From ff906c1d39aeb841152a1b1fc2ef3a2ae43c1658 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 5 Dec 2023 14:10:42 +0100 Subject: [PATCH 1/2] dns: adds test for dns over http2 Ticket: 5773
---
 tests/dns-over-http2/README.md | 9 +++ tests/dns-over-http2/dns_over_https.pcap | Bin 0 -> 5188 bytes tests/dns-over-http2/test.rules | 7 +++ tests/dns-over-http2/test.yaml | 73 +++++++++++++++++++++++ 4 files changed, 89 insertions(+) create mode 100644 tests/dns-over-http2/README.md create mode 100644 tests/dns-over-http2/dns_over_https.pcap create mode 100644 tests/dns-over-http2/test.rules create mode 100644 tests/dns-over-http2/test.yaml
diff --git a/tests/dns-over-http2/README.md b/tests/dns-over-http2/README.md
new file mode 100644
index 000000000..f9fb01d63
--- /dev/null
+++ b/tests/dns-over-http2/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test DNS over HTTP2
+https://redmine.openinfosecfoundation.org/issues/5773
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/5773
+
diff --git a/tests/dns-over-http2/dns_over_https.pcap b/tests/dns-over-http2/dns_over_https.pcap new file mode 100644 index 0000000000000000000000000000000000000000..afc2809a455419a9c6b563f44439f128e6528655 GIT binary patch literal 5188 zcmeHLYj6`)6h50x+O#HV3knq}k3lLF0%uV z{*y6W9)LfG-kpY5L86!CN_GdD>9IPlCth&^ew7v_E-EeWAA4w^Vv*b(mOjS0>)El> z-)-UMz9Glw5FSq-t1qymz!H(zr0vxJXl< z>#}Fiqj&N%(HWKhNxC|E__(B$4&@aI-}Rrs#mp(*Gkj6`KEuNJ;;qriZv(7h*6?Tz zS6X!7?z3Wl&Az?FYdr=h4P8!6DvZ|#p@MN~y&oenTHJmEvY^u{n$yk`ZHzEvU}VGb zH;6?Zyb%rqj#jH^0MO%IYEogV#R^}r)k=Ih$L+@_d(&z=G0RZoxV%VV=eM#zaHknu zv7hq2QTav&x0-Mya7s0gaiiF=8#ljLMl2IrSVna8gNyURofmKdm&TDZIQ^-qixZqJ zJHk@NrlclsYus@mX<3TCxZ+&J;iiK1odjc&n%zB#e}t6@lDqJvi94i_P#e<-c$ZSk>zCC#12c{8EuSDS@xF8-f8SFn|ict z|E{k}=sNXJJe^(o;lBAh!=DchQ*FAsr{ZGfa^)pij%a5N1?((ocv-oMZ8XTW^?W?TK3)b!I-C34>5hJQ3`pXv{NSysXg`c;5=v)`-rn|x(Ufqunnty$~7Cn`Oq;X#Y!r6v^$maMCAiGp=t zp>MD_q^lVFeBwKIgiXX~7YayMiaN*J?e^g5R-4h5W#Ub_**FATjY_=D^#yrJYxNoA zqqr)!5>#B7bou}LcaH~HKmn9NJ}MD;`VHVA5kp8#DvUe>3ULU@WA-Hv??f)JjU#sw z&FRT9onKu4;lVbOwXW86fOc9h)o_RWpK4Nv{~P*5s8d7u04Gr)G7-zeOkYAN@ca=8 z^`=(z0}+-dxRTL4Jcbw4q{7b0A%)0VgnP#CoNNS8l+(dh(ShbDg9z@XaHdLAvpy6~ z;0QITFxW$m&k6Q}OMbA&y|7dE(ww!duu%xu&1Qv7cw6P!9!K?A-HhvXJv**CymrB= zgv6}Nzcnr0RUNc<*0(<=>c=_HpN}k5=}s<;a=KQ}Vl|rj_;%OnsOP$4_4bcHly7A0 zj>J&-8nvV*6=v)wj-$-ji@wInioC{Z>@;T`Gd5VjQPJ3l+cS2sZltE(_;HnJ-cQGj z7d3mFw^N+Dz1CI@Qp1a=F*T_$Yv(%7leN1C_z@86DL#f6Gro%EjAc8TqOBcmbsOae z8=q1lEkDBC;?75L7&2H5?UAw6q(Yj>6pkNAv+AvWn*Hk4ERHHn&q1y5?4DF-a>^Xz zY^^zCy7?Y!w$WmPDpl^$&zc$&9q6+ZUr6f{4VI#-j=P+v*c!I?HO8=HIGf# z*eu4(%q&y3F~>OFY~gdvHmFGeHV4o9_>TB2n`5a`Vhe z)2!V53}arN!Z;`2Vy@{^V-xEI2m$%MsaHq*Q7=Sby`YwQ;XmIeiae-Sv-jnj@5~;r zF!Da?xWLH!tS?1^Kl4&#LxK1>ZFfi!-{W3J_=f9h7>ReONrmALbo|Kh?Y>(99|I8F zOv$00L36xsGN71CkkL2P0d{D|PYlxH2l=oUa$_1n`tHz7(``32fi(S@!RGtHKJJBm zl@%s($`1&p1!SmcDLSg{TE~F}IOd)wp_nLq dDnm&UQIP0?bV+9@8b4i9Q5QM=vsQ^HzXL^{>!|<$ literal 0 HcmV?d00001 
diff --git a/tests/dns-over-http2/test.rules b/tests/dns-over-http2/test.rules
new file mode 100644
index 000000000..450a62aea
--- /dev/null
+++ b/tests/dns-over-http2/test.rules
@@ -0,0 +1,7 @@
+alert http2 any any -> any any (http.uri; content: "/dns"; sid:10; )
+alert doh2 any any -> any any (http.uri; content: "/dns"; sid:11; )
+alert dns any any -> any any (dns.query; content: "www.gstatic.com"; sid:20; )
+alert doh2 any any -> any any (dns.query; content: "www.gstatic.com"; sid:21; )
+alert http2 any any -> any any (http2.frametype:6; sid:30; )
+alert doh2 any any -> any any (http2.frametype:6; sid:31; )
+alert doh2 any any -> any any (dns.opcode: 0; http.host; content: "dns.google"; sid:40; )
diff --git a/tests/dns-over-http2/test.yaml b/tests/dns-over-http2/test.yaml
new file mode 100644
index 000000000..82a594487
--- /dev/null
+++ b/tests/dns-over-http2/test.yaml
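Review bot: The seven rules carry no comment saying what each http2/doh2 and dns/doh2 pair is meant to prove, so when one of the counts in test.yaml changes a maintainer has to reverse-engineer the intent from the sids. A two-line header would fix that, e.g. `# 10/11, 30/31: http2 keywords (http.uri, http2.frametype) apply to http2 and doh2 flows alike` and `# 20/21: a plain 'alert dns' rule with dns.query also fires on doh2 flows; 40: dns and http sticky buffers combined in one doh2 rule`. The second line is the security-relevant property this file exercises: the equal counts asserted for sid 20 and sid 21 in test.yaml are what show that existing DNS signatures keep matching when the same query is carried over HTTP/2. None of the rules has a `msg`; that is acceptable for a verify test, but a short one per rule would make the alert records self-describing at no cost.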
@@ -0,0 +1,73 @@
+requires:
+ min-version: 8.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 20
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 21
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 30
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 31
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 40
+ - filter:
+ count: 2
+ match:
+ event_type: doh2
+ dns.query[0].type: query
+ dns.query[0].rrname: www.gstatic.com
+ - filter:
+ count: 2
+ match:
+ event_type: doh2
+ dns.query[0].type: query
+ dns.query[0].rrname: nav-edge.smartscreen.microsoft.com
+ - filter:
+ count: 2
+ match:
+ event_type: doh2
+ dns.type: answer
+ dns.rrname: www.gstatic.com
+ - filter:
+ count: 2
+ match:
+ event_type: doh2
+ dns.type: answer
+ dns.rrname: nav-edge.smartscreen.microsoft.com
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: doh2
+ app_proto_orig: http2
From 107bbe11aaf54f025ac249c63cdc6e22a8489f63 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 28 Mar 2024 16:51:03 +0100 Subject: [PATCH 2/2] doh: adds test for dns over http2 with post Ticket: 5773
---
 tests/dns-over-http2-post/README.md | 9 +++++++ .../dns_over_https_POST.pcap | Bin 0 -> 21044 bytes tests/dns-over-http2-post/test.yaml | 25 ++++++++++++++++++ 3 files changed, 34 insertions(+) create mode 100644 tests/dns-over-http2-post/README.md create mode 100644 tests/dns-over-http2-post/dns_over_https_POST.pcap create mode 100644 tests/dns-over-http2-post/test.yaml
diff --git a/tests/dns-over-http2-post/README.md b/tests/dns-over-http2-post/README.md
new file mode 100644
index 000000000..0afd21b71
--- /dev/null
+++ b/tests/dns-over-http2-post/README.md
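Review bot: The doh2 filters pin two query and two answer records per name, but nothing asserts the total number of doh2 events, so a duplicated or spurious record (for instance a query logged once per HTTP/2 frame and once again on the DNS side) would still satisfy every filter here. Add a total-count filter next to them, `- filter: {count: 8, match: {event_type: doh2}}`, where 8 is the four query and four answer records the existing filters already require; confirm the exact number against the pcap before pinning it, since the pcap may carry records these filters do not name. The query filters key on `dns.query[0].type: query` while the answer filters key on `dns.type: answer` and `dns.rrname`; if both record kinds expose the same keys, using one form consistently would make clear which log schema the test is locking in.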
@@ -0,0 +1,9 @@
+# Description
+
+Test DNS over HTTP2 with POST
+https://redmine.openinfosecfoundation.org/issues/5773
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/5773
+
diff --git a/tests/dns-over-http2-post/dns_over_https_POST.pcap b/tests/dns-over-http2-post/dns_over_https_POST.pcap new file mode 100644 index 0000000000000000000000000000000000000000..930c062511d425ac74c7796033ba03384370187e GIT binary patch literal 21044 zcmc&+30%}w9)B~;Fd&C`Yi1rmd4y+bmIf#@YDVJGu5Gq10wRfm;#FyXK$9u+D9cTE z+YUR{OD?Kn+Lm_pM8G*<9}fOzw`S$-ZAVg zedkp(voJZTsu(lj&4Vr1KHR&i9_xjBx;#e+voqE{$zUuYm@(I1Ese)VUH*B;=PX5j zD#cvIKDr>N%+piJ7gUG>QDP~eBZeuZA*dV`RF>(f6ewjOMNBDCpmI!5`J*X}ZN(4i z@*G^FkCF;CRGL?@pF$W*89um8$2NmTj!fy&y>r)ydJ*+TB-1Nn4Xcf4;`XyJGZJLo)xKxa9R;cG!bPKYvSQ>?_lo zWOeL+tY3W5W9vUL#=Tas_KU+Ku3QUwV(*bw@7{Xo-5$%|p0)CuZ`)1&`@6TFoxFLU z?c$s5maN<#1wfldgs!^%t@EXe*3=)dxYe{z#zx%Q@4msqo4)?ngyUU?&5s+Bd+@^V zHe5}x9!Od6r^>gl4DY`!VfUCfqW>{!-d|6)y=`sr7{8}R7iOJJC>(6eOPreomL?;Ox64%~LwP0~jnOH>_{YpRsVJM6N1IORh+%&0-Mg z&dHH0ffP5nT_1i9^zkx}L=`A-}!$W2~3-%+Jh&jnb8~sYrn#*Xin=V{nzSmZs#yHU zb;mi=g*TpDbuo5A_8qOaf1f=5{nDmQ|FQpt)oZssH|IdiKO;-l4A{LfX64xX#znWU zcUjH%4y_ZCyC zs}rDLUB&6PXW=Y{-_`O$zRlaH_3cwCXP6$9&RAJ0Sdb^{PX@V^I5T?~Z|L$I9C<^N z)(UdorNOiem(Vjkcx-_gR1kPH1D~wI$Wuu$|p8E_Kz%VTWo+=x)jqX0E`yKzh zdn&SKK4%Us3i6=^38T~km=V8CW|sYT?U`GH89OkO$cg+fFJzM33uayJ`9Nh7^H6D$ zH=h>#NreVPZq~A39iV<0!K5u)h&G0jNf}^8(c7BAAvNv~XgvigqVY|PP;*`=BEOmA*}FoO!D1zv4wIg|1-CQYp)sJc~YRlcN@B27v$ zN9gh#oY7ZFh$C{ZcQ0ff1x6v z9W)itK7q^@NxHvtkeG^G2_t*>x$e1g#xR>EG1yTB{jDDq2?=f`30`|us7)c&h!iUS ztjA0ed%r1_e622fV@?gAlCQx4EOeMv7Y>f0E3v&`YnLvF1mqEH0j@O#fs?>dl)cxhJ1%EPS6C&5&6vB?;4PBmt$HixM zOfnRv#B5BM@=ogCSxX)l&75W1w{0y&Y#71S7Tl2HQ>EYo4+|>r<2K+8tWrxuLUdrn zyv$!^%N(ilOScO%kp-KP1>24a(NrmWJweX9?FqUSP4P2??f7FvPNeJ>xKpMuBd9RD zbqO&GemI0p#>eRL9Nb-LcFY7xb{}TRlG&=|^h|f2vcU{0kQR6~XQkJ%K7}s$>?p#Xk9un5_KMoYCuE1a$W2Ev|(CZ zn<_>4PKxli5)wh^+6s3{T{m)Fn>-Mzt93{~{zk>ZMYT~^qHxPv2S(ny)-gg>9u8$E zL4_{Q!9(<*Jz7ZM-Dy~dAVdd}TlegvXQFvVZRy;+Yv&FbAqg{(UX6M*p{#5)WpV$- z=~?5ae=lnjJW~@OO3%1MWEa(@CM#+}t_U2+~!x>Pr_2b5Ve_qyR}j z6RN9Cu}X5GlAL8PkrTD4m2=CdpX{nYzA?f?idoPw!KXIC-`*DV^|#xAH?TJKy`Z%q 
z%7(&%?@5)H?60w4E3)7{hwAB4OeaCkyIfcXG8SA+SbXy=krQD@J(DKvUi_w>F6>Y< z6=C;?Wc0==VkBBjF#4~;ZqSl29ay?4EmsW7y-BJ@v>^!uSXw)`?*8s0NE@UdHW;)HN^tl#JR-MsHvOBbyg6@&-#?nwKfiHRl2J zaClU`(q~Ulnhv?unnAjD$s!TNN?){UrEhHqtXO}xcaOW!=OO(VQ36dnA_vBJryi)` zjV3=e+=XiA4XN~Gl1&ea9fo+)&13K;r<*-dX%Z|b36nfMQ#?XwiY9U|UJuftX@Jtn z8H|OR$igo@OXNiAiN&2V^%R#7qhzy1ho&SYBlO&YQLjv5BwArGszH+_H8(5Iw_iYm z<-0*cA}n2P(e;M|Ri+CCD{DFFx{;F<{b8)rweR!KBy2i|?cKB6Xvq7+sFHK@y*C^n zZb3dIHbViEQe2?MN-DLCVxgAY>}h$XY*zzU9DYP@dW}QLV`-`j3unN1od>CYeVs*@ zg9a&8M|UGsFZ!KeM&iU0xmJI+>QHm9(wXIOChu;R^EtFY&21p5M9oHynxa>&x`Kt~ z-M_oBV)h~!E$d8ji-HA45T7)_YaKTmNY!Bv1?xa_ztVE(Zh~V7G=KUF@e`oA%~?{p ze_u6d3iic+{@Grmu>eg)S99XCZ@hZoEjg)xv>Y@fuTolfrn&FNY$}lIy?-C90}Zwh z{JWfbQ>E&2Q6OlL3bzrtNo~V)%Qe85zb}I^bE!9*EZGKqq+G7)fIB5<3`^m}L#4zl zGdhe>uB*;>^ei7dO+I2Dtz-r`31;IzqYwAtvV&O-a6(hlX*)10Eu)S(#~2f)iQH{buIhl1$ zuRA{t(=AY?2?@NX-}Pn#E~m)92cWcEpz7c(JMcxNjFe09`}cirH04#fasH$4`1E-2 zPfdOe>>rtA*&o==A-SoU8L8=a^fG0KrRPi=o1KxCos~90?C{be9bt9{<=w{U!{mBa zGvr+?4fzd%+mU_R2|!eY0R zEOi~E`ArtC!IZXF%2%Q~0|E3(ch#=@==DjRchVv#rwB$WYZ zSPLiaDkEm=e;>|f;A3=o4xV+g>=RVXY`~OYHUMj_jNQp$0A@8o=!a@^9uTG8+aodF zj*8GlVvf>;SE1cV(z);qi6P(<=d3vN)j0iQ+p4EE`dA#)9U0?I5g z#IkD%#BSBF@(aY~fEAWb{RinjvWa%Km8;S{e4W(&u}=h5f=?WgyEZ#Q2cJBpM@KRi zzMf1O0wBqv)dhE6@Y!CpjVEv;xN!2{%ZXXTf(T~dV{~~A4xh<(lvaPNQm_kVEwDy~ zPjL8vnFoBtu?mzfQ>I_O)4*tYT%@k`L231`|KaPQWf|$-@_Q0Tv_4&&TaO$*Bw>`0 z^VPvGjhlJv(;%_=VDEkzqI;mIHqqT^+Q}k3(z>g;i>f!d(GNbY0Us>d1{~yxpl*@6 z*5^@`>Jf-5q56#11aV^Dg~)xiNIPf8e!jx7WsF74BuhSl=3jOJ)CGB=Xh#tir_l$v zID+neE>hR_pxP=JeJdG_zK0lzwg-$n5cHq6JwL?P*DdoDDD4M8h47Sw%MjFUyY8HvHG1{bC>UmmeKFsez7LdMQK}@;S(?hw`Lx&T;Id)X$pf)qU zK62P-BM_DTTrZza2&!lhB~@_)YC;`L*>>NaGGHkqlYGOthzrI~b7k%dY}FTfE)3t4#PLqtp>&^w*ktO^~czu*`q5GtEq`QDn&u2g` zbe0xEe^z?-XLz=hOgXJ15fc#VjXNcT%F2mR(Gw=!Y!<63{&g($X35C7NQ}g67K~~j zRL6B6l3++D-62!^%Sy|YV&#b+fsAcL5{RYe-v0S$PHtyfdOq>}chz7jSZe@TMl1(Y zOwLD@KCLyh;9!C(wX6qqzcK4UWRiwmwP1QhWs<1H(j3iS)_b#{x`!KvoH+QVu3tJKX_O`xi<^XsZRI4-b*l;(#d_)qp9`p+ZF(B6WK# 
z(yDt{DaD6UiX4xEes>^sOSrmEJs+%FX+NT5^p#|^5Z$0$X$PYkb(P2N0_Zw#Z?G=q z9v32bF9k&{!(voR$`gBbk_aN@-tBaqI(b5-+|KWQ|J}F7Z6ZqM-ag5v4}`oPQKC8w zi!>`{1#5UEj)wf!Rm6?`Dn~KM&tV6&tEMoof68qzRO+6AH3AwG=ywyj@Z(xjVy#<2 z4pAaZnaigR!jyfSC1*~blBVnucJjpcMh9Wag}5DrhgTv*Aicy;>Twvd`yNE8KNKVlo>*ln;0;P$4BV$9K6}?WGa%`5waS zxTnN3ePLM_IU0YrOKFN z3zbvqkDUstnOpryrC)d<;I^K^7eUDiIUdBTy-^C(`xSFGFwnKj@+a@Blwe21e8so>o^`YLf6DVx{5g4*+zRt5G7rq>vhR! zav13<0t1Y^b*;mG47v6E679*hUxWnSm8szltkCu$x2~H*5{SS^be8{c?rhoVQzwm1 zJTTg(KhfW(AVJFie_*s+sy*3OrBb;OkStUl?J);PBn!5AQFqGH0sHu;mPW9fAZI>G z78I+3@y<=>e>mqZNI_@MoHpY4s$knOv+UldEP*j^OZs8kon!vVw;@*CfYLs0xz3Uf z0McLe#&=59A5JILMT&_hOK!ZNJ0s`_5#+qj2!^3BH%=rhj?E@wBJ2j>PMKmv*xi3g zcSg_=s$?`;GMWetWY~exe-(Dk-qxKFbfAx$>N4r<)_OTrGl`5l336)2oBcuUqvjGbLmO(+fjbul2 zr4L_(4=<4g$2>&D1X%32Q-Z}+PK+LHq1!okv`{koP%`R^=0+|dgHa7w{Pu%__}8h` zn^+{r>GCkmf}rCTrTs3!e%DFiTT$8N1l+EifYXBD#h)(73Hau!AJ6|_bmNeE_MJgj zhkJhm3A%7dnL*VQSQh|`ALYT9s_VAP{EqL6V4z)QGRc{(T1d54nWPB}Ax!c>V={?= zl%2@E+Fy6<)DfffG^%kE-r|gIOT+}E2I5W$sbUVP?7_NiQAezbQFt54=%%}fkyv5| zBMqeFx~!tjA$><&3)jp_9ax?6PeM&l`@>TSQU7XBVu-2KK&R{SrHc|ehpT?N@T1W~ zKxfnZ==0vtfy^4{NSWQp8CDB&c#g2}V7}5+kuE z3Pv6f3b@axz|KM_{6Tl!VP;2PrTxG%g8xB}u4hROv7$UgRnWT7it_bqS7lb(Tnu~} zcM3>-{_?bC-jD)e4@d>n#f_z;TGEm{Hnpy<1&vH{6vjtqA7I_ZfprD{aB7ZLN0?;D zd@_lE)DR-~0s{X*{D3acA@)oi2`W!Vz$?w$Qi30jZb?Ea8FxxZ6_*pEMT>NMrjA4< zqX#6TsCC3h6f`i>KuQ*e0ElWc*u+kQ6kVQ!>wCyySDLRa%(s;EUCgs^EdRn=veQ+? zez`8ObJ)0c^@?$qz|Q_nS9g0?GzhK1juhGros?RjBP*I8bOKg1@sBIHubjb)aG? z7=0ia9e06xbwvXs5A4)d6#`(W;4fxIsf8}j!7+5ialg`xN3i{GCcU>L&@;Dj3=MUb zRGF(xRm@$~KK$kSHKVUU(Q#+9bnmZIKzt7r)h50hP45IMYJTvkt*DXP552D2({iM! z)Nip|s&DTjOhzag`Ygz;pKH||7jq0(IXBXbuO+V_YwmIpIdR%>819rPGHivp@tcU* zo+2xog^$tYIk@X4IYua%b&$;7&!T7g5ri0+)gUQ6J!5J{+SJ^fDN|FkZR4`0WQ@z1 zshh2lEHC8-vx}fXm**f^Oy4;sEA6-fcFZBg3wqHrYdDOCsft_Th^7lve_JZ3d(U3< z$EC!d>dEh1b%X!5l+mA~xkIbxCk?9po_w{!Fd;{?6^fYjCUiqNhTY=zNlWgOob=#{ zIgh2zsQz~4XW64KQm6{PCb?BN?oyL7g>-(R4xlDQ}k43DrG5vEEDN3DH4@`1B7nm ACIA2c literal 0 HcmV?d00001 
diff --git a/tests/dns-over-http2-post/test.yaml b/tests/dns-over-http2-post/test.yaml
new file mode 100644
index 000000000..818a11d33
--- /dev/null
+++ b/tests/dns-over-http2-post/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ min-version: 8.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: doh2
+ dns.query[0].type: query
+ dns.query[0].rrname: example.com
+ dns.query[0].rrtype: NS
+ dns.answers[0].rrname: example.com
+ dns.answers[0].rrtype: NS
+ dns.answers[0].rdata: b.iana-servers.net
+ dns.grouped.NS[0]: b.iana-servers.net
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: doh2
+ app_proto_orig: http2
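Review bot: Nothing in these checks confirms the request was actually a POST, which is the case this test exists for according to the commit subject; a pcap in which the resolver was reached by GET would satisfy the same two filters. If the doh2 or http2 record exposes the request method (I believe the http2 app-layer log does; confirm whether the doh2 record inherits those fields), add `http.http_method: POST` to the first match, or else add a separate filter on the http2 record of the same flow. The single `count: 1` doh2 filter is also the only event-count assertion, so an extra doh2 record for this flow would go unnoticed; a bare `- filter: {count: 1, match: {event_type: doh2}}` total would close that gap.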