dns.tx_id: 0
-      dns.type: query
+      dns.type: request
       event_type: dns
       pcap_cnt: 21
       proto: UDP
@@ -69,10 +69,10 @@ checks:
       dns.ra: true
       dns.rcode: NOERROR
       dns.rd: true
-      dns.rrname: ipv6.google.com
-      dns.rrtype: AAAA
-      dns.type: answer
-      dns.version: 2
+      dns.queries[0].rrname: ipv6.google.com
+      dns.queries[0].rrtype: AAAA
+      dns.type: response
+      dns.version: 3
       event_type: dns
       pcap_cnt: 22
       proto: UDP
@@ -84,10 +84,10 @@ checks:
       dest_ip: 192.168.2.1
       dest_port: 53
       dns.id: 19995
-      dns.rrname: ipv6.google.com
-      dns.rrtype: A
+      dns.queries[0].rrname: ipv6.google.com
+      dns.queries[0].rrtype: A
       dns.tx_id: 2
-      dns.type: query
+      dns.type: request
       event_type: dns
       pcap_cnt: 23
       proto: UDP
@@ -141,10 +141,10 @@ checks:
       dns.ra: true
       dns.rcode: NOERROR
       dns.rd: true
-      dns.rrname: ipv6.google.com
-      dns.rrtype: A
-      dns.type: answer
-      dns.version: 2
+      dns.queries[0].rrname: ipv6.google.com
+      dns.queries[0].rrtype: A
+      dns.type: response
+      dns.version: 3
       event_type: dns
       pcap_cnt: 24
       proto: UDP
@@ -156,10 +156,10 @@ checks:
       dest_ip: 192.168.2.1
       dest_port: 53
       dns.id: 38477
-      dns.rrname: www.wireshark.org
-      dns.rrtype: AAAA
+      dns.queries[0].rrname: www.wireshark.org
+      dns.queries[0].rrtype: AAAA
       dns.tx_id: 4
-      dns.type: query
+      dns.type: request
       event_type: dns
       pcap_cnt: 58
       proto: UDP
@@ -177,10 +177,10 @@ checks:
       dns.ra: true
       dns.rcode: NOERROR
       dns.rd: true
-      dns.rrname: www.wireshark.org
-      dns.rrtype: AAAA
-      dns.type: answer
-      dns.version: 2
+      dns.queries[0].rrname: www.wireshark.org
+      dns.queries[0].rrtype: AAAA
+      dns.type: response
+      dns.version: 3
       event_type: dns
       pcap_cnt: 59
       proto: UDP
@@ -211,10 +211,10 @@ checks:
       dest_ip: 192.168.2.1
       dest_port: 53
       dns.id: 26746
-      dns.rrname: www.wireshark.org.gateway.2wire.net
-      dns.rrtype: AAAA
+      dns.queries[0].rrname: www.wireshark.org.gateway.2wire.net
+      dns.queries[0].rrtype: AAAA
       dns.tx_id: 6
-      dns.type: query
+      dns.type: request
       event_type: dns
       pcap_cnt: 60
       proto: UDP
@@ -231,10 +231,10 @@ checks:
       dns.qr: true
       dns.rcode: REFUSED
       dns.rd: true
-      dns.rrname: www.wireshark.org.gateway.2wire.net
-      dns.rrtype: AAAA
-      dns.type: answer
-      dns.version: 2
+      dns.queries[0].rrname: www.wireshark.org.gateway.2wire.net
+      dns.queries[0].rrtype: AAAA
+      dns.type: response
+      dns.version: 3
       event_type: dns
       pcap_cnt: 61
       proto: UDP
@@ -246,10 +246,10 @@ checks:
       dest_ip: 192.168.2.1
       dest_port: 53
       dns.id: 34278
-      dns.rrname: www.wireshark.org
-      dns.rrtype: A
+      dns.queries[0].rrname: www.wireshark.org
+      dns.queries[0].rrtype: A
       dns.tx_id: 8
-      dns.type: query
+      dns.type: request
       event_type: dns
       pcap_cnt: 62
       proto: UDP
@@ -272,10 +272,10 @@ checks:
       dns.ra: true
       dns.rcode: NOERROR
       dns.rd: true
-      dns.rrname: www.wireshark.org
-      dns.rrtype: A
-      dns.type: answer
-      dns.version: 2
+      dns.queries[0].rrname: www.wireshark.org
+      dns.queries[0].rrtype: A
+      dns.type: response
+      dns.version: 3
       event_type: dns
       pcap_cnt: 63
       proto: UDP

diff --git a/tests/dns-eve-log-https-only/test.yaml b/tests/dns-eve-log-https-only/test.yaml
@@ -1,7 +1,10 @@
+requires:
+  min-version: 8
+
 checks:
   # Check that we only have requests and responses for HTTPS records.
 - filter:
     count: 1
     match:
       event_type: "dns"
-      dns.rrtype: "HTTPS"
+      dns.queries[0].rrtype: "HTTPS"
diff --git a/tests/dns-eve-type-filtering/test.yaml b/tests/dns-eve-type-filtering/test.yaml
@@ -1,5 +1,5 @@
 requires:
-  min-version: 4.1
+  min-version: 8
 
 checks:
 
@@ -15,12 +15,23 @@ checks:
       count: 4
       match:
         event_type: "dns"
+
+  # 2 should be DNS requests
   - filter:
       filename: only-a.json
-      count: 4
+      count: 2
+      match:
+        event_type: "dns"
+        dns.type: request
+        dns.queries[0].rrtype: "A"
+
+  # 2 should be DNS responses
+  - filter:
+      filename: only-a.json
+      count: 2
       match:
         event_type: "dns"
-        dns.rrtype: "A"
+        dns.answers[1].rrtype: "A"
 
   # Also check that the source and destination addresses and ports are
   # as expected.
@@ -33,7 +44,7 @@ checks:
         src_port: 54888
         dest_ip: "8.8.8.8"
         dest_port: 53
-        dns.type: "query"
+        dns.type: "request"
   - filter:
       filename: only-a.json
       count: 1
@@ -43,7 +54,7 @@ checks:
         src_port: 54888
         dest_ip: "8.8.8.8"
         dest_port: 53
-        dns.type: "answer"
+        dns.type: "response"
 
   # Check that we only have A and AAAA requests.
   - filter:
@@ -56,19 +67,19 @@ checks:
       count: 2
       match:
         event_type: "dns"
-        dns.rrtype: "A"
+        dns.queries[0].rrtype: "A"
   - filter:
       filename: a-and-aaaa-requests-only.json
       count: 2
       match:
         event_type: "dns"
-        dns.rrtype: "AAAA"
+        dns.queries[0].rrtype: "AAAA"
   - filter:
       filename: a-and-aaaa-requests-only.json
       count: 4
       match:
         event_type: "dns"
-        dns.type: "query"
+        dns.type: "request"
 
   # Check that we only have 3 log entries, and that they are all MX
   # responses.
@@ -82,10 +93,10 @@ checks:
       count: 3
       match:
         event_type: "dns"
-        dns.type: "answer"
+        dns.type: "response"
   - filter:
       filename: mx-responses-only.json
       count: 3
       match:
         event_type: "dns"
-        dns.rrtype: "MX"
+        dns.queries[0].rrtype: "MX"
diff --git a/tests/dns-eve/test.yaml b/tests/dns-eve/test.yaml
@@ -1,13 +1,12 @@
 requires:
-  features:
-    - HAVE_LIBJANSSON
+  min-version: 8
 
 checks:
   - filter:
       count: 4
       match:
-        dns.type: query
+        dns.type: request
   - filter:
       count: 4
       match:
-        dns.type: answer
+        dns.type: response
diff --git a/tests/dns-incomplete/test.yaml b/tests/dns-incomplete/test.yaml
@@ -1,5 +1,5 @@
 requires:
-  min-version: 6.0
+  min-version: 8
 
 # disables checksum verification
 args:
@@ -10,8 +10,8 @@ checks:
       count: 1
       match:
         event_type: dns
-        dns.rrname: google.com
-        dns.type: query
+        dns.queries[0].rrname: google.com
+        dns.type: request
   - filter:
       count: 1
       match:

diff --git a/tests/dns-json-log/test.yaml b/tests/dns-json-log/test.yaml
@@ -22,4 +22,4 @@ checks:
       filename: dns.json
       match:
         event_type: dns
-        dns.type: answer
+        dns.type: response