From 6adedc38d95258bce4343c5e5921473239bfc0d2 Mon Sep 17 00:00:00 2001 
From: Jason Ish Date: Mon, 10 Jun 2024 11:57:00 -0600 Subject: [PATCH 1/5] tests: copy tests that will break with dns v3 to 7.0/ To prevent confusing multi-version tests, move all test that will break with the v3 DNS logging format to a 7.0 directory. The existing versions of these test will become 8.0+ only. --- tests/7.0/bug-1158/input.pcap | Bin 0 -> 31391 bytes tests/7.0/bug-1158/test.yaml | 4224 +++++++++++++++++ tests/7.0/bug-856/test.yaml | 138 + tests/7.0/bug-990/input.pcap | Bin 0 -> 123 bytes tests/7.0/bug-990/test.rules | 2 + tests/7.0/bug-990/test.yaml | 44 + tests/7.0/decode-teredo-01/README.md | 4 + tests/7.0/decode-teredo-01/input.pcap | Bin 0 -> 26297 bytes tests/7.0/decode-teredo-01/test.rules | 1 + tests/7.0/decode-teredo-01/test.yaml | 570 +++ tests/7.0/dns-eve-log-https-only/README.md | 11 + .../7.0/dns-eve-log-https-only/suricata.yaml | 11 + tests/7.0/dns-eve-log-https-only/test.pcap | Bin 0 -> 133 bytes tests/7.0/dns-eve-log-https-only/test.yaml | 10 + .../7.0/dns-eve-type-filtering/suricata.yaml | 39 + tests/7.0/dns-eve-type-filtering/test.pcap | Bin 0 -> 2053 bytes tests/7.0/dns-eve-type-filtering/test.yaml | 92 + tests/7.0/dns-eve/input.pcap | Bin 0 -> 876 bytes tests/7.0/dns-eve/suricata.yaml | 79 + tests/7.0/dns-eve/test.yaml | 12 + tests/7.0/dns-incomplete/README.md | 7 + tests/7.0/dns-incomplete/input.pcap | Bin 0 -> 1496 bytes tests/7.0/dns-incomplete/input.txt | 8 + tests/7.0/dns-incomplete/test.rules | 1 + tests/7.0/dns-incomplete/test.yaml | 20 + tests/7.0/dns-incomplete/txt2pcap.py | 88 + tests/7.0/dns-json-log/expected/dns.json | 9 + tests/7.0/dns-json-log/suricata.yaml | 8 + tests/7.0/dns-json-log/test.yaml | 25 + tests/7.0/dns-reversed-tcp-1/dns.pcap | Bin 0 -> 671 bytes tests/7.0/dns-reversed-tcp-1/suricata.yaml | 10 + tests/7.0/dns-reversed-tcp-1/test.yaml | 27 + tests/7.0/dns-reversed-udp-1/input.pcap | Bin 0 -> 182 bytes tests/7.0/dns-reversed-udp-1/suricata.yaml | 10 + tests/7.0/dns-reversed-udp-1/test.yaml | 33 + 
tests/7.0/dns-single-request/README.md | 1 + tests/7.0/dns-single-request/suricata.yaml | 9 + tests/7.0/dns-single-request/test.yaml | 14 + tests/7.0/dns-tcp-multirequest-buffer/README | 5 + .../dns-tcp-multirequest-buffer.pcap | Bin 0 -> 6276 bytes .../dns-tcp-multirequest-buffer/suricata.yaml | 8 + .../7.0/dns-tcp-multirequest-buffer/test.yaml | 12 + tests/7.0/dns-tcp-ts-gap/README.md | 2 + tests/7.0/dns-tcp-ts-gap/input.pcap | Bin 0 -> 2016 bytes tests/7.0/dns-tcp-ts-gap/original.pcap_ | Bin 0 -> 2132 bytes tests/7.0/dns-tcp-ts-gap/suricata.yaml | 9 + tests/7.0/dns-tcp-ts-gap/test.yaml | 17 + tests/7.0/dns-tcp-www-google-com/README.md | 2 + .../7.0/dns-tcp-www-google-com/suricata.yaml | 12 + tests/7.0/dns-tcp-www-google-com/test.yaml | 20 + .../README.txt | 8 + .../suricata.yaml | 9 + .../dns-udp-double-request-response/test.yaml | 16 + tests/7.0/dns-udp-eve-log-aaaa-only/README.md | 2 + .../dns-udp-eve-log-aaaa-only/suricata.yaml | 11 + tests/7.0/dns-udp-eve-log-aaaa-only/test.yaml | 20 + .../dns-udp-eve-log-answer-only/suricata.yaml | 12 + .../7.0/dns-udp-eve-log-answer-only/test.yaml | 15 + .../7.0/dns-udp-eve-log-mx-only/suricata.yaml | 11 + tests/7.0/dns-udp-eve-log-mx-only/test.yaml | 24 + .../dns-udp-eve-log-query-only/suricata.yaml | 13 + .../7.0/dns-udp-eve-log-query-only/test.yaml | 14 + tests/7.0/dns-udp-eve-log-srv/input.pcap | Bin 0 -> 342 bytes tests/7.0/dns-udp-eve-log-srv/suricata.yaml | 15 + tests/7.0/dns-udp-eve-log-srv/test.yaml | 33 + tests/7.0/dns-udp-eve-v2-dig/README.md | 1 + tests/7.0/dns-udp-eve-v2-dig/test.yaml | 60 + tests/7.0/dns-udp-eve-v2-txt/input.pcap | Bin 0 -> 514 bytes tests/7.0/dns-udp-eve-v2-txt/test.yaml | 124 + tests/7.0/dns-udp-junkrequest-first/README.md | 7 + tests/7.0/dns-udp-junkrequest-first/client.py | 16 + .../7.0/dns-udp-junkrequest-first/input.pcap | Bin 0 -> 431 bytes tests/7.0/dns-udp-junkrequest-first/test.yaml | 19 + tests/7.0/dns-udp-null/README.md | 4 + tests/7.0/dns-udp-null/input.pcap | Bin 0 -> 241 bytes 
tests/7.0/dns-udp-null/suricata.yaml | 9 + tests/7.0/dns-udp-null/test.yaml | 19 + .../dns-udp-unsolicited-response/README.md | 11 + .../suricata.yaml | 10 + .../dns-udp-unsolicited-response/test.yaml | 16 + tests/7.0/dns-z-bit/dns-events.rules | 9 + tests/7.0/dns-z-bit/input.pcap | Bin 0 -> 220 bytes tests/7.0/dns-z-bit/test.yaml | 62 + tests/7.0/dns/dns-invalid-opcode/input.pcap | Bin 0 -> 225 bytes tests/7.0/dns/dns-invalid-opcode/test.rules | 10 + tests/7.0/dns/dns-invalid-opcode/test.yaml | 204 + tests/7.0/vxlan-decoder-03/README.md | 8 + tests/7.0/vxlan-decoder-03/test.yaml | 30 + tests/7.0/vxlan-decoder-03/vxlan.pcap | Bin 0 -> 27672 bytes 89 files changed, 6416 insertions(+) create mode 100644 tests/7.0/bug-1158/input.pcap create mode 100644 tests/7.0/bug-1158/test.yaml create mode 100644 tests/7.0/bug-856/test.yaml create mode 100644 tests/7.0/bug-990/input.pcap create mode 100644 tests/7.0/bug-990/test.rules create mode 100644 tests/7.0/bug-990/test.yaml create mode 100644 tests/7.0/decode-teredo-01/README.md create mode 100644 tests/7.0/decode-teredo-01/input.pcap create mode 100644 tests/7.0/decode-teredo-01/test.rules create mode 100644 tests/7.0/decode-teredo-01/test.yaml create mode 100644 tests/7.0/dns-eve-log-https-only/README.md create mode 100644 tests/7.0/dns-eve-log-https-only/suricata.yaml create mode 100644 tests/7.0/dns-eve-log-https-only/test.pcap create mode 100644 tests/7.0/dns-eve-log-https-only/test.yaml create mode 100644 tests/7.0/dns-eve-type-filtering/suricata.yaml create mode 100644 tests/7.0/dns-eve-type-filtering/test.pcap create mode 100644 tests/7.0/dns-eve-type-filtering/test.yaml create mode 100644 tests/7.0/dns-eve/input.pcap create mode 100644 tests/7.0/dns-eve/suricata.yaml create mode 100644 tests/7.0/dns-eve/test.yaml create mode 100644 tests/7.0/dns-incomplete/README.md create mode 100644 tests/7.0/dns-incomplete/input.pcap create mode 100644 tests/7.0/dns-incomplete/input.txt create mode 100644 
tests/7.0/dns-incomplete/test.rules create mode 100644 tests/7.0/dns-incomplete/test.yaml create mode 100644 tests/7.0/dns-incomplete/txt2pcap.py create mode 100644 tests/7.0/dns-json-log/expected/dns.json create mode 100644 tests/7.0/dns-json-log/suricata.yaml create mode 100644 tests/7.0/dns-json-log/test.yaml create mode 100644 tests/7.0/dns-reversed-tcp-1/dns.pcap create mode 100644 tests/7.0/dns-reversed-tcp-1/suricata.yaml create mode 100644 tests/7.0/dns-reversed-tcp-1/test.yaml create mode 100644 tests/7.0/dns-reversed-udp-1/input.pcap create mode 100644 tests/7.0/dns-reversed-udp-1/suricata.yaml create mode 100644 tests/7.0/dns-reversed-udp-1/test.yaml create mode 100644 tests/7.0/dns-single-request/README.md create mode 100644 tests/7.0/dns-single-request/suricata.yaml create mode 100644 tests/7.0/dns-single-request/test.yaml create mode 100644 tests/7.0/dns-tcp-multirequest-buffer/README create mode 100644 tests/7.0/dns-tcp-multirequest-buffer/dns-tcp-multirequest-buffer.pcap create mode 100644 tests/7.0/dns-tcp-multirequest-buffer/suricata.yaml create mode 100644 tests/7.0/dns-tcp-multirequest-buffer/test.yaml create mode 100644 tests/7.0/dns-tcp-ts-gap/README.md create mode 100644 tests/7.0/dns-tcp-ts-gap/input.pcap create mode 100644 tests/7.0/dns-tcp-ts-gap/original.pcap_ create mode 100644 tests/7.0/dns-tcp-ts-gap/suricata.yaml create mode 100644 tests/7.0/dns-tcp-ts-gap/test.yaml create mode 100644 tests/7.0/dns-tcp-www-google-com/README.md create mode 100644 tests/7.0/dns-tcp-www-google-com/suricata.yaml create mode 100644 tests/7.0/dns-tcp-www-google-com/test.yaml create mode 100644 tests/7.0/dns-udp-double-request-response/README.txt create mode 100644 tests/7.0/dns-udp-double-request-response/suricata.yaml create mode 100644 tests/7.0/dns-udp-double-request-response/test.yaml create mode 100644 tests/7.0/dns-udp-eve-log-aaaa-only/README.md create mode 100644 tests/7.0/dns-udp-eve-log-aaaa-only/suricata.yaml create mode 100644 
tests/7.0/dns-udp-eve-log-aaaa-only/test.yaml create mode 100644 tests/7.0/dns-udp-eve-log-answer-only/suricata.yaml create mode 100644 tests/7.0/dns-udp-eve-log-answer-only/test.yaml create mode 100644 tests/7.0/dns-udp-eve-log-mx-only/suricata.yaml create mode 100644 tests/7.0/dns-udp-eve-log-mx-only/test.yaml create mode 100644 tests/7.0/dns-udp-eve-log-query-only/suricata.yaml create mode 100644 tests/7.0/dns-udp-eve-log-query-only/test.yaml create mode 100644 tests/7.0/dns-udp-eve-log-srv/input.pcap create mode 100644 tests/7.0/dns-udp-eve-log-srv/suricata.yaml create mode 100644 tests/7.0/dns-udp-eve-log-srv/test.yaml create mode 100644 tests/7.0/dns-udp-eve-v2-dig/README.md create mode 100644 tests/7.0/dns-udp-eve-v2-dig/test.yaml create mode 100644 tests/7.0/dns-udp-eve-v2-txt/input.pcap create mode 100644 tests/7.0/dns-udp-eve-v2-txt/test.yaml create mode 100644 tests/7.0/dns-udp-junkrequest-first/README.md create mode 100644 tests/7.0/dns-udp-junkrequest-first/client.py create mode 100644 tests/7.0/dns-udp-junkrequest-first/input.pcap create mode 100644 tests/7.0/dns-udp-junkrequest-first/test.yaml create mode 100644 tests/7.0/dns-udp-null/README.md create mode 100644 tests/7.0/dns-udp-null/input.pcap create mode 100644 tests/7.0/dns-udp-null/suricata.yaml create mode 100644 tests/7.0/dns-udp-null/test.yaml create mode 100644 tests/7.0/dns-udp-unsolicited-response/README.md create mode 100644 tests/7.0/dns-udp-unsolicited-response/suricata.yaml create mode 100644 tests/7.0/dns-udp-unsolicited-response/test.yaml create mode 100644 tests/7.0/dns-z-bit/dns-events.rules create mode 100644 tests/7.0/dns-z-bit/input.pcap create mode 100644 tests/7.0/dns-z-bit/test.yaml create mode 100644 tests/7.0/dns/dns-invalid-opcode/input.pcap create mode 100644 tests/7.0/dns/dns-invalid-opcode/test.rules create mode 100644 tests/7.0/dns/dns-invalid-opcode/test.yaml create mode 100644 tests/7.0/vxlan-decoder-03/README.md create mode 100644 
tests/7.0/vxlan-decoder-03/test.yaml create mode 100644 tests/7.0/vxlan-decoder-03/vxlan.pcap 
diff --git a/tests/7.0/bug-1158/input.pcap b/tests/7.0/bug-1158/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..78a37f11233cd55c0862031da58602bea14f2d11 GIT binary patch literal 31391 zcmdsg3$!a$nP#1PdCNtvNA#Wx3iy^lC#k#<2vwC-RUVb3@~Wg1A(cuhsZ`~iR3#&= zJ@jCsjjt9RA25PqLyHP1qk}r03kobp9R@{b?B#T~Gq&0z!s^jkXyamb)p=A>sR}1? zdS>0pWwY)%Hz)tMzyJIH{qINZ^ZkeKzx@z&3bgln{&@)60AGClz9YGt?m7&;8T?&q zP^Ng#Sy}D>_y3DCpeO`U5Og(k_0gy9IqQ`du%Ny5u3teuC`4WLkQ4m8_7UK97NWh< z?iP)ldSzuaY#bi+$EOWP?RHH%Tf9D+gS5wh1ObzzWX^b=O z7Vbk4GBvFrXIxqB0EJeEc52-^aTxjpFs8KyK0mPea-C0lj?X_1j=wN9_*})JnW0^% zfT7ncGW3S+YZe*0<)On+0YKH-0zHA#xdFz-PnP6A)!L3dIt zDpU@QvP`^NX1v2xb2zP*iV|DuN|bQOm4LQizDVEs+wWYY?@`dR)#*F7Wu}itFnjvG z^ozsL+W~W0TkuhD*GGRg=c8*V?wpZf#JlUG2xd(QoD|V{N)T7V&YQmga8~d0(+&g9 zo;RcReIEYuF!X!SU9Bzj`RUz0pEcL#zo!0{d&DpT@)F452!dnae`tn|;aJ8aqQnFn z^b%q{)NzaQFs*>hieMg=Nwq4Nds-o)lO*HoRz2CULWu=9Nfbqv5QbH_(V&{{QKgh} zRU?!)g{e{*&UTWeRHvMe4LMnw@+9J>#OQz}B$<_ANlG#ei6hjZCNkC&AM+(-$d(#n zg}_HFT-f>0m)Eyi6{!^j@vag5mSud<}S15M{zzjx&v-qmx=ooc#8 zwiI_IOJ#*BpyMi0992E3PEt;dxty-`X?e$OdjXQ2X>5~|EqO0PJhuLV~=slp79zm zvU(oJ9y5&WF`mLK)U=m!_X$)$B8a;iY>84SQ5cp%9-kx$T&hl^K9Ijfo{SC3OmV8` zb_V3~rrM~=DH&v($xgnE9u_2i zkWIw0ObyB~KIJ3Pi5=trdM(CZ>o&;PV?1ro_|Mm3{ASoNvd4G^ivR}UxHwCo-cN%- zz==U%l8kpNvM<~M3=edYTv=pn;2F2=bp2y%k#Xd=tWzZS0zb7Yh&dK+d;7@zwyf7qvUux!fR*2lGE%P^qTNXM8}sTP5J)kc~uP z3fucs?VG#bTg=HiF?RC%@mgd&|I{KGd2FXTRg*LQ;uzYkeGLK%>B2jG)xT%-JKUgh zs#|wtzU*2k4U9K}>ee+$<;y05V2$2chIY!`R36mH^FOSyJ4}NQup{H5XVwXmYwlho zqk!$1mL*Wyxm#4etn9;?`JSo2;o<(9v~oT-(=T1+;A?Fz+Rh9X|x=%{(bTboS;Jz;N`~le3fZjc2cW{@9jzQf@nSH74a7AKagmV}yoNQ4%=8 zH;M?y<;cG1Dy3bFGmBS-9q^B+V`l<2JAVovYy!1Ak(irDB$=YO90va8WM0~-ME9m> zvljLZsHwe3o0*-2!SrPAQ>oo4jMkfoXMaLrRC4o$NLZ^xOvBtNqg+_4L{=|E_J)%3 zOY|RZfzn;8VpOd@vR>pk@x#SMj<*A)oDYJ_0@KBhrBGn}?#K(8M641`5}=rPJitxDV}H4ij~hm*wIAinAtetvj8SU?#2iduZ%DbNTgNNWqDqX0ytZ7+RbZgk91r6-bx zkxTT^Q9(-D>K}sAL<|hrsNPqd3vKw`ec26=4+9XZ_w=5p4G?-yfzh&kPhb1-Q=m72 
zpU~Puz+AR@fgUjT%>~TXeV1~N7y+|4cR0z{IgP-E^v#}~wc9Az%J@38kb559es)or zt=mq4{sOS5H8YjazuJ6-M&g1&(A{K*kaFk_j3lsJ#U}nYpj-3lB;<8q2=DbQ1^CmmP)Ai`v*V%E`!QFZ`-WU zT0)Gi;_XM5d;22Y+n=3U;EqO?+BB{>;h)WX4t8__yW)|Yc*6CZ^ zjRwR$NuA^i*p^f#SCQ0zSxZvi{jGU;7m$j*q`bE;_1CL)fBn_GzkYEK_SmAoPV(h% zOMj(S@fQZDToRqH(W7(zWJT}l_tRfAsN9QAo9zlqh}0_4`5pjq^@%uiM1w7^y96fML+n zY6n|{%;qCCJ^>fSKq%#Kj971JG~iu{Xdk0{gZLyoXnMSAtD8vlYrb|G^VGWCoHs^= z3d2GmUY-t}A>8eWbv$fO_6cOF$r7G;tXS?S&fGX6h+!J*mlJ89uQ(cI9fDloI}~1t zPm4UPl;Kjs%X?~hWK#0PCCtf`x{bC&inNmr)muc#p{sMu)8sRvC#aSBC^|C>vaZ=q zykfCtdmrF?b*Fx#ZE`A@hg9vI`lGu}Sz`;~A4S86p4TxN;q?hmOxal!j3KJ0IgAEM z1GS#QTZx>~m7R1F&N@5|#z(Z%eRkX|hn)FrI33_&T2j+BOp%F!8qJPe4qqhE#r-WM z-tXkx?cg}5B*(pxN6gjIVzFK30(i$Gfo^= z#(EUyNDtdpzNom8gv*JiorzwsZ8!0H4v?`r<44Xk$j~Dl6Ofuc6sQd%NNWpI z%kqbHlbLdLX+%~rMOCG{=dQhZw0 zqZs6HBnrL_mWikuI}q}@3?6P4gEg<}&yLuB)lbw_-T`NsP$D#{iy23)mGCJ_Kc37v z+T$(`4_Q@7Iwb_}rx7fSwj4s%%X?8W?{rj4t>lEE*g&+{PGMt)?KVlYixFKW zNMw4UR47rQy{s5Q=wTX;W!&lFB{e+Q5WU_i*-X-GI-)uwE~HoCqY{SY`dA^EXcp9| zvlSaC*0Wlx#n(41SIX;kr93*Xlo$O#`MIH#y`` zBAL7}tk<1`KIxmtQ!XXAI(%q6oq8)wkm(2Wa-$I>`{AZD*YU$blWh7_oL2_4Bauw> zI_-L{7E=-tzgos(>AuKHN-M`TTWP+7lf#J;^AZ_w1`Vv}sa?(!FSd9Ub_7ESwe1+e zeXK9B?Rd2{D3kqIyebhbcdJ+$wg(lzps(Ko4K!*YH!Or5gJ8@xaQFN}DqZh7xu(b= zN-O5~I+LE9SFQOfQC|`1B}q@6lVLj9?ZR1s_qJL>2X@{{fSQM^CqG&+O<)|s< zLWpKH9T$hwRAp2zNR0^Y$yR`F(TFyVBK-b|CGC62OJcoAL5@V2x=@f{k_=YCQDdvc z1uLaowp=N1(3SGYyiy7|GGQoXFQ=U3+t7xhAtR?`2~w89*|3(U?#S`2S^%5~WYe(} zPc)}f5>1W*u_2pFS3J3T)$b=Al}QE3QuVN;)H4~l;%JLqx$Pr|`IH0~)Iu*)QH_S!zOst&=!U_}UdD1S` zo2@0?jGSw?f`dRlNz#t#80knw)L&Ml>{x~A$|VWJRq8cc!%&_bU?WtXWRg7YVWUE- z)9a=DNLiJ9`B*8NS|O)+fKna?1DVzqO2`K`->4~N>w-C@-2Tn?9l32$DJS_J{fts> z*&ls!L^_?%hEig#(9Sk8)j~6v#PZ`7Ey?9Re=OC3Ro>!q5O2DH~Ef>2mP z%V);RW|-J{vSIEygZ~O#x_ZrYoq2&If*^u@&9wR4sgMXHqqT*a=`BDtTFrDT(2Y?u zkrWj;*Ql8;)M};(jWl+;4z_`3YI4wTyL##K!19NHQLQal{;E=91JVOaZT=398V5fMqJs^v?SPaz%Tug{hiK4%Pg<_?kD1$@e@QYND z^YToPpZ0B0K6lG$(A$7Xtu4e=d-D=KuDH3lV!!>9=bu`PtCRe=$4p$M_Twr~qz2J^ 
zriqjySSHsS4i!4DN{M=vs}+=icaR@tJ$`p6pQ96=Xx14`Rr79^&Yax|Mg(`g-j_R~ z&2GSn(Bic1A3k&%^cmm=tt}|#)?LNCWlk|SQSUiaGb=_xL@Y9nQB0eW`pJQ(Epp9v zR4%3HV!0W2lXcf1J4rdn*wX4Ll1IC}~44or)JI}dLqM zli{F0`aSnx1lW|GOMfx z-nJZ~Q-_GpLmb7w`&$!4@a&(>0<$H=$|?}=Tn^EtL!5uMviJN?;kTM0+AdgHLgZF~ z_?hJp-8#g`Jd5AS-}AH?qU|ocCB*V75bs?M5!NAM^AMevA34(m(SE(k5@Kx?h+hE^ z?*YNCwS|bkZPTMeeB&I%ca^SnJ#Ii;ceTqBdtJlsf)=usce}Y5>L&p9y8vvhEnxrX zrdP*4pKWh^$!URe4eaYwotC&88tzLMal5u_i?|;HxW5k|Yi$AdBbz=A_tx`soZtW4 zMdwEi-2dD)t7RXXS|3Y`eSFLI`xpE8#B%BTb>D>N`q=yZSFW4ckJQt!{j|dpqOgke zf3h56K!7N|BbdGN8JdRxY_JuSn^O^g@^A0h)Z_2LmI@b56(i|*b>!$6b*=a#GL%Q zAeL0}8kGk<3>ACxI+7~C(kv+&0aIkViOOxj$S**0)7nCY`|Hiib$|VI)?d)0#Y2Z` zCVzpY(EqD*EK7Dpja?a97?OJ1pI%IRKUj<18z*LV1w^)HcN<(CF@5B;WdZvpJzy`N zW48yj3O_K|eSxfC$wTX)0joj$=yHfx=nzBm5bu2S#)%oCJrBmM9L8KnUIpSOmP5Q! zhZvlP_&;7%ex(_rZ6H{(D6InV*rTVdk^Z|Cvzip7ZLg;0U!DPhB|5!5ufIUVzBAL( zuTe=IzY2oharBA*1b8Tb_B?bG_;dL!pMCIwjh$Ojz)xO;N1}K%g5yytibgREng4@= zYhNycHZ)m0(_1>!09#;w9GK_)?!W0)%$(bI$VwLNRXG1#f1UjJ*m)+-aRljDbAAHw z@HbDMvW)Yv&iUhiIOm$JQyZtPaf0BAzcV_dkDXvWwu`0Z7R=}Qc(oa+72Kp+A(XV* z;|rZQQEYVl@oHZXJke57X-xC2ZdOJ;rM@%`OI;WTH*E-o7>oHTwJ0qIR42GxBQubK zZHGFMg6NQh>-|bB8|OSVq8}U9l7mu*tF(JwM+WZ3*;Hmyi7{{|QSvyzX?G8rNOg0q zcsBxj;Osa*bjJgHYSifAw18LJyw$*@k#RL3WA)YWUwzdeLr$H-@;9fdWH|@$R%Xq0$|@E=p^4G5Zx$7r{>Zz`lzg$e+G! 
z2m%5If$X0T^xH-+ee9I^6VTmkTqBTI{&3Ls2aqH$;h#Ona{`QK$Ga&wd zqI*j!yBd`TsTnmYx0ibx(Y@`Rr4s7-Zur$#4JuzCYAhl4R`K>X0mLQi7^n{M_#DJ{ zIj{W4%*e8C%voaZYuFF6j-k=}t>yG$I(B#td+&eVko}5@Ui*l(gg97*USHw#HS*?@ zH=C0RjSTIR%5Tc2Ltg{+gw_^j4WHkP=scW0$HT`ycJ7lmn|ZJ`GQ&f_w|5)VkVr*) zSk#-yz^)cSx-hBkz+k_ch~riFuv>$DKF^>#jryHJ-fey8VtYD26VRMmV%K3TK${s8 zkdZxOzj({(YmDs|&)l}B=Qu(^##pS?FFLceYPHLBN)xHr9d^5DPLaKRx+pr5g(=m= zC;g76FDK+7*#4#{(N%PZtD@h1KDYs0cT>WjTTwO|Ikx>3xf#KQCW?7I5a=MYEz?l}S(@*A=NR7yMfBg>cV1$N>Wlrsa(R>ZHzrVS0o^&{J5AMg|ZD5hs9)-_trAJGdCDJ>lE2>s{x4( z$Kq`+goC+G2SeEc-D^&%HXr02cwT756M;f5BgkrclJ$Ga6aOHk7Dfag8?$hN52l$4 z0r&bOE!85zI2kFb4R8>O^@{02i|b94Mnw>Xw!@$73<^%Nn0FQ7bWd{I1>#2m8LKmX z>4yz6^l|~5@pRiW{^VMW-|=e0$PVKI0%KS$;%3wg;*k9{vW2_b-d=~xVkqWJ2R!L< zr#r$X@kw_|!@jPErPvxVZFf82g3xWdlOZBl_mjbXU#v^05-Kx(%vV&?LKB@(lX26H z1;Nq9(a0U*`%W$pY=%&VC`sUC8O&FjzUZ(B^Kh9|B|jpLGJ!Fh;#xv6844k}YQz&1 z^KP%NT#S!scnsU7zC-nO82{Hc?D@HaNf}lUDa|`8u}Gv{XgB%}bvPlX{e%~5$UZt$h|66hKfzlCaH5V+4*WUKAYT)k@L&?E zr%1=NofcX`%_n&>Y2GuCGBvi!C1d$YWRS0rOtjrsB1tMnha|;Ls zZVxv$-H6XWH^hNa+WRL&DE zteBEq-l+ps!#p-EajsE zUJ0ryCaXT)H^{^oI<7FI4u_3jAprtB43>xsJSUgJFzy}>`CO!_ zBDLsb#Io?1oaVF1IL1}LDr1OGbeLKQ7P9n+>ae3mp;XBae67+Xj=JQj9L76d)>+G? 
zCU_(0Y4nD9aIG(zm=4E|anGF~drn41nRGN559Y+2x9{}z%k5}_nO1%6mN?12B;AkU z$+!oTDnz5{ZD%TibzNybRji3m)&6O303mFSv3?LhsVg241hqErs| zy0LT&NpRj=w3@85T}%;k8JR9dF~vdU2kB^pOO=ulaGBfyo(%C3T0z<^86FgK0XnDp z!U4j^x$-`xk;mvFj}M*gY@JlcOuJUXGAa>@6!R0h2?r4@P^`GsVJtrhm7H7`mfF!q zNezrrHA-|-u4K)H7FxlMBi_$7`>+o@02qqPNV`_)45MyRP)H)!?AG(KMwLxB!STEE zp@rSI3r}3VIOl#4xMcMV@$2`RGX#x<>@&p8)w7rFZN_xJ|6n#lK#%%H=RIi75VjMu z8J`=68z)2>JlzpLU=5wQCQ?nY_0u922LI2_kJdE7DQ$sYIN@~2Fmv>#ArJZWrF1`oRK zra`=ZIYe#2;pp*8<{`qHk6&Vf2%gQgnY>y;oUQ`#PXWXw>+DHA9{yw&;>OlhmKCP?%k7s$< z*t+^#cf8u*VMp~R{qlpQzu;9={}7;Z$@#O4E~(efQVI3`s`%5tH>iAp#S2S_o>e6E z*m7^vy0_mp3vpwsS5s#W^6pH;Px_?~ODesqc>6ocy`9y){pwjNp&oPS&6k_JZNG40 z3DLKTx1RtIe*=not(hx(=x3Wb-P_x95WlyT^v_&tx#R8shs!ROB=|KFCeT7Hef{?R z^R=`#7F{%0CyQQwhpF02f`^ywv*`7srJ=9=BA%niFP>w%cfqx-ADhKsyE0_SLtqs# zoB$A4pHmz*{~nwqjiUBEe64!svJ?pH10F7#=i%0G|IT~_*M7*dOYO;ceqN_k0@n^0fctu+V0sm<)eK<}EsLgLKdKkEh z`}W2%!GqmZAo#fl&7s~I4=6X7TxD;>k_YUdJm?U=v#|ybKfA!pgMvn^179<8kFqrI zS)GTuYjL68JJ0{w1!f*>jac#!S%rry)OGZ58E4{wLQtEVd%ppA__u$%R1e^{2?9OL zAK&Q>pS+AS@nCPnk_Ygd=fSdz1~CIpM6Ny%TsZUGupSo_jpEjN(2RWh-AnbLJxYJ{ z_||-W=st1b%)$8=Fk;CAz6uY;KVL@=M?7Xd2&m0%s^0`W9Qn;sJzS&naBQB3)+t9k zWvSGH;pZwC-p*Tb!fnFj?Wt@WT8dCl!h_3&1mhnLUu@YvUHRm?ot8nNU- zzi;&*qpk+=ivZ&4JY0yIct|0r&3&tn03+W%>(H|C;#!@Dm(BAqeda>k#Dl#NOCAn< zsjCKY_@YB=@Nhk8=7C1z)_Ty46u!Jv57+5DoHx(IS--lTH1l9<#F7X7M%IJqL4){9 z0C9Ca1a2|&AfO3r9v%fo-gWU(JydiaUOLZ1@bF&#w{`UJ$%oB)5Kx $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;) +alert ip any any -> any any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;) diff --git a/tests/7.0/bug-990/test.yaml b/tests/7.0/bug-990/test.yaml new file mode 100644 index 000000000..cf890a618 --- /dev/null 
+++ b/tests/7.0/bug-990/test.yaml
@@ -0,0 +1,44 @@
+requires:
+ lt-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.38.129.234
+ dest_port: 53
+ dns.id: 28390
+ dns.rrname: code.msdn.microsoft.com
+ dns.rrtype: A
+ dns.tx_id: 0
+ dns.type: query
+ event_type: dns
+ pcap_cnt: 1
+ proto: UDP
+ src_ip: 192.168.69.156
+ src_port: 49379
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 192.38.129.234
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 83
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: new
+ proto: UDP
+ src_ip: 192.168.69.156
+ src_port: 49379
diff --git a/tests/7.0/decode-teredo-01/README.md b/tests/7.0/decode-teredo-01/README.md
new file mode 100644
index 000000000..2130ed1fd
--- /dev/null
+++ b/tests/7.0/decode-teredo-01/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap found in the Bro github https://github.com/bro/bro/blob/master/testing/btest/Traces/tunnels/Teredo.pcap
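Review bot: The `requires:` block at the top of the tests/7.0/bug-990/test.yaml hunk pins only `lt-version: 8`, while tests/7.0/decode-teredo-01/test.yaml in the same patch pins both `min-version: 7` and `lt-version: 8`; without the lower bound this copy is selected for any version below 8, not just the 7.0 series the directory name promises. Add `min-version: 7` directly above `lt-version: 8` so the two copies partition the version range cleanly, with the copy outside tests/7.0 (presumably gated on `min-version: 8`, not visible in this patch) being the only one run on 8.0+. The expectations themselves — zero alerts, one `dns` query event and one `flow` record with `flow.reason: shutdown` — are consistent with a single-packet pcap replayed under `-k none`, so nothing else in the hunk needs changing.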
diff --git a/tests/7.0/decode-teredo-01/input.pcap b/tests/7.0/decode-teredo-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2eff14469d6edb8f411e072b20f8dcd744b9faf3 GIT binary patch literal 26297 zcmeFa2UJwc(m%S10+Nv=AVZKOIp>^n&UqMM$YF?rWDo=dR20c70wRcl2qHNuNrHkP zC>cZ~gMh%>8;|FB@La!p-~GS0)_dz4=vlja_pYk0uKw+=qPrPtd6JI~U;;lrM@ImF z24;*)xm2ZaaDff*8cIjUAAq7yE(?YOC;`B1Tq6L4lU!J6EJ7y+(-DvW{`9{UBSDX~ zgUY~MEdaojl$8~gm6a8gbd=PU6%@3Uw3OtP<&>3_bd}{4z#p)Nwz8skpM*7-n`dpfFx`sNs04Ek22I(n)2+imLU;?TjL;5rz3=)LW_r?Qs=I{H~ zj#a?M@~xDab!q=03;XK4UYB3d z##LPshH!M3?^G^H{zT(wF&%V`_D6X*u*Ol-$wm%|LB5Fz+yw7I>6h+_7b^z7~=CQ#MypHr_fFlA-G4-RPPfCdk? z5o+@v6#zR>Ov7jRfA!q2I&VMLdGtT(oCMVQ2yjd#y%ryk2FXI{7oGFQbsST<_$L(( zKvz`qHY-%w3tbjSc>w_Em{^r)Xqf1bOfNqFWCzE?`e(}q0LYr$G)`DkH)snfy2PM0 zA-~IXVUqw52RT6Lmk!|kgNn*eR5;f9vDHAi*lbBDUcc=-mgylRj}}Pj&yn`4jyjK9 z7kQ#}Y#=pt$S#`{zsu8bNB}_HaNHFqsjS7lgs9xA{zocQip1=z0HCX5U z&f+j3Q85BMBVU9Mmz)#$h&aq3$ODe>;SuB(<%O}?`P+E;cyjUa35!WMvJ>E`disJ@ z96SR&+&t|Z#P|fb?fmV0QQUA(_hZr?2sjGq=^+l&Kp?!hR3BgDyR-JV*r5Ki9}XP*4O9O7Y|Af(CVb3#7_>oRj~9;rE>39~{5ueh`74I(b%ouq&*rAXfPJd(}k`u~&KP~C5=#jHli;t`D^N%?2 zgVuLcLLmZCJYH^gNDl}PAhi|K{G_&%@W>X|1>wOI$9Ft9F%dZf&I$ie+YuM~UtRbs zmF{DxzVvrg$(9CDWlNV>0a4HWUHQ+SVEm3s&oPzIf20D+f|l}~inj?CpaJ$ClujZX zAQd+RfD;j}V2BEs&`yN|LIC??Zh1KPmIi;J4<^#fUl`lT)6>ZffdQf{0MG(xkg~c< zumM-F5|mC_2bxvtIa%O{#DNGR3y}wePKBeXalVs>M}&i<(ScLIsedH>YatdS3PT@& zdwdJct&ycs5)uLwkrN<>p{d#e$I}W(TEMwc4kV5Spz*>1OfXaWZMU2@7QiYf{^N~)ljr3-#*fu5F*k|N}D$;kl# z?7M2@WeEXeP=8SRgV))`Y=dWzvxBC}F9}ZPNK`;K;`?1d5l}!AY{)@F!v<_=kT0O} zUp~jr|5Ez@*#dZ^0bB?TL+TV7aNII}Oi=Tr_!uTgqzE<|1~w5b!|}}XUo{X8_NdlA z=I?rR__#-%|N9)=vaW(Orju06AELwW0J22i>^$5Qh^^r{w)oTc|d^ z`2WZu9B2y}^sUN-q(gw*qCkh!9DEc?zW{|MX&dBQ-pGPvhT3%OTZ#^406^Hqhen6* zY@w$B3E(jN_yX`sI*gJ#Q$TvMoe(E!boAe8Zv0qt3V+uerLFBTVF}N?snH!AG#lhjXg$HE45LoT{1gA4#$bkMQA138hHtx!8ZFX8;f z`D8mSnJyo1##i`fgY z!&DG(S5F>j4$UjTFU-#iQ%3qA96bYh1h{$ag$VHE;BbT&=q(>lbe&P|Zk%>rUT#P@ 
z=!1BA@B~677XnX~y1PkuOYw4xadPl*9AAn4AjG8!dT)MqPT(9K6vfY%6X9`O;ZIIn zN*-`e2hhI}hdBi!y*M2Zj&9(T|Igz##mDJ~a^w;{CL_Z6 zouA0xC-?#SPF9Lx<3-ISf3L_rNB+!5~f2p`aA zL;3h2Bwz+0X+=FbIXP80_@x-+?%~KUVq)On?k#GpA)<)Vb5&F@3-B@&4pLI(gNu3z z!+m^^K8891s=lV${Mt5NI&c#%Ls5P=xOR}gn~|!MDbiTi*WAoURoKwOMbF0x4F77n z7#Zj&__%2*I}54t$~&mIAUy+v-Ccd1OniJC5n9GvK_d2ne1?3Qx(Zr~Iwrg(t^vHJ z%HAeAURrLh@(QZH4k&(OxUaJvuM0n~v6q@%fN+qL1WX&0osU<_Ma#@Y+toAJ*G*2) z$WGr+G&o4vKvT)XR}^Vt94x5f0IJo|)!W!z$U)hFSD7~$1s8QzbkkPXcXPA1F+rFi z#7qK(?L^HyMYKG8l!Ltk%;CXKrp7`DE`4Qt1s@-EF$YH@AtzrEF-;qP0eJ%lKZKf- zjgF3^if`Aq4)gLs`X7&tfAC46fhhrle;+MUMuy5<;28W-@9$&me{!lt|L#;f1^E6& z>4!(nFCqX&;0W;OuRzmk5VMb-nz;vLR+ApqH^`qCu?|T>8w)Do>lJn%?Ae~3^QiSK z6nUl+4!jBH#gVY?I66pX_VO|a5TW_xJ#1VDyen<+O3ba;%c}ZY;%$; z*MgKN%jPN)uO;s6aN-maA2*wJBB>Liffagc#zTD4g2+ z%a#Nh*9PXJcI)PE8DwN<+d?EIdpxsw?QUHqBlS_qYxWXLMiQrVua(PO!81lQRdbMz z-=Wrd*f(;AJy{hwi*=eK_jE(FonwxY)%C}hAN;uf~~S_M1brOU-KDc)YZDW%`Wl86>-L%*DUO%h8F!p zL3;T%r* zt*{9x>h%TVjR$Jf=OEY>Gw@|v0-1_4)j4+px{>Wk$17=5jCbCBrTW-p`rN~PM~*5s z`N`A-`n+_#k}13I>!yX)M`4rsaW9cwjS;qit}VHtx3Ol7P3Vtc2 zGX-=}0V?YB^R25^eTk<@Z+|48eeR#q4<$p1G`Du~C z)(C;gA&;wgF%RkGOSrw=8g&b^)-0VLC&2c+uTT#=&Z7kUwL6Tm$O@72u`j{X3l_a+ zwCcx5b!o-x#dua~+SGZSA)F?+{Vif%IY!L({|+%-1%BW(M>B}D^aG=d3p*BV36+?h zJ-g#{rcT^m`Xq6&jr7KtB{Dk>3-o;wBI7mtYYo|%VG{=}{8gR#lYYamXvQ)8=;VfJ zM*^MEi$0)4dWA2M(kZA$j|&Mez4n{-)xxY7e(ON&N+_(v?iZDl{vm;6<`K=Srgo8_ zO>%5ErfB*;)yV+I5D%)Ct5dUFJmq`>MPs~^iXLEh^;}-PiAy3tSyCc9jM>-Nb$|+b zycd2qK=k}`<2lhNt~YDrRxR7;iqG#~706|#yfH5qDW!&$ucI2EW$Chqm6dhR_`b{q zyceV;32%(!(yASUZsfWOasqg!f!Hg2(?%|xm(tmo$;o1gb(C#QUomt3H}L%sLjs_&fXn5g8K z-qtSMe=rnK7ARWy78$O5rw_k)e3Q&FJyIezmb@E@1HM%^);?PyO zU1Z31ro@a&zHnEWcAUUNAc#w9(L-1fE%TEXvYDq}4W7a$`APioKJ$d=Q!#eE81 zQgv7Qnr3bRFIn4eP*!8p>xlb=PfQfFDsh~Pg2k^Q-({;`eH9;bBy5f+b&*CRaZLB6 zbkQ@|S1K4R-{6trpdX^5}cQu=~oOnN-ypU*;Ox|H$t=H&W`w|f8&{$RxbX>Ia4hIHfgdF z(h>H}gu&jX!E0m|GkLUMo_Tz2e2!(wVLDb{ReL3L=8(f!3R_taRr{EleD{mC@_wWB z%coc6HmEX}!-Fb#rUX8m@@Ghw#xB`}r-#QubK_!^A=f2*YgGYnyk~2liiH{9 
z#RV2S(6_M|zE1nte08TS{@G2f$D5g^x~R#5y@MSsQn9D@pr|}mUH*|cM!6vAlk4F8)>sEHi3jgzty_!AW0DQ2VhU6}jq{A>vM z$X1EwHLOk5U!m;Vs9l(b{CH=8;!LPzT}o)oR|;JX*PUF<-ekgO0X{VE7I5}>nR!Ob zzAp5m7$>e@_dJgHc5yHK>}&%6v5V{Bz*OkD0=c+^ z;2aa;IuCL+1pj;qrIRyTbY-SQ2&Xl!{fyJ-{9k-+p=loazdN(_Tsg*RDjK$L;QEHX zA>GV+tNguP*M$1~c>+`bxeTR^CDJ&x-QYHl_UQWPrj#2ty57^ZWdaj=#t8fBI2PS` zOHqZk*zuG-)f3#O8w%S=sNDR&!SICuT!*;lRS z8M3rt1Z0sPv2PBcopQWP;t;{30@KfnNw8SBZbv0(O-rvWkzq2IA}X1}bNv=05yH*P z)>O9Q#S|W|cFNbYUmoaORkd!)rxN66uaEJe#vR}8&oJj#VLbnSdb-_@++rbg`SL(M z^3^+v^o|M>ywZm+uCFWm1RUJdD66lU`Lut=ij-RYOFRm5nomoCLU~z`%$;g?bVsz6f>T#32_G{m|ve(S& zePXLZtH{f&u+>V~f%NK%gwqed=H?us<;P_5uTp~n8_>q&(9nKo*)zwM&Gz40w)eO$ zv8*{{+1?;m#sMr~2n^gn>6hS5d)y+#_2$!`xnew7;({z2Bl6!3-az9COnNkHsG4p(3Sn{I{?R2FDfuH`eq2R;))K z;fU}-_=v-tQ7A8Q9-b3HH6F;Z{oiQN|97H6&=`LbjrY5_OwzHJ(fae->pzdnc#nr% z^d10LWjPWl{yz|xF+iZesLpr8Gcb_S4;JsN;k+e z(9mB@TC*T6Y!@BWlyL9M*hUp*XN(W_^pe122~;to>4w+BK3u?c^P2kdwPia?+^gpK zPQR}Wa}y`2nq;mL=KhA6Jf?CgG4kqrO4MXv7H+em&O`mkS2P{OGjf}=yfi^1y*`Xt zAEb}o*YeK^$SG;gg}qLkS)C!w&N~;}5=2F|8UL~SieqRge^(pc;a8L$-iJ!6=1)$~ z^TfzoZ7xdAz1u|bQn_)aG8Hqu@Jk5Ied6^X8s84 z;E+ywbZqLa=aSeQRr;keX?r!Ru1`w(-_2bwm}7_A$_VJd&-q+0r1FrurII=uE;xJU ziC9I~7>>Y8feFVEs)eFMjM7Yl)TvbVu#Owaw_ly!|#GbIHIs?$Fh z*_?@5RK;dNF_B$T#t9T7Mq7!I!HwPa(2sgGC!1tbNb3{lBizP~&yM-HAch2U;;kJG zA+}RyDP_;WrhHUE5(+P}@hzJ_&SxvLm%Of`9DJ|nC4KlZh5*8dBDz>lsaGNEFg^T6 zc7_|?bt*vYW87E(=$TDLgFr46q=*AC0@%Sbc5 z#;5if>m}xv*ZUSef_G;gy4)#GPN>zg7MYtEud04XqL$)^_9jo%@KuuJvs`SYjwyBH zl%cYI{viS7>IpJ`-u6}5s&_d$k~ww=qc>^i3djpd;%WpVahrJ{_O0^`dU&J@(MEA`#ZWn-pko3MVNVb1M;zF3`x;Pniz8 z2`Y?xY{izZXrCJ0I@NcksJl$=E@E!CpHC)yN?p5DO(A~zV@PH-jCC-i?vZ8BlFRT? 
zoJ*6A<@1i<&;vFj6(Pr&t%?XkY&}n(rypchMz6jf{QL~<=Kh768`rkr1&%f9r$qDD zToMEl-~t_-D{^6lXsG88koZPjqCE$WedW2F2Zf@g#g_7+eS5)VyDgkM{I?T!NnNsd zN_E{uv$w{V0t{N}=r8NgxAWL!KU#RxrL#gW&3`m2gTL`*OGc)7deQ;4)=aD2P6_`S zBeOcQ%wrJ63x^-+p6yO=#>Jac^B*l+%xuN)>BQF@HREw03&7c^*15F5HLgSZmIXU$ zZY_1@oOb-8SQ$Bjxg5rCSeayS7w#Gl-(+Yg^Zkr-cWnDn5=CKhf17)QfKa0LGcDN} zJDZo6(<5Yy_I0h6oKjz48+>Zt=dWHiO}Wjtty+7u;vplLRMDSwR1XH+tI3KolbqsLsj;ygfg>w{2ph*srBo5Zn|pE& zBQFGs4fyQhw7-5;Els&R%$J&$`9`9_T{S1-X0~X9S!ny@sjQSL1`D?6$|QRF3ssbP z1CJ%UB}qS=;igT@x~51PEHCalrQ6k&H=R0Qx{pYoyg_@Tv`V*1I+sWEd-N1mSiCZaa%sAzPW5{?@#SO!DU+R1Gn)qf zlu-Jb{85y+&mis*G4nHzm0qgFD+5P?(otCGa-SU>dz}(%S1(LQ4oS*MVrFj0T$Wg> z{irB?`!4HQszq#$4@R2%vv^j*m%66a*lUvQoqI|zI_)dpxj4W<>NIjkv7y3QZs*`N z=}62vzb?5pF5#%Yg`(g}_Xl>13hBeHK+-JX*PZ)!%Uk2hU!2nDfY~{`lVx1FD&I`V zunVLo%RRB=UXmS1+>c>R#vr3b-(a6Y;z`X^!}_bKna}P#BC63&+@&e@9%=a+rj@}@ zvV*&{VQ6eJ@jIX0VEAyp;ls9i;n5BQ(=6&8zhC2O;%(|lxvnE(8z|fE) z?#_CxU?4to4Vk-fayl&*t0d-p(i1=Yb2m3?v1!kX;%Nor^dt%T;oo|HB@my&#Y??k zFMK^p=w1>X278{S2l=NIuq36EK~=^Tt`dWv>?|Hf<2|N+6@Bg;eop0%m1%i*lfuFN zaDP|w zsjTVq-b>QcMUR-~9YZqcZ<_AJ6@8`hZo2wFdITvV-qcj%3qO4D{s#T5?NyhN8uXUe z*IurdKf1wpWVCpYtG{;f%CKdbj%t}o(T&Od$T5PY(7LCC9h2X>9q5i^ArDh=X8@0IxUAF0vqCYR)&x4Gt;eUW*o zQ;fcOaT#qd5GPMLYNN!(VHsm3J)dKu$b+BfeRR4qK?Z{|;*S1@fv0f|axpGO#NxM% zuhay&EPZglv-7wig$C=W&nMNBn@Ch``N?PN^n|g#eq!EERd-JlF)v95v)owI>))tN^Q{NwsGyMw6Dz$taWb<>?es!m5|l(cT4i9 zf?v#Qap-o`BJ`TBSKAG7ls~a;Sjkbk^KdCYCN|er+kSPioN>}V)VIG|%GA~&u-`>Y zzsRKVxmQ!N5GGghq@;_Mtt77u%kJwN?x!+WM+nm&(x)(BHfG)!8<=hi-dMU%q~o9W#Hg{nK7&I-!HWkY zC3Qiv;1;=XNH-M~N(?NYZ>GDzLiOq$4IAEt5eN9};h5gR+49qL#os)I@u?y+@NLoL z3+tJ;f)4`ZYI)M}{gg@;xso0Ub^FwdRQ5K{5N3hXjiRnFkTr79F zU`#W*BQ<=7_c|TrT2)m#2~QWrAbD#6E%xWeQGjvjKK!LzT_&0dX7(#=Z#=xqGiZe0 zP_AfJ7wP7p!T)PDENwgp>c141SfaF1+B3qCx_&5)y&{S zk4de$Rbs1)ysbl_Bmrp;d)!_vRy}o-X4x9O>{~4p&OxuhBR9IzcqawZF&zg#@$25K z+(K(f16Ms=2}Rboe5P7y?Ca0mRM&tHDa0cMS{O|NJkvJ589pV$vTu$>!bZ&P>u@h~y^v zs?YzFIhC_=Hyn1_PDAPHBhLgb=Jj`q92r{7@4A 
z7nWPVx2cYb2+ZvIX#TwLeDqFfj9`3*MnM%_&u8o}hHZ9To*Q+V4PB${uT2IlyDje* za7dW4cKBJm)a>X>7(G|^LX7VwX-2%F05x{q+ZOkS2?~1^A*WvCSeJcSj6gFJ7YItb zOm&-kq%+~cu0!};quYy*whqVg6=^<&-;c1(%x9d~l;EdKV`N;nOr(o_SxD#fHMu^~ zO+qnIit>DBD<9R>tBUEW9g){zD*PDar+47N5l=665OW3-Xhk-Xlm+OTk3JHugN-#z zs{7xle>coB{&2AryT>YQJ#CS16hcga$G=6))MLbK{O=Gmiv0&-mcIgkE=HSK)d(gk z{#z!|o;R;(W{ftZiTH6mDlejH)9dNcsEF;@+;y@RDJZx{;VWH!_)Z$_pt}6ty6?W3 z*dVLV+t|z(9$$>N`cd8{G#i?O2zrU?_r2za`Cf_)3#t zeYY_FjutLa+jm9`YiCgU*F~9ymsLrxt1@f%uqwy5oMG}~8F&#@9(GNk>jV63Ah`+m zZRuiKe!I~9F@?+_k`^5~w{Y#FwbA`cWW`XUpp(;ecxxIa3tn`0Cx(TR$v zMg=aByj;NO4;}Dz*hr~Sut)1Y9r+laTKKgH>$? zp9a3W$5WJKmJioinh!K{``D#s{z-v(+1B^Q)eo8Z$<OWHrHIh%;o9X_Y5 z5KFRoXj~FJ{7&}%`#Rs-iR1M9HfjS?Ia}ALE!IQyiXO%lB7}w^!WVcu4lq7qGXFZn-Z2z6W>?;f>U=khkARCHcd;-x{KFa ze#+w#j>5djUgD)e6AdCtng+eDcWGj+Nh>R+qqDr%4~g;V%;3WY?|nS(1{7{J8@gJ+ z3-~?7M5oV8zwJ!w39c2K-TjIT< z>valetFYO7kmC`MW3X2#{)(!!cAhYIxo)N_eQc?f={0KOJ-yrRLw;kE=JI>j?_cvz z<_@)_H6@nUuny|Wc}riKPU0S_aXa);)Dx;9iYm5@@e<*0E2Akwjm}r)$Ur{S{;AL!K@R z?BHP26P)U~jMH@KMZ8C_OhMQu$;PCc>3l;1@<5HWwV0^-Z@Ec@JlKg*7rg*@$ba4QkS z^}_St;&j?EPB;8_I2||p1E>AK6~(@yLj(~-3RPQN=C||knML>SEwR8%=PcU%W#T0D9z--Ney)f_YN+C-KPE zuQyN}ZW82=IODyUO(5{8rY8&)J9LnVmN|v-aD6H58Kx>HDyw6FnaAhut2-`4t&@z_ zE;{cd#1PwfvvW_LOprTBKVx4m%W69q>93c(x<9$vfD?w&N;OK0A8BHEz#CLeFpg%4 z%Jt$mwQKC5QXApF$c%s;3VdYc4(*6nLkJW*NZS>^b@I9pP^r+ucixxZRAT$i*9Gb4 zJ$B141y(gY&k$K4>)VFzXPU1sCU0ey=)c@bWNs@hdZFmTAANDPd3)dW(-y1BCyCT= zVW9+(1p}8W+^*Zdt7R%0@mzn3m72x2D$F)|=KTs*eVT~kdDfA|)4ru&$bP*qg zU}R{V;pcsNqiIFoMbQ-KB*0!dZ69)%M~8(t`}NXlBj08kuSvhMTIjWLdS-)%VZ*Y` z6G?RHwI;J?ZqF=ccfhhV;beid-1&%^ZV{h*ZMmJbBtWr1VxEARNIGPt6P;Z_xT9@Y!!fc{0TWpi)f0J zm{2c$ov_R{#aWu&TR|_rfOQ=QNVm*^D=Y@SMl=_Fx3(&DSU$!tJAX-UKGWg|t}Bjv zG1pTdgN5M}2n&6RSu(#`S9{LHyTpEaA8Rf^tgU9BxJ~Sqvyc(E;@8^F&xB+0-TkhL zPjJ`6Z~V7!dna=hb7k@QAHpvUd8+!r2Nvh6Ozw%^6rH|#XABGdTeIMmtWZ6nuI4kr zOt-QRCGNeV?}g3obyqGsE!FMXi@U`ui`>v-c^gtoG3}^JOYr2bx#zkir?!yxv)q6; zrDqB`AHBckq1B{rWJ~zenNWuO*>=&rPI+As1~uY*+Gxufs*kuuu|@V;*TXCyNZUlS 
zgeaxI$kR{CE8yO}&CEK{Q#xV#)|bt&ngWNN-6?g+;j^W9_mhdIrCoMxM+{WrPa1+M zxR<@s;6^czt|tWdn<20rOuFL@<~oe-SC;h+)$4z`%`xV5PhP9RK7WtjW`Esn$%^C> z!cbo)4@FSLfKR!FYa7^yq3)Gv)Gol}aqHk6OeGD*@D_+_I-5>5@5vg*&gy zDn)!wZ*nKTeU|fJf-$$5Nn^4<=__i{0JG~kiM01*&e;c<$t5*87rEWVpXtzByeWB- z+vI4{pQfdpwXI#X0Eb&A3&#-U_cV=itXCHVVUJvMGpWOBDYJAPclBa9qP^-r;)O@< zQDVFiiZrL@Hcpi4wWM~R@G8uG#z#-HbA)Choy4lP4X|0n1S7+D5oNrx40^6StP zybm%%OldsaZ8P^UMxCQqY4O*y8NQd3D^p8!RFH@$S1A%cKwcEg@M)Z$Ey83T;g))Y zC5yg^)z@j~{A7ju7C>_~Cuuct)kxnA_f?CmQKt@#tUzDCrZe*?)+dOs8rF-<7@zmA zSVM>@*@yC`dx~g;^6jW-*3<3JtSsro z2lTa?4G;1Qn=6M0wm(-|_&GoOTsa1QFIP(VIR|{MtOdW9D=+#v?|iO25U&iCSiVFz z8Y9VOl=TqD-)H{>%@+_JA)ZKy8TC3t*P#$EkJl9Myf%xYJ} zFf_U>J5bqhhX0*%mH5;RSnXTIXP)>J>qp&ajWl`o1h(_Gx@f`#?a~inIi_oqykq=J zd{qdn*4LX>hm%`cBoC@}EnamcE4pc<$*sKrYzP%Z2-DhbQ!0}Mz6=;}l*L7}X1>hg zfUnhiBq?6Sc~`Uz>y3If{I>Pih(|*78oQU!$B|@olVn~bvr%fDeV^f9H7htfk-~-j zpCewZvjw{AEZ`;VEWGfk)L>FRP0BH6G;?dYKX_V6?2cFht?2BOMd`Aa{3`Ra)(6WL z%s6_8e4V(PU%X<)St4W(G>q+LA!u zKd1F@s*7X!D^q{0Hk0!vbMCE93DUtrBf{(1%pV;~Y%jh1w+nDBptxOfycU<2}p(l3(h#esV>LCNL*Cb?9j zf^+ciBtPW@Zk7tL3&P@u8ie72K>gX4<~eMD16=(IrIToePMgXEwFR#6b6e1HM2nn* zV~$TCfMontQU8J+RQZ2D|G&@xGzu2ye;NfRH)6}g?HwDc{@)Dsf>KG$-0ut(8hvOG zagQ4~0Jx^~IGr?0Kqr;?c!*K{Y?gooiA~Jh@el(!{F7N86K}+aSO9>iEP$yn;}Hlk zQ>n!H&Dm#{(PhDdYYxhxmOxKna{{{3_k*J$CSKq@XvOW1v(F%E!RmN_Q9FqaywIs- z{MdsP5G9Brpo`5Zy_d}jQjGBePc5?m-}fN3htNrC5VazZ+Mj>FIH_f}%NWP9Jv$*= z3`mg;I=RgJkH3PTY2pE=!4VFnlc0ija2XS#vOoEcRKTOUVuk+I)@%?Xx&OpSZV)5? zeiqsPZqEL{zd8GVTCn>cuCyk=Gvxxi1KK(Zt^`KGkGB*<2KH$8r{g0}nk!q;B4n-{ z11HRtP5OQa_`aovL8Abo;*X0DOo3a3p>%S*Vht62f~cH7|F5V_YyZR2(%+nS1+Mhu z`}<1IALm_t-?Y!A5AL-`_=>~qp~J`s@Qm$zg1|GejyLrGxeWAQul_XUGH~;BvICF7 zQ}Kj3fE(ty|El|A+pmDI5I9l(KY5lGv~T(6jl=-P8}p@r(Q4A8oCbNnKKI&rY)#cn z7UG41XvtpEw6WLzI|j++SVgH^kC@}i!w#}j=|?2d7bl2n4_;H5o$X1STgyz(1U5aZ=V!EiJw$9#j~G3g3z)^snbz`E^a zgJ5d1E3P{$HT${SNs7y3S|}_c`pfp{yZo9lL%gixvC63*&k1=smJRHE&?&l8Y(M?v ztbmcJd#v025g|b=rl)zAaBF1z! 
zRLOL*fZ^AO9oC;E(@s;FB6ZM1Z@wc9rn!9%+(F?eb zhB0|JXS>DW&lflkYW%VXmEl^2T%QH5Id~`XP}*xAsn&?C zd^1^rMHE`iyuT7r|G3|CiLvQvlhN>X1BEUCjw|`!B6zU$1b0u>Pw(kT_Fq_% z=^(Q|qv_~EkU>6ePT4!np{N2AG9=!RElP?r@VR<3SLeB;)Lj|?_i9#;zeHiiHtSCH z>O^MyB*upCj>D%?7D~RIcgZgI^6|Ie)%VmKX8Sdc4C`=Dz2OiWOo=Z{M9uoI*JxA= z3iF3=;%RPAUKO74?T&dQ!cj%cYh7ksJ92~X5e_^3lx2g>Bh?RtZV1VI-Yd@M2Z$Ee zSDt0RS{{Ei6DgN)SNTCw_q^Swd8zF!HsKvd^`v^Df|_U5?0s0doi`$w&RuA?u6x}o z^@*?LMX}JTs+!Dp<3%R!dj$Tu_GIr}sV`i8y1qQ|8s;)}TG7(`^*SRDJ^IL*%FpW| zY#4kRcUNV1nJrW58nmhcMxTjp95Ld|a;!U}WbUI;Zsgu%E2v-`eDzg8->>?4OwG*u z^>vfhLGS4Dw@+!JyA21>uJ<87OfCTY->mreOrj>x6+;PXN-erW+J5pyZ! z@CU+%)SeGuJ#`gcYrQ`Po^WWbacZPnveNZs~z{Y(=yKBk7f3I$XVR2%!!I~)D zuFMvGeL!2Hc2|1g1FCmGtZgP`;MrS@c;-{>u5&Y>Z>$!&i86`qksHbu-SH(ps^7V!r1>WtBtqG+#dMY#nT-n1*X@ z6FsAeHGQ`InMjL9k(I}O_T+BQ&81qu2Wo9q9r3}|6AntDsd?BVgqu(B?rz`luoxiY zh@rW#+(WnPPETx0C9`}@g1u-eIQR8yR#M(5b-l1kt98V?bffahPl6m*CIwb!({QdB zOrNDPH_VSw?QD6RrFK4q2B&!aKJj6tD@;-`7n|!~&SGiiX(H+5(;D9RK2Y7ZmO&{ zs$wLZ8CSo^qC4IvrO={cCjLY{_Ugi|-d65%|LL}~`zc^i{?ky)L!GDHzdRQ4KePFZ&}8P9qyv8_Q)d zut?!P&cZd@Nz7}i2Q6_~4a|7cUoyX*b)Q<|K8Ho@rJu7J z^0wmM@{2@vt&O_DX)QttxPzgCLq!f60be%vd!;v->_L%H*>i?>0u99u1J@rPKECvA zP3oIXSXem?!)sv2S6qU7iqj_5pCZ8Qe3;7(){fKT0eda&OXkbf#w9{Ldr47q@7_FX zUy9mMVeP1!dv@uWHwqOP=ri!yQdlyUV&q#$zkAkLSkI-&8VuhERf4#ULc8hLhpyIH zM6vHaw!PVMm)?5f{k8tx(S&ID!G2Ow&wEUqp3Td9Wd57ynshfjHZ~oPC=??c{QTaI ztYO|~G{M_`N2y^s-NJKsRR;g8XteQRNS3<&Ljup@v60FTFkug24U+c*i&>#dq14vn zRs`I}aJDU?tFAiqOH`=0_g-zip|qvjuJrA{v6;~2M|qtl_M+iK3e)U+>l_hA;a@!D z3vPQ^e4(YM6z_nkVXM?;dtAkj*d=aWi5AGd^X`qe(;p~~>&dlMCt*GF^-gW0&1{-XK&dkX;t$JdvZsDie=7k&?W|&UTjYvL@MVrz} zyF>m?bFx$9i$Jk2KfDO<^qm)_bQY3IM!@%=SwY8r^cDG&xh&+6ooNsz_nr}z6vBNS(j9vG9eE6C9Fo`?m z5zlk`))s2if^SYk}3tSTvME?AJa7@^Ky*t89QC( zdHz__V!^LpO?mrLGKoJcA2xQla(|>kTf8?*>V~_2&hh%Sg&?9s>44E})zsk7To@TI zg!rc@e*50QK7Mah{@oRY-Wx^X(0fCx`ulssxtIXpzy!lqU^?kjv#I+o!79Uyj84tjHQ^I`Z>89uCn*GG$WQ%5kgjrVCnkbb0X9AzYyzh4Kn zjqc@{h>N)>LCxv^Yrhif`D-6Vwe5TKz+>B~4X>GgG1q9Eusr_t+Ka_5D_(hteH5D4 
zG(|PLL2dJno!qR!5uQdKs>!Ps38jXnM0mao6N_Hi)(a}kB-V18U0B=eFLKX{ z!N}lptKX^=4|xSK;XSGh)(4}0&0orGG?npm^PfJU8}HTb+}b;@Y1KPNYp-3BwsMoc zKRBjXv8;~K(|)hv6}?$6HeBEPCwy;N_0|27kM8R~@Z9=1>q&p2w17+cvgvO=YV=xvLpcwO)49Bkg5BHHQ3f zoRpnTn%eo!nu+=R#kxdyUEtmipdhpG}q|GcU53BcOfjZ1Ik&yFaH+2ulj~yIs_N zUORV_%q!c=-#00wC7)k?<$6?J)y)n2uDo&j9<|e4V{hzU?+w|f%2}V5Yj0<{EmOUG zbz^hX!@LJC4j;?PD*k&lF3V$D^=|21|GksefB9Q}V);`s^MrkID|VP~wY~dv-@e>t z-9MMNrCD;@hTSQ0H#~LsjnO}v2TZI$)!cV&K-`9 zj#p~gp!@5igp%LB;At=3SodmNY`&Z0=K4nM(xQx0O->tU)U;0i?_>A+r@HEuuNjN} zY`t`z<9qp@8OOdT8^{LFcT?Lx?z7+-^%_jTd=oWKA1o2yIA4AGA;M5{O!lp zr|!CZ$J+O@kKS@r7fX4`*b<+yV1x4dq;p|YzUq~u_;<-<3iCIl{j zR$!JtYf1tH9b|mB0~as=OR+x_@GUD|@fJL4at^ipSyKWmf1*KGca&^`n4$(;28U;G zPZ;c$;zOEpx1&@=M85Eeg7z7v^7! any any (msg:"Flow longer than 20 seconds"; flow.age:>20; flowbits: isnotset, longflow; flowbits: set, longflow; sid:3;) diff --git a/tests/7.0/decode-teredo-01/test.yaml b/tests/7.0/decode-teredo-01/test.yaml new file mode 100644 index 000000000..352db7671 --- /dev/null +++ b/tests/7.0/decode-teredo-01/test.yaml 
@@ -0,0 +1,570 @@ +requires: + min-version: 7 + lt-version: 8 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.id: 16995 + dns.rrname: ipv6.google.com + dns.rrtype: AAAA + dns.tx_id: 0 + dns.type: query + event_type: dns + pcap_cnt: 21 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.answers[0].rdata: ipv6.l.google.com + dns.answers[0].rrname: ipv6.google.com + dns.answers[0].rrtype: CNAME + dns.answers[0].ttl: 8655 + dns.answers[1].rdata: 2001:4860:0000:2001:0000:0000:0000:0068 + dns.answers[1].rrname: ipv6.l.google.com + dns.answers[1].rrtype: AAAA + dns.answers[1].ttl: 300 + dns.authorities[0].rdata: a.l.google.com + dns.authorities[0].rrname: l.google.com + dns.authorities[0].rrtype: NS + dns.authorities[0].ttl: 77923 + dns.authorities[1].rdata: b.l.google.com + dns.authorities[1].rrname: l.google.com + dns.authorities[1].rrtype: NS + dns.authorities[1].ttl: 77923 + dns.authorities[2].rdata: c.l.google.com + dns.authorities[2].rrname: l.google.com + dns.authorities[2].rrtype: NS + dns.authorities[2].ttl: 77923 + dns.authorities[3].rdata: d.l.google.com + dns.authorities[3].rrname: l.google.com + dns.authorities[3].rrtype: NS + dns.authorities[3].ttl: 77923 + dns.authorities[4].rdata: e.l.google.com + dns.authorities[4].rrname: l.google.com + dns.authorities[4].rrtype: NS + dns.authorities[4].ttl: 77923 + dns.authorities[5].rdata: f.l.google.com + dns.authorities[5].rrname: l.google.com + dns.authorities[5].rrtype: NS + dns.authorities[5].ttl: 77923 + dns.authorities[6].rdata: g.l.google.com + dns.authorities[6].rrname: l.google.com + dns.authorities[6].rrtype: NS + dns.authorities[6].ttl: 77923 + dns.flags: '8180' + dns.grouped.AAAA[0]: 2001:4860:0000:2001:0000:0000:0000:0068 + dns.grouped.CNAME[0]: ipv6.l.google.com + dns.id: 16995 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.rrname: 
ipv6.google.com + dns.rrtype: AAAA + dns.type: answer + dns.version: 2 + event_type: dns + pcap_cnt: 22 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.id: 19995 + dns.rrname: ipv6.google.com + dns.rrtype: A + dns.tx_id: 2 + dns.type: query + event_type: dns + pcap_cnt: 23 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + app_proto: http + dest_ip: 75.126.203.78 + dest_port: 80 + event_type: fileinfo + fileinfo.filename: /cgi-bin/iavs4stats.cgi + fileinfo.gaps: false + fileinfo.size: 589 + fileinfo.state: CLOSED + fileinfo.stored: false + fileinfo.tx_id: 0 + http.hostname: download913.avast.com + http.http_method: POST + http.http_user_agent: Syncer/4.80 (av_pro-1169;f) + http.length: 0 + http.protocol: HTTP/1.0 + http.url: /cgi-bin/iavs4stats.cgi + proto: TCP + src_ip: 192.168.2.16 + src_port: 1578 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.answers[0].rdata: ipv6.l.google.com + dns.answers[0].rrname: ipv6.google.com + dns.answers[0].rrtype: CNAME + dns.answers[0].ttl: 8655 + dns.authorities[0].rrname: l.google.com + dns.authorities[0].rrtype: SOA + dns.authorities[0].soa.expire: 1800 + dns.authorities[0].soa.minimum: 60 + dns.authorities[0].soa.mname: c.l.google.com + dns.authorities[0].soa.refresh: 900 + dns.authorities[0].soa.retry: 900 + dns.authorities[0].soa.rname: dns-admin.google.com + dns.authorities[0].soa.serial: 1345503 + dns.authorities[0].ttl: 60 + dns.flags: '8180' + dns.grouped.CNAME[0]: ipv6.l.google.com + dns.id: 19995 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.rrname: ipv6.google.com + dns.rrtype: A + dns.type: answer + dns.version: 2 + event_type: dns + pcap_cnt: 24 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.id: 38477 + dns.rrname: www.wireshark.org + dns.rrtype: AAAA + dns.tx_id: 4 + 
dns.type: query + event_type: dns + pcap_cnt: 58 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.aa: true + dns.flags: '8580' + dns.id: 38477 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.rrname: www.wireshark.org + dns.rrtype: AAAA + dns.type: answer + dns.version: 2 + event_type: dns + pcap_cnt: 59 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 75.126.203.78 + dest_port: 80 + event_type: http + http.hostname: download913.avast.com + http.http_content_type: text/plain + http.http_method: POST + http.http_user_agent: Syncer/4.80 (av_pro-1169;f) + http.length: 0 + http.protocol: HTTP/1.0 + http.status: 204 + http.url: /cgi-bin/iavs4stats.cgi + pcap_cnt: 19 + proto: TCP + src_ip: 192.168.2.16 + src_port: 1578 + tx_id: 0 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.id: 26746 + dns.rrname: www.wireshark.org.gateway.2wire.net + dns.rrtype: AAAA + dns.tx_id: 6 + dns.type: query + event_type: dns + pcap_cnt: 60 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.aa: true + dns.flags: '8505' + dns.id: 26746 + dns.qr: true + dns.rcode: REFUSED + dns.rd: true + dns.rrname: www.wireshark.org.gateway.2wire.net + dns.rrtype: AAAA + dns.type: answer + dns.version: 2 + event_type: dns + pcap_cnt: 61 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.id: 34278 + dns.rrname: www.wireshark.org + dns.rrtype: A + dns.tx_id: 8 + dns.type: query + event_type: dns + pcap_cnt: 62 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 192.168.2.1 + dest_port: 53 + dns.aa: true + dns.answers[0].rdata: 67.228.110.120 + dns.answers[0].rrname: www.wireshark.org + dns.answers[0].rrtype: A + dns.answers[0].ttl: 14400 + 
dns.flags: '8580' + dns.grouped.A[0]: 67.228.110.120 + dns.id: 34278 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.rrname: www.wireshark.org + dns.rrtype: A + dns.type: answer + dns.version: 2 + event_type: dns + pcap_cnt: 63 + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 67.228.110.120 + dest_port: 80 + event_type: http + http.hostname: www.wireshark.org + http.http_content_type: text/html + http.http_method: GET + http.http_refer: http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search + http.http_user_agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) + Gecko/2008032620 Firefox/3.0b5 + http.length: 3651 + http.protocol: HTTP/1.1 + http.status: 200 + http.url: / + pcap_cnt: 74 + proto: TCP + src_ip: 192.168.2.16 + src_port: 1580 + tx_id: 0 +- filter: + count: 1 + match: + app_proto: http + dest_ip: 192.168.2.16 + dest_port: 1580 + event_type: fileinfo + fileinfo.filename: / + fileinfo.gaps: false + fileinfo.size: 11845 + fileinfo.state: CLOSED + fileinfo.stored: false + fileinfo.tx_id: 0 + http.hostname: www.wireshark.org + http.http_content_type: text/html + http.http_method: GET + http.http_refer: http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search + http.http_user_agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) + Gecko/2008032620 Firefox/3.0b5 + http.length: 3651 + http.protocol: HTTP/1.1 + http.status: 200 + http.url: / + proto: TCP + src_ip: 67.228.110.120 + src_port: 80 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 192.168.2.16 + dest_port: 3797 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 0 + flow.bytes_toserver: 151 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: new + proto: UDP + src_ip: 65.55.158.81 + src_port: 3544 +- filter: + count: 1 + match: + app_proto: dns + dest_ip: 192.168.2.1 + dest_port: 53 + event_type: flow + 
flow.age: 16 + flow.alerted: false + flow.bytes_toclient: 1246 + flow.bytes_toserver: 399 + flow.pkts_toclient: 5 + flow.pkts_toserver: 5 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 192.168.2.16 + src_port: 1920 +- filter: + count: 1 + match: + dest_ip: 192.168.2.16 + dest_port: 1576 + event_type: flow + flow.age: 27 + flow.alerted: true + flow.bytes_toclient: 108 + flow.bytes_toserver: 108 + flow.pkts_toclient: 2 + flow.pkts_toserver: 2 + flow.reason: shutdown + flow.state: new + proto: TCP + src_ip: 75.126.130.163 + src_port: 80 + tcp.tcp_flags: '00' + tcp.tcp_flags_tc: '00' + tcp.tcp_flags_ts: '00' +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 192.168.2.255 + dest_port: 137 + event_type: flow + flow.age: 2 + flow.alerted: false + flow.bytes_toclient: 0 + flow.bytes_toserver: 276 + flow.pkts_toclient: 0 + flow.pkts_toserver: 3 + flow.reason: shutdown + flow.state: new + proto: UDP + src_ip: 192.168.2.16 + src_port: 137 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 192.168.2.255 + dest_port: 138 + event_type: flow + flow.age: 29 + flow.alerted: true + flow.bytes_toclient: 0 + flow.bytes_toserver: 500 + flow.pkts_toclient: 0 + flow.pkts_toserver: 2 + flow.reason: shutdown + flow.state: new + proto: UDP + src_ip: 192.168.2.16 + src_port: 138 +- filter: + count: 1 + match: + app_proto: dhcp + dest_ip: 255.255.255.255 + dest_port: 67 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 0 + flow.bytes_toserver: 342 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: new + proto: UDP + src_ip: 0.0.0.0 + src_port: 68 +- filter: + count: 1 + match: + dest_ip: 2001:4860:0000:2001:0000:0000:0000:0068 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 0 + flow.bytes_toserver: 52 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: new + icmp_code: 0 + icmp_type: 128 + src_ip: 
2001:0000:4137:9e50:8000:f12a:b9c8:2815 +- filter: + count: 1 + match: + dest_ip: 192.168.2.16 + dest_port: 1577 + event_type: flow + flow.age: 24 + flow.alerted: true + flow.bytes_toclient: 108 + flow.bytes_toserver: 162 + flow.pkts_toclient: 2 + flow.pkts_toserver: 3 + flow.reason: shutdown + flow.state: new + proto: TCP + src_ip: 75.126.203.78 + src_port: 80 + tcp.tcp_flags: '00' + tcp.tcp_flags_tc: '00' + tcp.tcp_flags_ts: '00' +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 83.170.1.38 + dest_port: 32900 + event_type: flow + flow.age: 14 + flow.alerted: false + flow.bytes_toclient: 11789 + flow.bytes_toserver: 2863 + flow.pkts_toclient: 13 + flow.pkts_toserver: 12 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 192.168.2.16 + src_port: 3797 +- filter: + count: 1 + match: + app_proto: http + dest_ip: 75.126.203.78 + dest_port: 80 + event_type: flow + flow.age: 19 + flow.alerted: false + flow.bytes_toclient: 445 + flow.bytes_toserver: 1122 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 192.168.2.16 + src_port: 1578 + tcp.ack: true + tcp.psh: true + tcp.rst: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1e + tcp.tcp_flags_tc: 1e + tcp.tcp_flags_ts: 1e +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 65.55.158.80 + dest_port: 3544 + event_type: flow + flow.age: 9 + flow.alerted: false + flow.bytes_toclient: 90 + flow.bytes_toserver: 213 + flow.pkts_toclient: 1 + flow.pkts_toserver: 2 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 192.168.2.16 + src_port: 3797 +- filter: + count: 1 + match: + app_proto: http + dest_ip: 67.228.110.120 + dest_port: 80 + event_type: flow + flow.age: 1 + flow.alerted: false + flow.bytes_toclient: 4248 + flow.bytes_toserver: 855 + flow.pkts_toclient: 6 + flow.pkts_toserver: 7 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 192.168.2.16 + src_port: 1580 + 
tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1b + tcp.tcp_flags_tc: 1b + tcp.tcp_flags_ts: 1b +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 3 diff --git a/tests/7.0/dns-eve-log-https-only/README.md b/tests/7.0/dns-eve-log-https-only/README.md new file mode 100644 index 000000000..1f329b0eb --- /dev/null +++ b/tests/7.0/dns-eve-log-https-only/README.md @@ -0,0 +1,11 @@ +Description +=========== +Test custom eve DNS logging by configuring it to log only HTTPS records, and verifying that only HTTPS records are logged. + +PCAP +==== +PCAP comes from the redmine ticket [4751](https://redmine.openinfosecfoundation.org/issues/4751) + +Redmine ticket +============== +https://redmine.openinfosecfoundation.org/issues/4751 diff --git a/tests/7.0/dns-eve-log-https-only/suricata.yaml b/tests/7.0/dns-eve-log-https-only/suricata.yaml new file mode 100644 index 000000000..16f00d29c --- /dev/null +++ b/tests/7.0/dns-eve-log-https-only/suricata.yaml @@ -0,0 +1,11 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - dns: + types: [https] diff --git a/tests/7.0/dns-eve-log-https-only/test.pcap b/tests/7.0/dns-eve-log-https-only/test.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2090848cf55d84f28ca11ead9d847ac951f0457d GIT binary patch literal 133 zcmca|c+)~A1{MYcU}0bcau&LzCgyJAVu%H@L3qNWU5qsrQAMhJ(la?2Tp1Yr`4t%$ z90XtfIk193ABY)0F)^4jSpP^Br~&E+836=*CT6;Z2Bx}321dGuMrO>3d6mq`DS7Nb RIytepgef+LM+0p1yg5gMKiQ~&_u|fB5~-_nRB{3n`MSZAl9P~ z2~s%=(I_7zko*HTv#evN-Zvn!B)nx4kzx$(ED9F+!jYDXd&1Ul6(G5cy=Ml zZdHUqE54u*1x0Z|wqf}rz=g=93X&vgFrjeyZ$mNL+=Sb*xF~=u9||fG4|@a(UdQXi zRNyTrc{mom>OKaORN#Iz_F`f`UTdHfuPJ0airRXJ$HY?~kH`CvN0z>E+Q`I{Bo1a% zENTbL9AOpYvNP(K*@<UJvq#SAU$3*S#5$mv?SMUJ`gJ=7Oac)VE@D4!iMDy5~$m8`OGHTHU@N?q=7lvi1Wv&e6nMx18k n4So-!K&uv(rD(-fc8jfwKj1eb#5W_EKj-%tfAPG*?;!gFK&RmS literal 0 HcmV?d00001 
diff --git a/tests/7.0/dns-eve-type-filtering/test.yaml b/tests/7.0/dns-eve-type-filtering/test.yaml
new file mode 100644
index 000000000..d5d3ace70
--- /dev/null
+++ b/tests/7.0/dns-eve-type-filtering/test.yaml
@@ -0,0 +1,92 @@
+requires:
+ min-version: 4.1
+ lt-version: 8
+
+checks:
+
+ - filter:
+ filename: all.json
+ count: 14
+ match:
+ event_type: "dns"
+
+ # Check that we only have requests and responses for A records.
+ - filter:
+ filename: only-a.json
+ count: 4
+ match:
+ event_type: "dns"
+ - filter:
+ filename: only-a.json
+ count: 4
+ match:
+ event_type: "dns"
+ dns.rrtype: "A"
+
+ # Also check that the source and destination addresses and ports are
+ # as expected.
+ - filter:
+ filename: only-a.json
+ count: 1
+ match:
+ pcap_cnt: 1
+ src_ip: "10.16.1.11"
+ src_port: 54888
+ dest_ip: "8.8.8.8"
+ dest_port: 53
+ dns.type: "query"
+ - filter:
+ filename: only-a.json
+ count: 1
+ match:
+ pcap_cnt: 2
+ src_ip: "10.16.1.11"
+ src_port: 54888
+ dest_ip: "8.8.8.8"
+ dest_port: 53
+ dns.type: "answer"
+
+ # Check that we only have A and AAAA requests.
+ - filter:
+ filename: a-and-aaaa-requests-only.json
+ count: 4
+ match:
+ event_type: "dns"
+ - filter:
+ filename: a-and-aaaa-requests-only.json
+ count: 2
+ match:
+ event_type: "dns"
+ dns.rrtype: "A"
+ - filter:
+ filename: a-and-aaaa-requests-only.json
+ count: 2
+ match:
+ event_type: "dns"
+ dns.rrtype: "AAAA"
+ - filter:
+ filename: a-and-aaaa-requests-only.json
+ count: 4
+ match:
+ event_type: "dns"
+ dns.type: "query"
+
+ # Check that we only have 3 log entries, and that they are all MX
+ # responses.
+ - filter:
+ filename: mx-responses-only.json
+ count: 3
+ match:
+ event_type: "dns"
+ - filter:
+ filename: mx-responses-only.json
+ count: 3
+ match:
+ event_type: "dns"
+ dns.type: "answer"
+ - filter:
+ filename: mx-responses-only.json
+ count: 3
+ match:
+ event_type: "dns"
+ dns.rrtype: "MX"
diff --git a/tests/7.0/dns-eve/input.pcap b/tests/7.0/dns-eve/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5c9ee35b3925845257e32c31a4312dca5ccc1a3a GIT binary patch literal 876 zcmca|c+)~A1{MYcU}0bca$Fy~g!8QAV+aJYL6|{QoR{tUjniFk7rJpUxH2#}&*^et za1d<&!X?1S4aAHW*E5(h=!@mdTn*F@G6D!VlXEgt^GbA+)7Vpr@(YskE0~k>b3xLK zZa@n{MOhgVfyzJ_Vl>1Wum!5inhU}hhP%%@%m6g}=ysUlO`Cv*8;cdJd(Ef-HJp(vIX@*eH$N{swURk6 zwFDea3=EnAAOnE_WJ!e+GXqcpj4^^NEe`C1W7dcu1NtGz^eC@CILMelrr_`aFt}L3 z?%-tLhA3f5H#{J8Kpz^491JYFR&I(QH;A^gGeiMR0$~g{_{1rKqb&sC2B23hv~R3? zjfggE9)-mh<7NhyjOJ769zdHkesSVSflJnaY^uKm3(|*5kQ8VciHI*eDG+4Ayx*Mo fQlJvpD?SLX0IjfBjJJ$LcmIXEm^n(zWj;yF9(4nCvtjwX*rJ*fr?H_1u2_gq+ zYf9)3XekS!h#aD+p(Xld-{*R*Q_j5T@B#6a&+~b{&wJ;mM|%os^z(duzrN{S=z7v= z0tZ|QYLdw0kEs)F5(%#Ru>axtIMj<{$}5%1#|Zwbja>;LwdKQNUjG?V8Y%Sla?NTPi6No~)bt241(uAUF+;zu= zy}Vly?5qU)3n%-IH=PijRnmUE-oAzt0B5w$K4=X6WX*OXpfN+nO}x?sxy@7jKl_%)9H|^PKT4`~7?O+vwUXUAeRP{8`xp z`*Ww=pSa+BZK>?B?0wF6=+*_t=HqST(^~n{T;8m&X0CMgjhuDCk#l)5*J9mvnUnqm DPo`*r literal 0 HcmV?d00001 diff --git a/tests/7.0/dns-incomplete/input.txt b/tests/7.0/dns-incomplete/input.txt new file mode 100644 index 000000000..3739f2884 --- /dev/null +++ b/tests/7.0/dns-incomplete/input.txt @@ -0,0 +1,8 @@ +# First a complete request to get protocol detection +c2s 001c11330100000100000000000006676F6F676C65036E65740000100001 +s2c 002c10328180000100010000000006676F6F676C6503636F6D0000010001c00c00010001000140ef000401020304 +# Then an incomplete request split in 2 packets, to be tested +c2s 001c103201000001000000000000 +c2s 06676F6F676C6503636F6D0000100001 +# And its answer +s2c 002c10328180000100010000000006676F6F676C6503636F6D0000010001c00c00010001000140ef000401020304 \ No newline at end of file diff --git a/tests/7.0/dns-incomplete/test.rules b/tests/7.0/dns-incomplete/test.rules new file mode 100644 index 000000000..1473e8048 --- /dev/null +++ b/tests/7.0/dns-incomplete/test.rules 
@@ -0,0 +1 @@
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;)
diff --git a/tests/7.0/dns-incomplete/test.yaml b/tests/7.0/dns-incomplete/test.yaml
new file mode 100644
index 000000000..6745b4afc
--- /dev/null
+++ b/tests/7.0/dns-incomplete/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 6.0
+ lt-version: 8
+
+# disables checksum verification
+args:
+- -k none --set app-layer.protocols.dns.detection-ports.dp=5353
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.rrname: google.com
+ dns.type: query
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/7.0/dns-incomplete/txt2pcap.py b/tests/7.0/dns-incomplete/txt2pcap.py
new file mode 100644
index 000000000..40d7e56b5
--- /dev/null
+++ b/tests/7.0/dns-incomplete/txt2pcap.py
@@ -0,0 +1,88 @@
+import sys
+import binascii
+from threading import Thread
+import time
+import socket
+
+# Create a pcap from a htp test file
+# Launches a server on port 8080
+# Launches a client in another thread that connects to it
+# Both client and server read the htp test file
+# And they send and receive data as described (without analysing it)
+# So, you need to capture traffic on port 8080 while running the script
+
+def removeOneEOL(s):
+ r = s
+ if r[-1] == '\n':
+ r = r[:-1]
+ if r[-1] == '\r':
+ r = r[:-1]
+ return r
+
+PCAP_TCP_PORT = 5353
+
+class ServerThread(Thread):
+
+ def __init__(self, filename):
+ Thread.__init__(self)
+ self.filename = filename
+
+ def run(self):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("127.0.0.1", PCAP_TCP_PORT))
+ s.listen(1)
+ conn, addr = s.accept()
+ f = open(self.filename)
+ sending = ""
+ receiving = ""
+
+ for l in f.readlines():
+ data = binascii.unhexlify(l.split()[1])
+ if l.split()[0] == "s2c":
+ conn.send(data)
+ print "server sent", len(data)
+ else:
+ data = conn.recv(len(data))
+ print "server recvd", len(data)
+
+ conn.close()
+ s.close()
+ f.close()
+
+
+class ClientThread(Thread):
+
+ def __init__(self, filename):
+ Thread.__init__(self)
+ self.filename = filename
+
+ def run(self):
+ time.sleep(1)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect(("127.0.0.1", PCAP_TCP_PORT))
+ f = open(self.filename)
+ sending = ""
+ receiving = ""
+
+ for l in f.readlines():
+ data = binascii.unhexlify(l.split()[1])
+ if l.split()[0] != "s2c":
+ s.send(data)
+ print "client sent", len(data)
+ else:
+ data = s.recv(len(data))
+ print "client recvd", len(data)
+
+ s.close()
+ f.close()
+
+t1 = ServerThread(sys.argv[1])
+t2 = ClientThread(sys.argv[1])
+
+# Launch threads
+t1.start()
+t2.start()
+
+# Wait for threads to finish
+t1.join()
+t2.join()
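Review bot: ServerThread.run and ClientThread.run call `binascii.unhexlify(l.split()[1])` on every line of the input file, but the input.txt shipped next to this script starts with `#` comment lines, so the very first iteration raises before any data is exchanged (an empty line would raise IndexError the same way). Skipping non-data lines at the top of both loops, `if not l.strip() or l.startswith("#"): continue`, would make the script usable with the provided input. The header comment still says the server listens on port 8080 and reads an htp test file, whereas `PCAP_TCP_PORT = 5353` and the payloads are DNS; the comment should be brought in line with the code. `conn.recv(len(data))` and `s.recv(len(data))` may return fewer bytes than requested on a TCP socket, which would silently desynchronise the scripted exchange, so looping until the expected length arrives (or at least checking the returned length) would make the generated capture deterministic. The `print` statements are Python 2 syntax, so the script cannot run under Python 3 as copied; `removeOneEOL`, `sending` and `receiving` are also unused.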
diff --git a/tests/7.0/dns-json-log/expected/dns.json b/tests/7.0/dns-json-log/expected/dns.json
new file mode 100644
index 000000000..afec32e8f
--- /dev/null
+++ b/tests/7.0/dns-json-log/expected/dns.json
@@ -0,0 +1,9 @@
+{"timestamp":"2016-05-24T23:27:01.960780+0000","flow_id":15684738590988,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":53679,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39339,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
+{"timestamp":"2016-05-24T23:27:02.333141+0000","flow_id":15684738590988,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":53679,"proto":"UDP","dns":{"type":"answer","id":39339,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":47,"rdata":"52.85.112.21"}}
+{"timestamp":"2016-05-24T23:27:02.832606+0000","flow_id":542660046009438,"pcap_cnt":3,"event_type":"dns","src_ip":"10.16.1.11","src_port":49697,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3407,"rrname":"block.dropbox.com","rrtype":"A","tx_id":0}}
+{"timestamp":"2016-05-24T23:27:03.085375+0000","flow_id":1585332076629375,"pcap_cnt":4,"event_type":"dns","src_ip":"10.16.1.11","src_port":33458,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44779,"rrname":"codemonkey.net","rrtype":"A","tx_id":0}}
+{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.dropbox.com","rrtype":"CNAME","ttl":9,"rdata":"block.g1.dropbox.com"}}
+{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.g1.dropbox.com","rrtype":"A","ttl":8,"rdata":"45.58.70.33"}}
+{"timestamp":"2016-05-24T23:27:03.493333+0000","flow_id":1585332076629375,"pcap_cnt":6,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":33458,"proto":"UDP","dns":{"type":"answer","id":44779,"rcode":"NOERROR","rrname":"codemonkey.net","rrtype":"A","ttl":435,"rdata":"104.131.202.103"}}
+{"timestamp":"2016-05-24T23:27:04.653864+0000","flow_id":848126710184488,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":57634,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14681,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
+{"timestamp":"2016-05-24T23:27:04.654238+0000","flow_id":848126710184488,"pcap_cnt":8,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":57634,"proto":"UDP","dns":{"type":"answer","id":14681,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":45,"rdata":"52.85.112.21"}}
diff --git a/tests/7.0/dns-json-log/suricata.yaml b/tests/7.0/dns-json-log/suricata.yaml
new file mode 100644
index 000000000..4daa2b75f
--- /dev/null
+++ b/tests/7.0/dns-json-log/suricata.yaml
@@ -0,0 +1,8 @@
+%YAML 1.1
+---
+
+outputs:
+ - dns-json-log:
+ version: 1
+ enabled: yes
+ filename: dns.json
diff --git a/tests/7.0/dns-json-log/test.yaml b/tests/7.0/dns-json-log/test.yaml
new file mode 100644
index 000000000..8bea7cd6e
--- /dev/null
+++ b/tests/7.0/dns-json-log/test.yaml
@@ -0,0 +1,25 @@
+pcap: ../../dns-eve/input.pcap
+
+requires:
+ lt-version: 6
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 9
+ filename: dns.json
+ match:
+ event_type: dns
+ - filter:
+ count: 4
+ filename: dns.json
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 5
+ filename: dns.json
+ match:
+ event_type: dns
+ dns.type: answer
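Review bot: The dns-json-log test.yaml copied into tests/7.0/ keeps `requires: lt-version: 6` together with the `HAVE_LIBJANSSON` feature gate, so if the version gate is evaluated as in the neighbouring tests this test is skipped on every 7.x build and the copy can never exercise the v2 DNS format the 7.0 directory is meant to pin. If the intent is to keep it only as a record of the pre-6 `dns-json-log` output, a comment in the requires block saying so, e.g. `# dns-json-log output only exists before 6.0; kept for older builds`, would save the next reader from wondering why it lives under 7.0/; otherwise it should not be copied here.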
diff --git a/tests/7.0/dns-reversed-tcp-1/dns.pcap b/tests/7.0/dns-reversed-tcp-1/dns.pcap new file mode 100644 index 0000000000000000000000000000000000000000..af7d25b6aeacc0fc53c7624f1cba02cf1646b499 GIT binary patch literal 671 zcmca|c+)~A1{MYcU}0bca;ze|B3cz$81#W05WaD`>+M1}22pWdw(lGat_+NddO-{f zmTcDX92_hxTmp>T45m|!eP_6Gm(^#RHApbr3-@PWU}WUr5PcGMPmcd za2}xXjLhZbY(zA&&HVDOVb<4Xbn&_^lj literal 0 HcmV?d00001 diff --git a/tests/7.0/dns-reversed-udp-1/suricata.yaml b/tests/7.0/dns-reversed-udp-1/suricata.yaml new file mode 100644 index 000000000..c7c9cd5dd --- /dev/null +++ b/tests/7.0/dns-reversed-udp-1/suricata.yaml @@ -0,0 +1,10 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: true + types: + - dns: + enabled: true + version: 2 diff --git a/tests/7.0/dns-reversed-udp-1/test.yaml b/tests/7.0/dns-reversed-udp-1/test.yaml new file mode 100644 index 000000000..38aa5f490 --- /dev/null +++ b/tests/7.0/dns-reversed-udp-1/test.yaml @@ -0,0 +1,33 @@ +requires: + min-version: 5.0.0 + lt-version: 8 + +args: + - --set stream.midstream=true + +checks: + + - filter: + comment: request + count: 0 + match: + event_type: dns + dns.type: query + + - filter: + comment: response + count: 1 + match: + event_type: dns + dns.type: answer + dns.answers[0].rrtype: CNAME + dns.answers[1].rrtype: A + dns.answers[2].rrtype: A + + - filter: + count: 1 + match: + event_type: dns + dns.type: answer + src_ip: "10.16.1.11" + dest_ip: "10.16.1.1" diff --git a/tests/7.0/dns-single-request/README.md b/tests/7.0/dns-single-request/README.md new file mode 100644 index 000000000..29dacb251 --- /dev/null +++ b/tests/7.0/dns-single-request/README.md @@ -0,0 +1 @@ +Check a simple DNS request and response. diff --git a/tests/7.0/dns-single-request/suricata.yaml b/tests/7.0/dns-single-request/suricata.yaml new file mode 100644 index 000000000..bf949095f --- /dev/null +++ b/tests/7.0/dns-single-request/suricata.yaml 
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
diff --git a/tests/7.0/dns-single-request/test.yaml b/tests/7.0/dns-single-request/test.yaml
new file mode 100644
index 000000000..dcd1c5586
--- /dev/null
+++ b/tests/7.0/dns-single-request/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../../dns-single-request-v1/input.pcap
+
+requires:
+ lt-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ dns.type: query
+ - filter:
+ count: 1
+ match:
+ dns.type: answer
diff --git a/tests/7.0/dns-tcp-multirequest-buffer/README b/tests/7.0/dns-tcp-multirequest-buffer/README
new file mode 100644
index 000000000..6ce66e4e5
--- /dev/null
+++ b/tests/7.0/dns-tcp-multirequest-buffer/README
@@ -0,0 +1,5 @@
+Test a TCP DNS request that contains multiple DNS requests in a single
+buffer.
+
+This test includes its own verification script instead of using the
+default file compare.
diff --git a/tests/7.0/dns-tcp-multirequest-buffer/dns-tcp-multirequest-buffer.pcap b/tests/7.0/dns-tcp-multirequest-buffer/dns-tcp-multirequest-buffer.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f46aefbf6288e88538de5735bc2598f971670b01 GIT binary patch literal 6276 zcmbW*Yf#ix6aetM50*Cz(t}2aZ44VVES6nBlyM}>n3@FE5j9XVMOWh?U@t8b?O_%O zjunb8UJ3@iq!>StIDRnEX>`V>#!uvg_65EvZcWiSXSsjw|9}78c3}9=0O!u({O)Vd z?v0Dzwpf{+O@7%7GmbFS+3IN9^?Gd}FWhhrUMzh2ot(y}yyJ`Gyme9%pA-a%pc6m z7-mjs#H^T|W!%2eJ(@NE*~?E(t9tY{l&fV9)D>fPo_P#1KMns0AE{<#IvQii$zVwt!{Y&T`XE0AkUzS#fSssDRi+|aezFBE*2*akSEc_oZL#HK2zqfs3bXpSF@Sa-O zvWC-gS;#1zY;XS&%(&?v$S9ud3rT~%F*tuCdv;7@oH*5OP~)9Xf~OhlG|AXZ8UHrP zc%L#BY8m(9J%Jg2KW|}&AR9hX#t-_BQpPi;8I#z^_Jvx;>vXRbFjl*lE=`^VV-H-%>FU7cnmrZV20Z!6!TdO3J|+$Du~W%B-c8S!h_9 z``x4NM7+mpmrT@{vaB2KvFn)ek>9K;^)XU+>DBH;Seg5~L0vPOtLvwOx|OQWn+NG(R{3-cvP}>Bx zbRSMl9si?UrCv|!`La4a64krTYw8+MH=)|r8KzR7B=sr1Iz5uBxAkahIM?|#ptcKY z>5@07J)!OJRH#w0)~}G-&{O%~T&EYK`klWtHJs~uI@cd{IaKNvQg;~C#avxE#MK89 zL5=4+Oi)X&Tn2TB=lXl7QK8;I>P(Zh?jiLoO+D%l97x2q?&u0vsar|iZcz7VYKNv? 
z0qRjuI|Q}#a%@nCxYm78qe8ur)EOq~aa6y}@1B%`G*GWV^>ZIbsMKwwZZoLIxw-;+ zaC*HC9H{q0R#1lvYN^LCsJ)@>@Jgsrp)Mu0S5|upQN43NU+aRcpsq)CZcU_0-A?LO zz1maA)#dPxWI{a%>aC!T5Y$rRG&S{Fs8ONbL~4(Tx((GkE@Tk{sPCfstv@yOkU!91M|Jz^Xa+B6 z^hmwghyABWeZru=%hjvTY3ik*9%6+oYEo_TZehS_XwIBMbLRZ7=IlEtQo;5U+by%b zdBlEk_Ds)C zH?qxJ@o%6=1$!&8pE6;OBKwUhjok_CtH|!ni&L??h<((+9_4JGm$Mtgf!zu0SdlIF zXL`0bH1^L>q=Nk_v7eOL8M(-Qy-Q=?@&_8jk)53CRI$$xyIIf9$mMMOWGT4G8*_nu z3)pcYTW-*%#9jhLD%fSjo@c^7gzVRDakg&;uyfmiJ!>?0o#C}+a;1Gi>>~#DAtZxReog!QA(DZESY|EP*i(CaoD%j=3PBmfQA$F9;UI*;Gn6d1dMYY=9#6E0b z-{I^RuW0OkV6OvqyvUYYv?;NhphyL~g4j>U?92to-mbmP_8kUxKe7w1Syk*FVmIm8 znF};FZ}0<+;#c5_h@>y`~S~27TF0!D%h38o@>IcLv{^*R7s!v_-+Dw95c>3 zYg4hmB=+Y9b{%KGkjhv4U^cLC0(+XsmYXy^JA|7Yi)?@*73^)qo@2ruLUuK8sZy3d z;13+k#*9aL?JD+H#Qw~{9^&l05{X3>Qx=)x2cTtsOlxN#>chAwOgNZWv*S@kIrrL`=H`KGhYaMOgzuhvzBx0g zmro-yXhA)+AYmw* zq3_U|eT4ozBVV$<+W?TYy0}(0n%A#<%F=a7qcITKK4nqJoXPo|?AZ@+L~rsEmFUp7 zP;@7r^dNn7reo}@A<4+oM9%h?_Y!@Zd=|;aaV0uyYIcUNv6}5d&7(+n1gx+c^=S${PVRshBWSgobeE?!t@FZk;)XqOKL-wXM>kc&e8AmlefE(p0KYJX$D44l5R>&_cX|79L;Z)7)U9$Js=0 z)Fs-W)S**|Ng{#+WW3SoUdN-}MAMpIe)HLDFn>8RZ+I)1&!hPynUCiAn%Vx!ZZw}n z^YTBM9}?z|XLbH~R_Bjrb^dr(=Z|M~{&-gBk7srMcvk0+XLbH~R_BlBH1$lzrZzD@ z!OV9Ho|5jw+#;IadN8PX+N8eyLZU{e62+$=I0x@A3+8GIbBoMEJ7n(P{cB+WG-zRy zh@lw%BrGj+vd+1;dDpq~LF>_%GdI!tUYiGMU z>Apg1KHXhr?jol@K7S+Y&uOVYUhGdF?qY7Zp0A1P9mk!N5b-4v>v3VaWTH~#KTJe> zC@;|ib0eW_BFqDHhp}2`ppJ)!e?pbiL03TJIs7tw)vQfXK5^q<{ymkHF3Rh+({74EC0Xwuh_F9 zPmwS)zg_Y)hUQafes$;o?-};1pZbY3uNB*S~8zP^KmjioXVI_*Wga#XkPtC^KH`1^DJhbXEF0Ui<#$H%skIx z=6Mz~&$F0$p2f`bEM}f(G4njnQqNQzry}NinE7hSQ@mwzbPCOH-fJ~IttXq(HNTLk zSp-pj@`A7R7PH{UwlF%yER@6C-P?aHG=qi~)`=L|Ld^4A>SZ;`?`5iSI$RE$k(-$s jjfEsqS&gxxHDV2TQY=!9(^zAI-Zzo!W{vnRHWvN>;7&p3 literal 0 HcmV?d00001 diff --git a/tests/7.0/dns-tcp-ts-gap/suricata.yaml b/tests/7.0/dns-tcp-ts-gap/suricata.yaml new file mode 100644 index 000000000..bf949095f --- /dev/null +++ b/tests/7.0/dns-tcp-ts-gap/suricata.yaml 
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
diff --git a/tests/7.0/dns-tcp-ts-gap/test.yaml b/tests/7.0/dns-tcp-ts-gap/test.yaml
new file mode 100644
index 000000000..3a08d15ee
--- /dev/null
+++ b/tests/7.0/dns-tcp-ts-gap/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ # App-layer gap handling didn't happen until v4.
+ min-version: 4.0.0
+ lt-version: 8
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 3
+ match:
+ event_type: dns
+ dns.type: answer
+ dns.answers.__len: 12
diff --git a/tests/7.0/dns-tcp-www-google-com/README.md b/tests/7.0/dns-tcp-www-google-com/README.md
new file mode 100644
index 000000000..d1db12dc6
--- /dev/null
+++ b/tests/7.0/dns-tcp-www-google-com/README.md
@@ -0,0 +1,2 @@
+A basic TCP DNS test that sends one request with a response that
+contains multiple answers.
diff --git a/tests/7.0/dns-tcp-www-google-com/suricata.yaml b/tests/7.0/dns-tcp-www-google-com/suricata.yaml
new file mode 100644
index 000000000..6bc3c0ded
--- /dev/null
+++ b/tests/7.0/dns-tcp-www-google-com/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+# Remove stats logging.
+stats:
+ enabled: no
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - dns:
diff --git a/tests/7.0/dns-tcp-www-google-com/test.yaml b/tests/7.0/dns-tcp-www-google-com/test.yaml
new file mode 100644
index 000000000..576a63c20
--- /dev/null
+++ b/tests/7.0/dns-tcp-www-google-com/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../../dns-tcp-www-google-com-v1/dns.pcap
+
+requires:
+ lt-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ src_ip: "10.16.1.11"
+ dest_ip: "8.8.4.4"
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 1
+ match:
+ src_ip: "10.16.1.11"
+ dest_ip: "8.8.4.4"
+ event_type: dns
+ dns.type: answer
diff --git a/tests/7.0/dns-udp-double-request-response/README.txt b/tests/7.0/dns-udp-double-request-response/README.txt
new file mode 100644
index 000000000..d0a46a673
--- /dev/null
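Review bot: The answer filter in tests/7.0/dns-tcp-www-google-com/test.yaml only asserts that one answer event exists, while the README hunk for the same test says the response carries multiple answers, so nothing pins that the multi-record response was actually parsed. The dns-tcp-ts-gap test.yaml in the same run of hunks uses `dns.answers.__len: 12` for exactly this, so the same key fits here: add `dns.answers.__len: <expected-count>` under the answer filter's `match`, with the count taken from the pcap. The `pcap: ../../dns-tcp-www-google-com-v1/dns.pcap` reference reaches outside the 7.0 tree, so this copy silently breaks if the v1 directory is reorganised; a one-line comment such as `# shares the capture with the v1 test; keep the two in sync` would record the dependency. The same out-of-tree `pcap:` reference appears in the dns-udp-double-request-response, dns-udp-eve-log-*, dns-udp-eve-v2-dig and dns-udp-unsolicited-response test.yaml files of this patch.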
+++ b/tests/7.0/dns-udp-double-request-response/README.txt
@@ -0,0 +1,8 @@
+Test 2 UDP DNS requests followed back to back with no response, then
+the 2 responses being received.
+
+Prior to Suricata 3.2 the first request would be marked as having a
+reply lost when the second request was seen.
+
+Related issue:
+https://redmine.openinfosecfoundation.org/issues/1923
diff --git a/tests/7.0/dns-udp-double-request-response/suricata.yaml b/tests/7.0/dns-udp-double-request-response/suricata.yaml
new file mode 100644
index 000000000..bf949095f
--- /dev/null
+++ b/tests/7.0/dns-udp-double-request-response/suricata.yaml
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - dns:
diff --git a/tests/7.0/dns-udp-double-request-response/test.yaml b/tests/7.0/dns-udp-double-request-response/test.yaml
new file mode 100644
index 000000000..375b6908b
--- /dev/null
+++ b/tests/7.0/dns-udp-double-request-response/test.yaml
@@ -0,0 +1,16 @@
+pcap: ../../dns-udp-double-request-response-v1/dns-udp-double-request-response.pcap
+
+requires:
+ lt-version: 8
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: answer
diff --git a/tests/7.0/dns-udp-eve-log-aaaa-only/README.md b/tests/7.0/dns-udp-eve-log-aaaa-only/README.md
new file mode 100644
index 000000000..88649bff1
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-log-aaaa-only/README.md
@@ -0,0 +1,2 @@
+Test custom eve DNS logging by configuring it to log only AAAA
+records, and verifying that only AAAA records are logged.
diff --git a/tests/7.0/dns-udp-eve-log-aaaa-only/suricata.yaml b/tests/7.0/dns-udp-eve-log-aaaa-only/suricata.yaml
new file mode 100644
index 000000000..443e47a28
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-log-aaaa-only/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - dns:
+ types: [aaaa]
diff --git a/tests/7.0/dns-udp-eve-log-aaaa-only/test.yaml b/tests/7.0/dns-udp-eve-log-aaaa-only/test.yaml
new file mode 100644
index 000000000..01d7d562c
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-log-aaaa-only/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap
+
+requires:
+ lt-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ dns.type: query
+ dns.rrtype: AAAA
+ - filter:
+ count: 1
+ match:
+ dns.type: answer
+ dns.answers[0].rrtype: AAAA
+ - filter:
+ count: 0
+ match:
+ dns.rrtype: A
diff --git a/tests/7.0/dns-udp-eve-log-answer-only/suricata.yaml b/tests/7.0/dns-udp-eve-log-answer-only/suricata.yaml
new file mode 100644
index 000000000..314990072
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-log-answer-only/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - dns:
+ requests: no
+ responses: yes
diff --git a/tests/7.0/dns-udp-eve-log-answer-only/test.yaml b/tests/7.0/dns-udp-eve-log-answer-only/test.yaml
new file mode 100644
index 000000000..a9e4396aa
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-log-answer-only/test.yaml
@@ -0,0 +1,15 @@
+pcap: ../../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap
+
+requires:
+ lt-version: 8
+
+checks:
+ - filter:
+ count: 0
+ match:
+ dns.type: query
+ - filter:
+ count: 3
+ match:
+ dns.type: answer
+
diff --git a/tests/7.0/dns-udp-eve-log-mx-only/suricata.yaml b/tests/7.0/dns-udp-eve-log-mx-only/suricata.yaml
new file mode 100644
index 000000000..4db14a4e8
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-log-mx-only/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - dns:
+ types: [mx]
diff --git a/tests/7.0/dns-udp-eve-log-mx-only/test.yaml b/tests/7.0/dns-udp-eve-log-mx-only/test.yaml
new file mode 100644
index 000000000..1616cea8d
--- /dev/null
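Review bot: The negative check in tests/7.0/dns-udp-eve-log-aaaa-only/test.yaml asserts `count: 0` only for `dns.rrtype: A`, but the capture name (`dns-udp-google.com-a-aaaa-mx.pcap`) and the sibling mx-only test show an MX exchange in the same pcap, so an MX record leaking through the `types: [aaaa]` filter would pass unnoticed. Add a third negative filter with `dns.rrtype: MX` and `count: 0` next to the A one, so the test actually verifies what its README claims ("only AAAA records are logged"). On the answer side `dns.answers[0].rrtype: AAAA` pins only the first record; if the AAAA response carries more than one record, `dns.answers.__len` would make that assertion complete.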
+++ b/tests/7.0/dns-udp-eve-log-mx-only/test.yaml @@ -0,0 +1,24 @@ +pcap: ../../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap + +requires: + lt-version: 8 + +checks: + - filter: + count: 1 + match: + dns.type: query + dns.rrtype: "MX" + - filter: + count: 1 + match: + dns.type: query + - filter: + count: 1 + match: + dns.type: answer + dns.answers[0].rrtype: "MX" + - filter: + count: 1 + match: + dns.type: answer diff --git a/tests/7.0/dns-udp-eve-log-query-only/suricata.yaml b/tests/7.0/dns-udp-eve-log-query-only/suricata.yaml new file mode 100644 index 000000000..f79fff57c --- /dev/null +++ b/tests/7.0/dns-udp-eve-log-query-only/suricata.yaml @@ -0,0 +1,13 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - dns: + requests: yes + responses: no + diff --git a/tests/7.0/dns-udp-eve-log-query-only/test.yaml b/tests/7.0/dns-udp-eve-log-query-only/test.yaml new file mode 100644 index 000000000..b709e58d3 --- /dev/null +++ b/tests/7.0/dns-udp-eve-log-query-only/test.yaml @@ -0,0 +1,14 @@ +pcap: ../../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap + +requires: + lt-version: 8 + +checks: + - filter: + count: 3 + match: + dns.type: query + - filter: + count: 3 + match: + event_type: dns diff --git a/tests/7.0/dns-udp-eve-log-srv/input.pcap b/tests/7.0/dns-udp-eve-log-srv/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..565399fa954c412728ee5b89c919d735af5eb996 GIT binary patch literal 342 zcmca|c+)~A1{MYcU|~oFa=5H!$Md(bF(d=oAnXdHc&{@sI0y&(BZKNo7vX&t+gx1gX>% z0IO!;Vc=rm2u$B$Av~kWA7tgx18fYtfpQ=Wv~qXyN(Kfy!M)!>)`6^LFa=t={OpU@ zVT}zygP4f5@&FISVn$&GH3ks|M&Tp8K DIoePE literal 0 HcmV?d00001 diff --git a/tests/7.0/dns-udp-eve-log-srv/suricata.yaml b/tests/7.0/dns-udp-eve-log-srv/suricata.yaml new file mode 100644 index 000000000..e1afb7b14 --- /dev/null +++ b/tests/7.0/dns-udp-eve-log-srv/suricata.yaml 
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - dns
+
+app-layer:
+ protocols:
+ dns:
+ enabled: yes
diff --git a/tests/7.0/dns-udp-eve-log-srv/test.yaml b/tests/7.0/dns-udp-eve-log-srv/test.yaml
new file mode 100644
index 000000000..10819d3cc
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-log-srv/test.yaml
@@ -0,0 +1,33 @@
+requires:
+ min-version: 7
+ lt-version: 8
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ dns.rrname: _sip._udp.sip.voice.google.com
+ dns.rrtype: SRV
+
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: answer
+ dns.rrname: _sip._udp.sip.voice.google.com
+ dns.rrtype: SRV
+ dns.rcode: NOERROR
+ dns.answers[0].srv.priority: 20
+ dns.answers[0].srv.weight: 1
+ dns.answers[0].srv.port: 5060
+ dns.answers[0].srv.name: sip-anycast-2.voice.google.com
+ dns.answers[1].srv.priority: 10
+ dns.answers[1].srv.weight: 1
+ dns.answers[1].srv.port: 5060
+ dns.answers[1].srv.name: sip-anycast-1.voice.google.com
diff --git a/tests/7.0/dns-udp-eve-v2-dig/README.md b/tests/7.0/dns-udp-eve-v2-dig/README.md
new file mode 100644
index 000000000..b62bf5054
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-v2-dig/README.md
@@ -0,0 +1 @@
+DNS EVE v2 test of a dig against www.suricata-ids.org.
diff --git a/tests/7.0/dns-udp-eve-v2-dig/test.yaml b/tests/7.0/dns-udp-eve-v2-dig/test.yaml
new file mode 100644
index 000000000..a8ab795d2
--- /dev/null
+++ b/tests/7.0/dns-udp-eve-v2-dig/test.yaml
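Review bot: In tests/7.0/dns-udp-eve-log-srv/suricata.yaml the eve `types` entry is written as the bare scalar `- dns`, while every other suricata.yaml in this patch writes `- dns:` (an empty mapping); both forms parse, but the mixed spelling means a grep- or script-driven edit of the DNS logger options would miss this file. Change it to `- dns:` for consistency. The `app-layer: protocols: dns: enabled: yes` stanza presumably restates the default, and this is the only suricata.yaml in the set that carries it; a comment such as `# explicitly enabled: the SRV checks below depend on the DNS app-layer parser` would tell the reader whether it is load-bearing or leftover.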
@@ -0,0 +1,60 @@ +pcap: ../../cond-log-dns-dig/input.pcap + +requires: + lt-version: 8 + +checks: +- filter: + count: 2 + match: + event_type: dns +- filter: + count: 1 + match: + dest_ip: 10.16.1.1 + dest_port: 53 + dns.id: 36146 + dns.rrname: www.suricata-ids.org + dns.rrtype: A + dns.tx_id: 0 + dns.type: query + event_type: dns + pcap_cnt: 1 + proto: UDP + src_ip: 10.16.1.11 + src_port: 41805 +- filter: + count: 1 + match: + dest_ip: 10.16.1.1 + dest_port: 53 + dns.answers[0].rdata: suricata-ids.org + dns.answers[0].rrname: www.suricata-ids.org + dns.answers[0].rrtype: CNAME + dns.answers[0].ttl: 3544 + dns.answers[1].rdata: 192.0.78.24 + dns.answers[1].rrname: suricata-ids.org + dns.answers[1].rrtype: A + dns.answers[1].ttl: 244 + dns.answers[2].rdata: 192.0.78.25 + dns.answers[2].rrname: suricata-ids.org + dns.answers[2].rrtype: A + dns.answers[2].ttl: 244 + dns.flags: 81a0 + dns.grouped.A[0]: 192.0.78.24 + dns.grouped.A[1]: 192.0.78.25 + dns.grouped.CNAME[0]: suricata-ids.org + dns.id: 36146 + dns.qr: true + dns.ra: true + dns.rcode: NOERROR + dns.rd: true + dns.rrname: www.suricata-ids.org + dns.rrtype: A + dns.type: answer + dns.version: 2 + event_type: dns + pcap_cnt: 2 + proto: UDP + src_ip: 10.16.1.11 + src_port: 41805 diff --git a/tests/7.0/dns-udp-eve-v2-txt/input.pcap b/tests/7.0/dns-udp-eve-v2-txt/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..edb238eda2cacf9c11f22c7e52e85ba6c5b84d2c GIT binary patch literal 514 zcmca|c+)~A1{MYcU}0bca!d;?BdwP5Fa!eGAj}{t&dc`w#_6uN3*9&vTp1Xg^&J=( z90X16xda%wftc}3C4(u0eqm-_Frxz42nGg5w)Fh`^qf@Y`ElzpCjSWDfK(55F-~bQA8lH&^ zD#~TH#RX}G3YmGyIi)G7R`Ecd9>hUl-{011wJQ~&?~ literal 0 HcmV?d00001 diff --git a/tests/7.0/dns-udp-eve-v2-txt/test.yaml b/tests/7.0/dns-udp-eve-v2-txt/test.yaml new file mode 100644 index 000000000..1c4af50aa --- /dev/null +++ b/tests/7.0/dns-udp-eve-v2-txt/test.yaml 
@@ -0,0 +1,124 @@
+requires:
+ lt-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.1
+ dest_port: 53
+ dns.id: 39372
+ dns.rrname: textsecure-service-ca.whispersystems.org
+ dns.rrtype: A
+ dns.tx_id: 0
+ dns.type: query
+ event_type: dns
+ pcap_cnt: 3
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 60922
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.1
+ dest_port: 53
+ dns.id: 28243
+ dns.rrname: google.com
+ dns.rrtype: TXT
+ dns.tx_id: 0
+ dns.type: query
+ event_type: dns
+ pcap_cnt: 1
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 52345
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.1
+ dest_port: 53
+ dns.answers[0].rdata: 34.197.178.240
+ dns.answers[0].rrname: textsecure-service-ca.whispersystems.org
+ dns.answers[0].rrtype: A
+ dns.answers[0].ttl: 5
+ dns.flags: '8180'
+ dns.grouped.A[0]: 34.197.178.240
+ dns.id: 39372
+ dns.qr: true
+ dns.ra: true
+ dns.rcode: NOERROR
+ dns.rd: true
+ dns.rrname: textsecure-service-ca.whispersystems.org
+ dns.rrtype: A
+ dns.type: answer
+ dns.version: 2
+ event_type: dns
+ pcap_cnt: 4
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 60922
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.1
+ dest_port: 53
+ dns.answers[0].rdata: v=spf1 include:_spf.google.com ~all
+ dns.answers[0].rrname: google.com
+ dns.answers[0].rrtype: TXT
+ dns.answers[0].ttl: 3217
+ dns.flags: '8180'
+ dns.grouped.TXT[0]: v=spf1 include:_spf.google.com ~all
+ dns.id: 28243
+ dns.qr: true
+ dns.ra: true
+ dns.rcode: NOERROR
+ dns.rd: true
+ dns.rrname: google.com
+ dns.rrtype: TXT
+ dns.type: answer
+ dns.version: 2
+ event_type: dns
+ pcap_cnt: 2
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 52345
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 10.16.1.1
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 116
+ flow.bytes_toserver: 100
+ flow.end: 2017-06-08T15:45:58.525601+0000
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.start: 2017-06-08T15:45:58.520996+0000
+ flow.state: established
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 60922
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 10.16.1.1
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 129
+ flow.bytes_toserver: 81
+ flow.end: 2017-06-08T15:45:57.833020+0000
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.start: 2017-06-08T15:45:57.828730+0000
+ flow.state: established
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 52345
diff --git a/tests/7.0/dns-udp-junkrequest-first/README.md b/tests/7.0/dns-udp-junkrequest-first/README.md
new file mode 100644
index 000000000..9160bebf6
--- /dev/null
+++ b/tests/7.0/dns-udp-junkrequest-first/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test DNS detection when first request from client is junk.
+
+# PCAP
+
+The pcap comes from running the present dummy python script client.py which first sends junk (SNMP request actually), then a regular DNS request.
diff --git a/tests/7.0/dns-udp-junkrequest-first/client.py b/tests/7.0/dns-udp-junkrequest-first/client.py
new file mode 100644
index 000000000..70482922c
--- /dev/null
+++ b/tests/7.0/dns-udp-junkrequest-first/client.py
@@ -0,0 +1,16 @@
+import socket
+import binascii
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.connect(("192.168.1.1", 53))
+
+snmp = binascii.unhexlify("3040020103300f02030091c8020205dc040104020103041530130400020100020100040561646d696e04000400301304000400a00d02030091c80201000201003000")
+dns = binascii.unhexlify("c58e012000010000000000010b636174656e61637962657202467200000100010000291000000000000000")
+a = sock.send(snmp)
+data = sock.recv(2000)
+print "1", binascii.hexlify(data)
+a = sock.send(dns)
+data = sock.recv(2000)
+print "2", binascii.hexlify(data)
+
+sock.close()
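Review bot: tests/7.0/dns-udp-junkrequest-first/client.py is Python 2 only — `print "1", binascii.hexlify(data)` and `print "2", binascii.hexlify(data)` are print statements, so the script no longer parses under Python 3 and cannot regenerate the pcap on a current system; they should become `print("1", binascii.hexlify(data))` and `print("2", binascii.hexlify(data))` (`binascii.unhexlify` of a str literal still works on Python 3, and `hexlify` returning bytes is fine for a diagnostic print). There is also no timeout on the socket, so if the resolver simply drops the non-DNS datagram — a plausible outcome for an SNMP payload on port 53 — the first `sock.recv(2000)` blocks forever; a `sock.settimeout(5)` after the `connect` bounds that, and the two `a = sock.send(...)` assignments can drop the unused `a`. The README hunk says the capture was taken against a resolver at 192.168.1.1; a header comment stating that this script only generated input.pcap and is not executed by the test harness would prevent someone from treating it as part of the test run.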
diff --git a/tests/7.0/dns-udp-junkrequest-first/input.pcap b/tests/7.0/dns-udp-junkrequest-first/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8b87f791e15f3a368a8775f7d2cbe675df95787c GIT binary patch literal 431 zcmca|c+)~A1{MYcU}0bca&BDKi#@8v%a8+PgYb>zVQU&#uO!YD{=R^N!Igm_Zu>R{ z1_wd=+5;;Xxqz7Q*C;n3!1aurRU!1z1E4gjpDv7(s}I zH8CYOGmiymEl7}sVF52hHCWbw;TF*Dpe3vfHb8qp7-B2L1z@{1fHni|-ku4v7i2$! zDbRM2C+iIy8XAEbz(AomH7_L|WLCs-R)$cZ7zktd!`(9;outf}D2X8pQ$`A$QgD{4JeV`6@MRBkN`@Exl ZjSC=#F)(1W?_(W&}P(R2BAmA=b1cL0uqLiFWwt~!}#FA9z;?zV21}+9h zkPXj)Hlzd9fiTQ$h&@0XBB3@UgG>k6!e9!t!&OR7XhRFg2CyCYY&gIJvIpc22F@@? LXKxqgqc0f&BNH-4 literal 0 HcmV?d00001 diff --git a/tests/7.0/dns-udp-null/suricata.yaml b/tests/7.0/dns-udp-null/suricata.yaml new file mode 100644 index 000000000..bf949095f --- /dev/null +++ b/tests/7.0/dns-udp-null/suricata.yaml @@ -0,0 +1,9 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filename: eve.json + types: + - dns: diff --git a/tests/7.0/dns-udp-null/test.yaml b/tests/7.0/dns-udp-null/test.yaml new file mode 100644 index 000000000..05928735f --- /dev/null +++ b/tests/7.0/dns-udp-null/test.yaml @@ -0,0 +1,19 @@ +requires: + lt-version: 8 + min-version: 7 + +checks: + - filter: + count: 1 + match: + event_type: dns + dns.type: query + dns.rrtype: "NULL" + - filter: + count: 1 + match: + event_type: dns + dns.type: answer + dns.rcode: NOERROR + dns.rrtype: "NULL" + dns.answers[0].rdata: "VACKD\u0003\\xc5\\xe9\u0001" diff --git a/tests/7.0/dns-udp-unsolicited-response/README.md b/tests/7.0/dns-udp-unsolicited-response/README.md new file mode 100644 index 000000000..e202ff97b --- /dev/null +++ b/tests/7.0/dns-udp-unsolicited-response/README.md 
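Review bot: In tests/7.0/dns-udp-null/test.yaml the quoting of `dns.rrtype: "NULL"` is load-bearing — a bare `NULL` is YAML's null, so the match would compare against nothing — but nothing says so, and the other test.yaml files in this patch leave rrtype values unquoted, which invites a future "cleanup" that strips the quotes. A comment such as `# quoted on purpose: bare NULL is a YAML null, not the string "NULL"` above the first filter would protect both checks. The `dns.answers[0].rdata: "VACKD\u0003\\xc5\\xe9\u0001"` value mixes a YAML `\u0003` escape with literal `\\xc5\\xe9` text, which presumably mirrors how the logger escapes non-printable rdata bytes; a comment stating that the string is compared as-logged, not decoded, would make the expectation reproducible for the next person who regenerates the checks.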
@@ -0,0 +1,11 @@
+Test the following sequence of DNS messages on a flow:
+
+- DNS request with ID 0x99ab.
+- DNS response with ID 0x9941 (unsolicited response).
+- DNS response with ID 0x99ab (expected response).
+
+Check that all 3 DNS message are logged, and that an unsolicted dns
+response event is logged.
+
+NOTE: Unsolicited responses do not exist with the Rust DNS parser as
+it doesn't correlate responses with requests.
diff --git a/tests/7.0/dns-udp-unsolicited-response/suricata.yaml b/tests/7.0/dns-udp-unsolicited-response/suricata.yaml
new file mode 100644
index 000000000..43de9cdb6
--- /dev/null
+++ b/tests/7.0/dns-udp-unsolicited-response/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ filename: eve.json
+ types:
+ - alert
+ - dns:
diff --git a/tests/7.0/dns-udp-unsolicited-response/test.yaml b/tests/7.0/dns-udp-unsolicited-response/test.yaml
new file mode 100644
index 000000000..d32711d32
--- /dev/null
+++ b/tests/7.0/dns-udp-unsolicited-response/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ lt-version: 8
+
+pcap: ../../dns-udp-unsolicited-response-v1/dns-response-2x.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: answer
diff --git a/tests/7.0/dns-z-bit/dns-events.rules b/tests/7.0/dns-z-bit/dns-events.rules
new file mode 100644
index 000000000..0e34dae13
--- /dev/null
+++ b/tests/7.0/dns-z-bit/dns-events.rules
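Review bot: tests/7.0/dns-udp-unsolicited-response/test.yaml asserts only one query and two answer events, while the README in the same run of hunks says the test also checks that an unsolicited-response event is logged and then notes that the Rust parser never produces one; suricata.yaml enables the `alert` output, yet no filter looks at it. Either the README sentence is stale for this 7.0 copy or the test should pin the documented behaviour explicitly with a filter matching `event_type: alert` and `count: 0`, so a parser change that starts correlating responses (or that drops the unmatched second answer, which would break the `count: 2`) is noticed. A short comment above `checks:` saying that both responses are expected to be logged because the parser does not correlate IDs would tie the two files together. The `requires` block precedes `pcap:` here but follows it in the other test.yaml files of this patch — cosmetic, but worth aligning while the files are being copied.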
@@ -0,0 +1,9 @@ +# Malformed data in request. Malformed means length fields are wrong, etc. +alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;) +alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;) +# Response flag set on to_server packet +alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;) +# Response flag not set on to_client packet +alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;) +# Z flag (reserved) not 0 +alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;) diff --git a/tests/7.0/dns-z-bit/input.pcap b/tests/7.0/dns-z-bit/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b9fe2f5fd25d05330c2996bc07285faf2bd292db GIT binary patch literal 220 zcmca|c+)~A1{MYcU}0bca%Nc`N(^9PXYc~DL3n}Ld>hS8E_CByaAjbyS+3#0 z;2>BL$0fkX%>e{UmNA$zXlz)|z{uzTHUg-NxxBobEj>R!JtvhpIX{;HD9#8nc}fjC zLljURgdt`^%mi_@% literal 0 HcmV?d00001 diff --git a/tests/7.0/dns-z-bit/test.yaml b/tests/7.0/dns-z-bit/test.yaml new file mode 100644 index 000000000..f28ee4fbe --- /dev/null +++ b/tests/7.0/dns-z-bit/test.yaml 
@@ -0,0 +1,62 @@
+requires:
+ lt-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ dns.z: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2240006
+ dns.query[0].z: true
+- filter:
+ count: 1
+ match:
+ dest_ip: 8.8.8.8
+ dest_port: 53
+ dns.answers[0].rdata: 142.251.32.68
+ dns.answers[0].rrname: www.google.com
+ dns.answers[0].rrtype: A
+ dns.answers[0].ttl: 58
+ dns.flags: '8180'
+ dns.grouped.A[0]: 142.251.32.68
+ dns.id: 1
+ dns.qr: true
+ dns.ra: true
+ dns.rcode: NOERROR
+ dns.rd: true
+ dns.rrname: www.google.com
+ dns.rrtype: A
+ dns.type: answer
+ dns.version: 2
+ event_type: dns
+ pcap_cnt: 2
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 42150
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 8.8.8.8
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 90
+ flow.bytes_toserver: 74
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 10.16.1.11
+ src_port: 42150
diff --git a/tests/7.0/dns/dns-invalid-opcode/input.pcap b/tests/7.0/dns/dns-invalid-opcode/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a8a010e3b7a56dd26fd92413c9ab06501bf218be GIT binary patch literal 225 zcmca|c+)~A1{MYw`2U}Qff2|_nbel77|+Gv4rGI{5*P@A0SALC1A`? any any (msg:"SURICATA DNS malformed request data"; flow:to_server; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240002; rev:2;) +alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_client; app-layer-event:dns.malformed_data; classtype:protocol-command-decode; sid:2240003; rev:2;) +# Response flag set on to_server packet +alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;) +# Response flag not set on to_client packet +alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;) +# Z flag (reserved) not 0 +alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; classtype:protocol-command-decode; sid:2240006; rev:2;) +alert dns any any -> any any (msg:"SURICATA DNS Invalid opcode"; app-layer-event:dns.invalid_opcode; classtype:protocol-command-decode; sid:2240007; rev:1;) diff --git a/tests/7.0/dns/dns-invalid-opcode/test.yaml b/tests/7.0/dns/dns-invalid-opcode/test.yaml new file mode 100644 index 000000000..6c4f58dfa --- /dev/null +++ b/tests/7.0/dns/dns-invalid-opcode/test.yaml 
@@ -0,0 +1,204 @@
+requires:
+ lt-version: 8
+ min-version: 7
+
+args:
+- -k none
+
+checks:
+
+# Simple check for one query.
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+
+# Simple check for one answer.
+- filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: answer
+
+# One alert in to_server direction.
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_server
+
+# One alert in to_client direction.
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_client
+
+# Generated checks below.
+
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ direction: to_server
+ dns.query[0].id: 1
+ dns.query[0].opcode: 9
+ dns.query[0].rrname: suricata.io
+ dns.query[0].rrtype: A
+ dns.query[0].tx_id: 0
+ dns.query[0].type: query
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: dns
+ anomaly.event: invalid_opcode
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ event_type: anomaly
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ dns.id: 1
+ dns.opcode: 9
+ dns.rrname: suricata.io
+ dns.rrtype: A
+ dns.tx_id: 0
+ dns.type: query
+ event_type: dns
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: SURICATA DNS Invalid opcode
+ alert.signature_id: 2240007
+ app_proto: dns
+ dest_ip: 1.1.1.1
+ dest_port: 5333
+ direction: to_client
+ dns.answer.flags: c800
+ dns.answer.id: 1
+ dns.answer.opcode: 9
+ dns.answer.qr: true
+ dns.answer.rcode: NOERROR
+ dns.answer.rrname: suricata.io
+ dns.answer.rrtype: A
+ dns.answer.type: answer
+ dns.answer.version: 2
+ event_type: alert
+ flow.bytes_toclient: 98
+ flow.bytes_toserver: 71
+ flow.dest_ip: 2.2.2.2
+ flow.dest_port: 53
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.src_ip: 1.1.1.1
+ flow.src_port: 5333
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 2.2.2.2
+ src_port: 53
+ tx_id: 1
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: dns
+ anomaly.event: invalid_opcode
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 1.1.1.1
+ dest_port: 5333
+ event_type: anomaly
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 2.2.2.2
+ src_port: 53
+ tx_id: 1
+- filter:
+ count: 1
+ match:
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ dns.answers[0].rdata: 127.0.0.1
+ dns.answers[0].rrname: suricata.io
+ dns.answers[0].rrtype: A
+ dns.answers[0].ttl: 0
+ dns.flags: c800
+ dns.grouped.A[0]: 127.0.0.1
+ dns.id: 1
+ dns.opcode: 9
+ dns.qr: true
+ dns.rcode: NOERROR
+ dns.rrname: suricata.io
+ dns.rrtype: A
+ dns.type: answer
+ dns.version: 2
+ event_type: dns
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
+- filter:
+ count: 1
+ match:
+ app_proto: dns
+ dest_ip: 2.2.2.2
+ dest_port: 53
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 98
+ flow.bytes_toserver: 71
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 1.1.1.1
+ src_port: 5333
diff --git a/tests/7.0/vxlan-decoder-03/README.md b/tests/7.0/vxlan-decoder-03/README.md
new file mode 100644
index 000000000..6acdd4fc4
--- /dev/null
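Review bot: The `# Generated checks below.` comment in tests/7.0/dns/dns-invalid-opcode/test.yaml does not say what generated them or which fields make this copy 7.0-bound, which is the whole reason the file lives under 7.0/; a comment such as `# Generated from eve.json of a 7.0 run; dns.version: 2, dns.flags and the dns.answer/dns.query nesting are v2-format fields that change under the v3 logger` would tell the next reader what to regenerate when the format moves. The four hand-written filters above it (one query, one answer, one alert per direction) are strictly weaker than the generated ones that pin `alert.signature_id: 2240007` and `direction`, so they add no coverage; if they are kept as readable smoke checks, say so in their comments rather than leaving them looking like independent assertions. The generated alert checks also pin `alert.rev: 1`, so any `rev:` bump of sid 2240007 in the accompanying rules file will fail this test — acceptable, but worth a note next to `alert.rev` so the failure is understood as intentional coupling.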
+++ b/tests/7.0/vxlan-decoder-03/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test basic VXLAN decoding by tracking SSH over VXLAN
+
+# PCAP
+
+Pcap provided by Eric Leblond. Captured using AWS traffic mirror feature.
+
diff --git a/tests/7.0/vxlan-decoder-03/test.yaml b/tests/7.0/vxlan-decoder-03/test.yaml
new file mode 100644
index 000000000..115b77a3f
--- /dev/null
+++ b/tests/7.0/vxlan-decoder-03/test.yaml
@@ -0,0 +1,30 @@
+requires:
+ lt-version: 8
+
+args:
+ - --set decoder.vxlan.enabled=true
+
+checks:
+ - filter:
+ count: 13
+ match:
+ event_type: flow
+ dest_port: 4789
+ flow.pkts_toclient: 0
+ flow.bytes_toclient: 0
+ - filter:
+ count: 4
+ match:
+ event_type: ssh
+ dest_port: 22
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: ntp
+ dest_port: 123
+ - filter:
+ count: 8
+ match:
+ event_type: dns
+ dns.rrname: "ec2-18-196-145-224.eu-central-1.compute.amazonaws.com"
diff --git a/tests/7.0/vxlan-decoder-03/vxlan.pcap b/tests/7.0/vxlan-decoder-03/vxlan.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c71d5dcdc13cc9d37eeccae7bcb5444ef6e7cb8c GIT binary patch literal 27672 zcmeI530%zi|Hr>ghonQPBrIi}HK}Pz5>cTG5jmHpOObREIf|0393k0tbhwEWYP&X- z4JFo5xk78@W>-X^-~0WYX^!tqV`pdW{{J4$fj|0HXnt3cLlEoXK5hziwmVy9EA+HtUS6z7j3$T`_>2~Hmo-Ow5igGR zQqOPMr*VpyM-Ymze{z#LK^xd7v}`#o#;^DYjeLf4$B8518Qq@aGsYWz*Z)~H5kXkU zB=jLV_QqHH+$~^Pubzj;O&*MF8!k!3MpCf}*=*jc2qH-R`+Vd=J|Y6>ET-)2A=B{* zn~Qd3PJSv=J#BdSO!nRO-Q!@d^ON5k*ixV z=r)5-H!7P|ZRe4MwL+&Rjnd8c@L8L!2<`fsBM=0FNTxNtG6F4Va`GqTXo^Z%qZ)4E zei>QW4#;v|Iu>dStq1~Qs4z$gIgp3Y-fR_cymTAzj7iq;y*p(pkA)E{e-wFISq{IF zB|?D>Hz8eokQ#K^EuhOJF}g5o)lnB^8Hz4rfG07sv&`G4oj?Z}Qj^=rf_m)uLzdVE z?}VEWLoA13xd20m7=|ge8f0wlie%7{c{`aQ$l&T~PiGhz(FTiIZ-4g`y zf#HO($ft3KNcZ#(4y7+LHW|4P&O(&JbKwFUq`-kN@V|B-$RYYbcxAe`7dsdt-!i!M z4M7gkFTp(mA|v_;d=orM0P6VL^Bz_7(X3J37ru;!;LLEnLzkDE}<=geN51ZFSt{IeHI zLzHJ$UBres-j31`kJQ&>R7dI%j~biUH6MD;Noa_51R?i9Ni(afq1%&`F^Mtsu6=8~ z9X7);BZVsb*HrTbnu_SYWAc~Ug2-lsrzf5Rqd0YpSKNduov2#MS0mv?j{ln#kgTFu zP(3`k1(ki5EU0kT!++soA3tahc!(z}B$TYbaNpF+I|O(B|3v<3%hgvqFfEaF7_zU; z2jDTG8`j`uT5`l*cmy|U4JH!tDR2cDz(4OMR<%9vCcJ93$hrST!FhK^b-?lSMuTGS^n_?cx2`IsqvLngVZ68px)YQes79{R?K4%jz- z13qL1-aP0Vzr$a0O1yh!hy zl%>(>7VeKVi|ZcTt&P64dsE-bmtWK??_A-cyG3`1IvnE#TN^wM_!3=4uHUMwQ#0g! 
zmi_w^qrM9~>Eb(G_GL|VxPNw9x5ag9e-3v& zJgE1O!#W2$G{Ql=o3fG??~egP4mZy1dGmr>w?$fUanVyJ&)zlWT&SAr9(s^n@{Z%3 zb~>qFy|Aq3^n+vO&e=626_ZstvUKe6JtIY7?wn;645YJ+^9K6 zEJ6+7JlVjXa|BF@xGQ&*>r=w6wkyf-R3rnOCl?>KGBk%H1H6HN*2t8rrzXvHJLNne zm{phXJaDxUJP*pd!g&C?5Ra}vezDI3<&dmV&Ed#!`dc+38Q^de(j@_QqAtM#y1+VT zo4UBy>X5orQgrD`#s+jb1_5B#kLFZHta8ZNMOM>3&g*X;)nk21VSkpVc6s(-`+#ZH z6H=2hvKsw;XQi|(7{6%q(3{ssnv$9UZzxdVCdB*s6*FPYE|Z##5}}zbshO&PW~s<< zSvt+A4DMCGk_?(68K8dcw&XH|LflfrleWlYt&G0)N#_0#CN zzyOQqbUeKOgKXeQ}@=7}>ctDlE>;}EN-Y#WLy)#%3m27W}dz;y;|M8Z7vz3-h zwUrHyLw=x|B#VHrVI^DaB4EZR!VzYG7JfY1(kLntz(};uf)yzv9t^~g7^30r$)Lk(77T(8gQ3Hql)b}X zl_nrGnB`A5=>SVkfnlNE9a#%lOBV*P7Kg~f9sgo^YNS*GSPhMh!tLTLq#|$m$pFkF5B51o1alU!OP$#guD;m0FdW! zkue-_<=SRALO9`Y;)MgC=NNYg_veK}3S+Sr(ZiMy!|3xe`rDSO7{0GeO5XO)T`&KWa@Mf)>3zos z%7>TD%)RNS@0stg#by`lu3=F(V;Il3J=tyJZ?+EMGT5CgL5-9W6bof=W28EiK_m8f zU@Rw~3@$~6czvlDsG2gXuzV=Ej-Y6|5j0&JsZKol)tIYkG;)wS^p%Q1Sce{@4sR(s ztOXr5k?lZ_t3wv(5N!iG9Eeku#1PDd+?v6cTT}+C=3r!av7O5>0t~^z;P;rNXb5W0 z;+b$+HlxYxMH3ELwAV?+LXC+iLvTb>!tdV#PZJt~)=4}TMyy*5^0czNU#}|3^agdA zBt{oza|o%+Zi+5Vz|$A4oa?P^(q=To#w`Z*_!O@yi6Mv#P@dW>T~nGvNrq)28NkXJ z0na96n2T`8V17VV5#r(XH^5 zTkeRGL2yjFA^3mD5EQZaBFc6Y+DEbDM0^^%k}$XftvLJnkQL;p~8v>kHW2$o#%URT4uGn8h1{B|l-`@OmcLH=bbM z$iu#|ZUeV(Y=yp20Dt`lhG1%7kiE^%-2&uxMhAa0UCa6B6XR$RHxnns6}e1(c&UX2 z`ha00))16qzLnec-GKB%tMBJdOkUYzPpDtS>=Oel)pqRucJ#a`{PeCKk!BirKXl3V zYn}U8^}97`__tH-wQ5x^G~6$ZKYqgV2O@|a2hP6&Ce<(9eWPu(%;{#MR6qS1>RdU- zB}Wt+O27^bD(PRty7s8-3e;-2P&!-LDa(X5Z1d2j9;xFhDL@-tqqm9lzebsE$B zbHPV-*;Az|DUEkaX4u7FyBC4+j<_t58HYJ4){JWoCv!B8lB0P|2~YQ9juygt4`+p; z6moPcj8$Nqw!q{_muOWCnZ(Rp2xdtxc`-j#FbALRha4*DGhrhPH4|%uH7_M& z>`IAoBgFU$=KlU{Zj4_-jL)pBc9UJ{m(pkV@s(S8HkHL?EqCf*;Gf$wbaKwwDer#C zzqant*ym+|NsT*W61GR3n>Krmc4f@`43BlD`=8k5ruX;SUD*T2(E#JXPr~CS6#EF+ ziMh)AH2lvn4zY`0r;|W;_4&6^ci3o~`l1nLcPhDp=gEB5Z$dDZ8QTQ=az+@Sg~wPW zS42f}Oq0($bX+4$=WiQfIJQa{n*>H!5{Mqfw=_#lcF)s0NYT%#-5ga>d5Sp*4qWsXA_1aq5Q#GAU!>a0uhOk?jr}VRJ=eatm z;CNQqN>#Rnmxm+B5|k)df|d+xN_h4S8ewHyxh3c|l%Nu1*l#Zt12vPGC55D>u7a9A 
z`vx?%LL=CCI#_`Yz0e3NgUK;x8uA8oD6<2GNOhVd zM%Yh~TQm61Xexu1l|M41^9-Mngtq14(|0jT(Flv^!84z-Y#b-zel(wu<&tzP)RCbW7DnvMZ;_{!C0>&z$XWP>e8y+yam||H4hE zI0?_es6tVL#*DGX6KU@iz7q+97HzpWTLz7=;Tu~|q?vsoV3UxcXaG%;xd1YVoeRW_ zBpLEWGJp}bq?F4r2pNQh0wWB;0t}=QM>vZXk`YW3j9|752(*LDBB&^w2u_168iWkb z4QY}XVIYopBg`rg84fZ;GC&sHJtxS(Ho^>Sm(LxNUUP3(U|gZ`J@Zd+OuG@*ZiIn1 zMSj(<-3a?fzlrzNesSTe9hi8lOZ=lahvMC^=7$&p6i!j2l=JU^9C{04;qX+8<_KOp4hWQNHScQTd1- zC%3IgVGLCL&9e7=UB|U+E3XuHxjWDGoT7E^ReQ(Ksg4mbH!d#iX|}B3*nyiE?^rjQ zB;QKI92IMXSp}0hx`~pbDdt*-YAA{cOjTDw&cZp zrC<&ol7}2Tfu@e}2W}3!Lk@Z(L+vLTkqmISQRh!0j4;$?g_u<_cPsK^(CHx*T~4&> za%wYImkpqc`>J_6>t{y!YF-Fs9X)uWF{fwu%SP4}uTAofC7Mliali7+@Z^|5>rec) z=vC%iPXj@0a;2+i)0n(gIk#sbYYAcIAVRGLxa<{mSeWJngt0JY;9=j#oi z7s-%ncm2n%-#_-7`y?vH@dHgYZeJHaSA)8oaax;(?b>g%1&|7`g~G%(4JN{4vjGH3j27TC-Ye&48als3{9{vXM_P- z_yJe@_^3$9jj*nN+X%z4HNe;)o`3ZlVZVUr;*GHDr06l2>?ryv(g@q8e9(|5x)iPw zB6pXQ{leb}1L!##&kq{%!XX7R*9hyv{ze!MfhjLbnqWnu%5o;`M9-IJgyAVG)(DFk zLzbA8loDfNxwt?NrzbwV%UTa8a~loxODlErbk84>F}U%^fjztObPo03d$4)az8;fr z{87~__)*TN;yq>tTYMd}Q}?I+Q1P>^yRk#}*k}Dp9lFk47r9j}`klM!?CmDm&2p|d zp5Ij@`c*j`5C3Jl@bWPEJ&E*Pf+eUx4@%H-G{TIob4ySHlpqge*xW@b25Q-6#*8I3 zy+F})IcTbnM%dsx+}7a(nkFE_6m6*(gmqX%PD6O#7a`4-0)5b71sY*Sm0TURf(|~& zuxGKdBu3a9h=o`qEWREYX7%C5!iLb^Fi;^EvlNZ6YrpZ#rz{)iX58OuK9x(yLXC+i zBg|$&?xlgilZQswjw3u4M(lSNk*Aeq`%+~|rWUA+*c^?2MCvk#qDvm|3_=TIFsn5- z&dtbzv8jkqmc$4{2C+t1{9}?qQ6vLc7)fim3?Gm|*xwOhg#8AP63oG640gN#J?OcYd z$RI2f#|VqxER{GyXL$S*GJ*pr5xfloS(8}=Kd-``Y>krvfv%!B4-%9mF~UF`@kUtu zQ)F<<7Rdlv)IpoeKtl$$5w^;H{SSTK{$$$yqMg^LuIIzxn06zq-3V(p!tfVA|M8!s z{A&H8uXbSKtuFD8;v9;1!-3V(p!rG0nb|b8N~T02Qu$Eu1wUx(i?7613=~i9tS@W zX^CBc{530JmO0JGOz9gkN%fPkZ;ayqc@MalyM}#Z8TO634cxwQ8~O%xEaHP4T*Lgk zKM{HSfZ@?$8ncEKFM63cNBgDstkMo=t@9Il)c3g^KVIwTeBgnL&bGc0HWnW03 z#q$GiXs4YGTHft6KPKz0XRvO{RBs2}*@yCqcfldORU7nY>s%bXF1d2dnpY2}XUeVF z#Aw-nF^9f=^NKB=792ZL&=`sxbameLhBq~n3mx+_OQ#NOiJLG@=`HJ3O8KGv7YrU9 znbfBsL0xI0_YtdAdTg?!pSiJ(a8VoYh`-sg9eZKYu`>Tdc*hj~aL4ycMR= z)rPKK^?HoHLH65qF+9bc&j 
z^{71ia%?lkIxQB0$f{Uadct7Y-?qsRr2p0M`;hyZ`_I literal 0 HcmV?d00001 From e6d65c2a3c44d42e3ede6ec0fadd9e36267b6310 Mon Sep 17 00:00:00 2001 From: Nathan Scrivens Date: Tue, 28 May 2024 13:11:44 -0400 Subject: [PATCH 2/5] tests: dns additional section parsing feature 7011 --- .../dns/dns-udp-additionals-cookie/README.md | 4 + .../dns_additionals_cookie_udp.pcap | Bin 0 -> 506 bytes .../dns/dns-udp-additionals-cookie/test.yaml | 82 ++++++++++++++++++ tests/dns/dns-udp-additionals/README.md | 4 + .../dns_additionals_udp.pcap | Bin 0 -> 466 bytes tests/dns/dns-udp-additionals/test.yaml | 76 ++++++++++++++++ 6 files changed, 166 insertions(+) create mode 100644 tests/dns/dns-udp-additionals-cookie/README.md create mode 100755 tests/dns/dns-udp-additionals-cookie/dns_additionals_cookie_udp.pcap create mode 100644 tests/dns/dns-udp-additionals-cookie/test.yaml create mode 100644 tests/dns/dns-udp-additionals/README.md create mode 100755 tests/dns/dns-udp-additionals/dns_additionals_udp.pcap create mode 100644 tests/dns/dns-udp-additionals/test.yaml diff --git a/tests/dns/dns-udp-additionals-cookie/README.md b/tests/dns/dns-udp-additionals-cookie/README.md new file mode 100644 index 000000000..fce1cec6f --- /dev/null +++ b/tests/dns/dns-udp-additionals-cookie/README.md @@ -0,0 +1,4 @@ +Test parsing of dns response additional section records. OPT record with cookie rdata in response. + +Related issue: +https://redmine.openinfosecfoundation.org/issues/7011 
diff --git a/tests/dns/dns-udp-additionals-cookie/dns_additionals_cookie_udp.pcap b/tests/dns/dns-udp-additionals-cookie/dns_additionals_cookie_udp.pcap new file mode 100755 index 0000000000000000000000000000000000000000..6739b5ad1507e57b471bc97eebeccc3469495b90 GIT binary patch literal 506 zcmca|c+)~A1{MYcU}0bca@dvQ(tLJsGQMQxhBqJFlDe7%lUDIQ2}fO0|O&ldVYR-PAYS9el7z86G&830B9Hx@Gx*O zaLjVwu_%Lo;#QDl6`foRsXzrF46_Der7HttxVQnxG9P!4MIZ|qOefA{bpD$7<4R)# z&{&ZBIngaUzyr3DY0(x2Hs-uyqXRr>BE}dZh8Q9yKoJd~4U7yRb69S?SK>P0gUnap zI$(v&SK&Gkhs;;w0_vB6>K9O8^hoevVlV-R0RscbEOa>|xSSP+oEcm$4nxiYCWi=Q c83rx}30NS1aATECi&JJ7-Z;}M_aoO;0L0&9w*UYD literal 0 HcmV?d00001 diff --git a/tests/dns/dns-udp-additionals-cookie/test.yaml b/tests/dns/dns-udp-additionals-cookie/test.yaml new file mode 100644 index 000000000..75f2b4e58 --- /dev/null +++ b/tests/dns/dns-udp-additionals-cookie/test.yaml 
@@ -0,0 +1,82 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ dns.rrname: google.com
+ dns.rrtype: NS
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.type: answer
+ dns.rrname: google.com
+ dns.rrtype: NS
+ dns.rcode: NOERROR
+ dns.answers[0].rrname: google.com
+ dns.answers[0].rrtype: NS
+ dns.answers[0].ttl: 172724
+ dns.answers[0].rdata: ns2.google.com
+ dns.answers[1].rrname: google.com
+ dns.answers[1].rrtype: NS
+ dns.answers[1].ttl: 172724
+ dns.answers[1].rdata: ns3.google.com
+ dns.answers[2].rrname: google.com
+ dns.answers[2].rrtype: NS
+ dns.answers[2].ttl: 172724
+ dns.answers[2].rdata: ns1.google.com
+ dns.answers[3].rrname: google.com
+ dns.answers[3].rrtype: NS
+ dns.answers[3].ttl: 172724
+ dns.answers[3].rdata: ns4.google.com
+ dns.grouped.NS[0]: ns2.google.com
+ dns.grouped.NS[1]: ns3.google.com
+ dns.grouped.NS[2]: ns1.google.com
+ dns.grouped.NS[3]: ns4.google.com
+ dns.additionals.__len: 9
+ dns.additionals[0].rrname: ns2.google.com
+ dns.additionals[0].rrtype: A
+ dns.additionals[0].ttl: 172724
+ dns.additionals[0].rdata: 216.239.34.10
+ dns.additionals[1].rrname: ns1.google.com
+ dns.additionals[1].rrtype: A
+ dns.additionals[1].ttl: 172724
+ dns.additionals[1].rdata: 216.239.32.10
+ dns.additionals[2].rrname: ns3.google.com
+ dns.additionals[2].rrtype: A
+ dns.additionals[2].ttl: 172724
+ dns.additionals[2].rdata: 216.239.36.10
+ dns.additionals[3].rrname: ns4.google.com
+ dns.additionals[3].rrtype: A
+ dns.additionals[3].ttl: 172724
+ dns.additionals[3].rdata: 216.239.38.10
+ dns.additionals[4].rrname: ns2.google.com
+ dns.additionals[4].rrtype: AAAA
+ dns.additionals[4].ttl: 172724
+ dns.additionals[4].rdata: 2001:4860:4802:0034:0000:0000:0000:000a
+ dns.additionals[5].rrname: ns1.google.com
+ dns.additionals[5].rrtype: AAAA
+ dns.additionals[5].ttl: 172724
+ dns.additionals[5].rdata: 2001:4860:4802:0032:0000:0000:0000:000a
+ dns.additionals[6].rrname: ns3.google.com
+ dns.additionals[6].rrtype: AAAA
+ dns.additionals[6].ttl: 172724
+ dns.additionals[6].rdata: 2001:4860:4802:0036:0000:0000:0000:000a
+ dns.additionals[7].rrname: ns4.google.com
+ dns.additionals[7].rrtype: AAAA
+ dns.additionals[7].ttl: 172724
+ dns.additionals[7].rdata: 2001:4860:4802:0038:0000:0000:0000:000a
+ dns.additionals[8].rrname: ''
+ dns.additionals[8].rrtype: OPT
+ dns.additionals[8].ttl: 0
+ dns.additionals[8].opt.__len: 1
+ dns.additionals[8].opt[0].code: 10
+ dns.additionals[8].opt[0].data: 9a47b8a2680f91b5f046051d665e230713b1994a6df10ad5
+
\ No newline at end of file
diff --git a/tests/dns/dns-udp-additionals/README.md b/tests/dns/dns-udp-additionals/README.md
new file mode 100644
index 000000000..6d87f344c
--- /dev/null
+++ b/tests/dns/dns-udp-additionals/README.md
@@ -0,0 +1,4 @@
+Test parsing of dns response additional section records.
+
+Related issue:
+https://redmine.openinfosecfoundation.org/issues/7011
\ No newline at end of file
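Review bot: The OPT pseudo-record checks at the end of the response filter read like a normal RR, but `dns.additionals[8].ttl: 0` is not a TTL: in an OPT record the 32-bit TTL field carries the extended RCODE, EDNS version and flags (RFC 6891), so 0 here pins EDNS version 0 with the DO bit clear, and a reader of this test should know that is deliberate rather than a placeholder. I would add a YAML comment above `dns.additionals[8].rrtype: OPT` such as `# OPT pseudo-RR: "ttl" holds ext-RCODE/EDNS version/flags (0 = EDNS0, DO clear); option code 10 is DNS COOKIE (RFC 7873), 24 bytes = 8-byte client + 16-byte server cookie`. The 48-hex-digit `data` value is consistent with that split, and checking it as opaque bytes is the right level for a parsing test. Both new files end with `\ No newline at end of file`, and the last added line of test.yaml is blank or whitespace-only; dropping that line and terminating the file with a newline is worth doing before merge.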
diff --git a/tests/dns/dns-udp-additionals/dns_additionals_udp.pcap b/tests/dns/dns-udp-additionals/dns_additionals_udp.pcap new file mode 100755 index 0000000000000000000000000000000000000000..6e13509c5b28e38a9f5b73cd000805f4a16b676d GIT binary patch literal 466 zcmca|c+)~A1{MYcU}0bcaw@)rrU~s}Vh9AXL70O<{p{zvK$4q%2M2>I1A}wcN(Kf8 z!JiMg7#T%?m}^%OgDHc)Si+r5Mg_1D3=E8H>G}ETIjPLa`MC@XOdwHB0ia+Ob1z@qysV>WC?@mt|UhFgu*+SjSWDfKyKzlx8MK|*czrq zHyPNN^NLLl@SuqpV~7}Hh!_Dye1JAEGJwosx$$0s>wpz9Uxn*H95P>t>wpF_UyTc> qUk0jQK!MRC!Gnpx2<&YJ29R0ka%OP3I1D)xxSR%toCQn{DPRFt Date: Sat, 8 Jun 2024 17:31:39 -0600 Subject: [PATCH 3/5] dns: update for v3 dns request logging --- tests/bug-1158/test.yaml | 1128 ++++++++--------- tests/bug-856/test.yaml | 30 +- tests/bug-990/test.yaml | 9 +- tests/decode-teredo-01/test.yaml | 72 +- tests/dns-eve-log-https-only/test.yaml | 5 +- tests/dns-eve-type-filtering/test.yaml | 31 +- tests/dns-eve/test.yaml | 7 +- tests/dns-incomplete/test.yaml | 6 +- tests/dns-json-log/test.yaml | 2 +- tests/dns-reversed-tcp-1/test.yaml | 6 +- tests/dns-reversed-udp-1/test.yaml | 6 +- tests/dns-single-request/test.yaml | 11 +- tests/dns-tcp-multirequest-buffer/test.yaml | 7 +- tests/dns-tcp-ts-gap/test.yaml | 9 +- tests/dns-tcp-www-google-com/test.yaml | 11 +- .../dns-udp-double-request-response/test.yaml | 11 +- tests/dns-udp-eve-log-aaaa-only/test.yaml | 15 +- tests/dns-udp-eve-log-answer-only/test.yaml | 11 +- tests/dns-udp-eve-log-mx-only/test.yaml | 17 +- tests/dns-udp-eve-log-query-only/test.yaml | 9 +- tests/dns-udp-eve-log-srv/test.yaml | 14 +- tests/dns-udp-eve-v2-dig/test.yaml | 18 +- tests/dns-udp-eve-v2-txt/test.yaml | 31 +- tests/dns-udp-junkrequest-first/test.yaml | 8 +- tests/dns-udp-null/test.yaml | 10 +- tests/dns-udp-unsolicited-response/test.yaml | 7 +- tests/dns-z-bit/test.yaml | 15 +- tests/dns/dns-invalid-opcode/test.yaml | 49 +- tests/dns/dns-rcode/test.yaml | 4 +- tests/dns/dns-rrtype/test.yaml | 6 +- .../dns/dns-udp-additionals-cookie/test.yaml | 14 
+- tests/dns/dns-udp-additionals/test.yaml | 14 +- tests/ethernet-eve/test.yaml | 7 +- tests/vxlan-decoder-03/test.yaml | 16 +- 34 files changed, 816 insertions(+), 800 deletions(-) diff --git a/tests/bug-1158/test.yaml b/tests/bug-1158/test.yaml index 04b87a23a..5da1f2444 100644 --- a/tests/bug-1158/test.yaml +++ b/tests/bug-1158/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7 + min-version: 8 args: - -k none @@ -11,10 +11,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 49711 - dns.rrname: AAAAAO1kQA.=auth.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: AAAAAO1kQA.=auth.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 0 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 1 proto: UDP @@ -45,10 +45,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: AAAAAO1kQA.=auth.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: AAAAAO1kQA.=auth.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 2 proto: UDP @@ -60,10 +60,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 45160 - dns.rrname: hvOBgAABAEI5ODFGMjk4MEMyRTFFOEZDREI1MEZGRTA2OEIxQzMwODcyQTlBQjc.=auth.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvOBgAABAEI5ODFGMjk4MEMyRTFFOEZDREI1MEZGRTA2OEIxQzMwODcyQTlBQjc.=auth.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 2 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 3 proto: UDP @@ -94,10 +94,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvOBgAABAEI5ODFGMjk4MEMyRTFFOEZDREI1MEZGRTA2OEIxQzMwODcyQTlBQjc.=auth.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvOBgAABAEI5ODFGMjk4MEMyRTFFOEZDREI1MEZGRTA2OEIxQzMwODcyQTlBQjc.=auth.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 4 proto: UDP 
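Review bot: Each request and response check now asserts `dns.queries[0].rrname` / `dns.queries[0].rrtype` but never the length of the new `queries` array, so a v3 logger that emitted a duplicated or extra query entry would still pass; the harness's `__len` selector (used earlier in this series as `dns.additionals.__len`) covers it with `dns.queries.__len: 1` next to the `dns.queries[0]` lines. The same gap is present in every bug-1158 hunk that follows on this page and, presumably, in the other 33 test files receiving the same mechanical rewrite in this patch. Responses gain `dns.version: 3` while requests still assert no version at all, as before; if the v3 request record also carries `version`, pinning it there would make the `min-version: 8` bump self-checking. The bug-1158 file continues past the hunks shown here.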
@@ -109,10 +109,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 45946 - dns.rrname: hvP1kF5BAHNzaA.=connect.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvP1kF5BAHNzaA.=connect.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 4 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 5 proto: UDP @@ -143,10 +143,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvP1kF5BAHNzaA.=connect.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvP1kF5BAHNzaA.=connect.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 6 proto: UDP @@ -158,10 +158,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 20792 - dns.rrname: hvMAAAABBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAABBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 6 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 7 proto: UDP @@ -197,10 +197,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAABBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAABBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 8 proto: UDP @@ -212,10 +212,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 6169 - dns.rrname: hvMAAQACBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAQACBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 8 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 9 proto: UDP 
@@ -227,10 +227,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 3701 - dns.rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 9 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 10 proto: UDP @@ -242,10 +242,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 61227 - dns.rrname: hvMAAAAEBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAEBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 10 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 11 proto: UDP @@ -257,10 +257,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 25286 - dns.rrname: hvMAAAAFCAAABPQIFCP3jBGyCsqKjf9o1jmtOwgAAAC3ZWNkaC1zaGEyLW5pc3R.wMjU2LGVjZGgtc2hhMi1uaXN0cDM4NCxlY2RoLXNoYTItbmlzdHA1MjEsZGlmZm.llLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZp.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAFCAAABPQIFCP3jBGyCsqKjf9o1jmtOwgAAAC3ZWNkaC1zaGEyLW5pc3R.wMjU2LGVjZGgtc2hhMi1uaXN0cDM4NCxlY2RoLXNoYTItbmlzdHA1MjEsZGlmZm.llLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZp.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 11 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 12 proto: UDP @@ -272,10 +272,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 16087 - dns.rrname: hvMAAAAGBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAGBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 12 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 13 proto: UDP 
@@ -287,10 +287,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 35836 - dns.rrname: hvMAAAAHCGUtaGVsbG1hbi1ncm91cC1leGNoYW5nZS1zaGExLGRpZmZpZS1oZWx.sbWFuLWdyb3VwMTQtc2hhMSxkaWZmaWUtaGVsbG1hbi1ncm91cDEtc2hhMQAAAT.pzc2gtcnNhLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1yc2Et.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAHCGUtaGVsbG1hbi1ncm91cC1leGNoYW5nZS1zaGExLGRpZmZpZS1oZWx.sbWFuLWdyb3VwMTQtc2hhMSxkaWZmaWUtaGVsbG1hbi1ncm91cDEtc2hhMQAAAT.pzc2gtcnNhLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1yc2Et.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 13 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 14 proto: UDP @@ -302,10 +302,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 40074 - dns.rrname: hvMAAAAIBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAIBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 14 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 15 proto: UDP @@ -317,10 +317,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 12387 - dns.rrname: hvMAAAAJCGNlcnQtdjAwQG9wZW5zc2guY29tLHNzaC1yc2EsZWNkc2Etc2hhMi1.uaXN0cDI1Ni1jZXJ0LXYwMUBvcGVuc3NoLmNvbSxlY2RzYS1zaGEyLW5pc3RwMz.g0LWNlcnQtdjAxQG9wZW5zc2guY29tLGVjZHNhLXNoYTItbmlz.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAJCGNlcnQtdjAwQG9wZW5zc2guY29tLHNzaC1yc2EsZWNkc2Etc2hhMi1.uaXN0cDI1Ni1jZXJ0LXYwMUBvcGVuc3NoLmNvbSxlY2RzYS1zaGEyLW5pc3RwMz.g0LWNlcnQtdjAxQG9wZW5zc2guY29tLGVjZHNhLXNoYTItbmlz.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 15 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 16 proto: UDP @@ -332,10 +332,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 38415 - dns.rrname: hvMAAAAKBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAKBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 16 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 17 proto: UDP 
@@ -347,10 +347,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 25222 - dns.rrname: hvMAAAALCHRwNTIxLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1kc3MtY2VydC1.2MDFAb3BlbnNzaC5jb20sc3NoLWRzcy1jZXJ0LXYwMEBvcGVuc3NoLmNvbSxlY2.RzYS1zaGEyLW5pc3RwMjU2LGVjZHNhLXNoYTItbmlzdHAzODQs.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAALCHRwNTIxLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1kc3MtY2VydC1.2MDFAb3BlbnNzaC5jb20sc3NoLWRzcy1jZXJ0LXYwMEBvcGVuc3NoLmNvbSxlY2.RzYS1zaGEyLW5pc3RwMjU2LGVjZHNhLXNoYTItbmlzdHAzODQs.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 17 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 18 proto: UDP @@ -362,10 +362,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 20916 - dns.rrname: hvMAAAAMBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAMBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 18 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 19 proto: UDP @@ -377,10 +377,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 17352 - dns.rrname: hvMAAAANCGVjZHNhLXNoYTItbmlzdHA1MjEsc3NoLWRzcwAAAJ1hZXMxMjgtY3R.yLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYW.VzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEy.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAANCGVjZHNhLXNoYTItbmlzdHA1MjEsc3NoLWRzcwAAAJ1hZXMxMjgtY3R.yLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYW.VzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEy.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 19 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 20 proto: UDP @@ -392,10 +392,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 9521 - dns.rrname: hvMAAAAOBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAOBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 20 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 21 proto: UDP 
@@ -407,10 +407,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 36146 - dns.rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 21 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 22 proto: UDP @@ -422,10 +422,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 30696 - dns.rrname: hvMAAAAQBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAQBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 22 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 23 proto: UDP @@ -437,10 +437,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 18507 - dns.rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 23 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 24 proto: UDP 
@@ -452,10 +452,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 3486 - dns.rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 24 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 25 proto: UDP @@ -467,10 +467,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 65517 - dns.rrname: hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 25 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 26 proto: UDP @@ -482,10 +482,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 23977 - dns.rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 26 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 27 proto: UDP 
@@ -497,10 +497,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 31995 - dns.rrname: hvMAAAAVCGIAAAAAAAAAAAAAAAAAAAAAAAAAAAA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAAAVCGIAAAAAAAAAAAAAAAAAAAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 27 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 28 proto: UDP @@ -561,10 +561,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAQACBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAQACBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 29 proto: UDP @@ -620,10 +620,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAADCFNTSC0yLjAtT3BlblNTSF82LjBwMSBEZWJpYW4tNA0K.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 30 proto: UDP @@ -679,10 +679,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAEBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAEBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 31 proto: UDP @@ -694,10 +694,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 4289 - dns.rrname: hvMAAgAWBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAgAWBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 31 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 32 proto: UDP 
@@ -709,10 +709,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 53836 - dns.rrname: hvMAAwAXCAAAABQGIgAABAAAAAQAAAAgAAAAAAAAAA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAAwAXCAAAABQGIgAABAAAAAQAAAAgAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 32 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 33 proto: UDP @@ -724,10 +724,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 44271 - dns.rrname: hvMABAAYBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMABAAYBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 33 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 34 proto: UDP @@ -758,10 +758,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAFCAAABPQIFCP3jBGyCsqKjf9o1jmtOwgAAAC3ZWNkaC1zaGEyLW5pc3R.wMjU2LGVjZGgtc2hhMi1uaXN0cDM4NCxlY2RoLXNoYTItbmlzdHA1MjEsZGlmZm.llLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZp.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAFCAAABPQIFCP3jBGyCsqKjf9o1jmtOwgAAAC3ZWNkaC1zaGEyLW5pc3R.wMjU2LGVjZGgtc2hhMi1uaXN0cDM4NCxlY2RoLXNoYTItbmlzdHA1MjEsZGlmZm.llLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZp.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 35 proto: UDP @@ -792,10 +792,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAGBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAGBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 36 proto: UDP 
@@ -826,10 +826,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAHCGUtaGVsbG1hbi1ncm91cC1leGNoYW5nZS1zaGExLGRpZmZpZS1oZWx.sbWFuLWdyb3VwMTQtc2hhMSxkaWZmaWUtaGVsbG1hbi1ncm91cDEtc2hhMQAAAT.pzc2gtcnNhLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1yc2Et.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAHCGUtaGVsbG1hbi1ncm91cC1leGNoYW5nZS1zaGExLGRpZmZpZS1oZWx.sbWFuLWdyb3VwMTQtc2hhMSxkaWZmaWUtaGVsbG1hbi1ncm91cDEtc2hhMQAAAT.pzc2gtcnNhLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1yc2Et.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 37 proto: UDP @@ -860,10 +860,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAIBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAIBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 38 proto: UDP @@ -894,10 +894,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAJCGNlcnQtdjAwQG9wZW5zc2guY29tLHNzaC1yc2EsZWNkc2Etc2hhMi1.uaXN0cDI1Ni1jZXJ0LXYwMUBvcGVuc3NoLmNvbSxlY2RzYS1zaGEyLW5pc3RwMz.g0LWNlcnQtdjAxQG9wZW5zc2guY29tLGVjZHNhLXNoYTItbmlz.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAJCGNlcnQtdjAwQG9wZW5zc2guY29tLHNzaC1yc2EsZWNkc2Etc2hhMi1.uaXN0cDI1Ni1jZXJ0LXYwMUBvcGVuc3NoLmNvbSxlY2RzYS1zaGEyLW5pc3RwMz.g0LWNlcnQtdjAxQG9wZW5zc2guY29tLGVjZHNhLXNoYTItbmlz.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 39 proto: UDP @@ -909,10 +909,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 3462 - dns.rrname: hvMABQAZBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMABQAZBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 39 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 40 proto: UDP 
@@ -943,10 +943,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAKBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAKBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 41 proto: UDP @@ -977,10 +977,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAALCHRwNTIxLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1kc3MtY2VydC1.2MDFAb3BlbnNzaC5jb20sc3NoLWRzcy1jZXJ0LXYwMEBvcGVuc3NoLmNvbSxlY2.RzYS1zaGEyLW5pc3RwMjU2LGVjZHNhLXNoYTItbmlzdHAzODQs.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAALCHRwNTIxLWNlcnQtdjAxQG9wZW5zc2guY29tLHNzaC1kc3MtY2VydC1.2MDFAb3BlbnNzaC5jb20sc3NoLWRzcy1jZXJ0LXYwMEBvcGVuc3NoLmNvbSxlY2.RzYS1zaGEyLW5pc3RwMjU2LGVjZHNhLXNoYTItbmlzdHAzODQs.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 42 proto: UDP @@ -992,10 +992,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 52985 - dns.rrname: hvMABgAaBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMABgAaBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 42 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 43 proto: UDP @@ -1026,10 +1026,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAANCGVjZHNhLXNoYTItbmlzdHA1MjEsc3NoLWRzcwAAAJ1hZXMxMjgtY3R.yLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYW.VzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEy.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAANCGVjZHNhLXNoYTItbmlzdHA1MjEsc3NoLWRzcwAAAJ1hZXMxMjgtY3R.yLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYW.VzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEy.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 44 proto: UDP 
@@ -1060,10 +1060,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAMBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAMBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 45 proto: UDP @@ -1075,10 +1075,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 12894 - dns.rrname: hvMABwAbBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMABwAbBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 45 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 46 proto: UDP @@ -1124,10 +1124,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAOBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAOBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 47 proto: UDP @@ -1139,10 +1139,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 50286 - dns.rrname: hvMACAAcBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMACAAcBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 47 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 48 proto: UDP @@ -1154,10 +1154,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 62058 - dns.rrname: hvMACQAdCAAAAIwGIAAAAIAx3itE7XsxfNFkKSwpm/QL2R+3hW5GnOrZviY9/TR.O7d2QlxOeCwmGsxERu0+5DKpF6kwJroS1n8v8wLvqu3jSeOjVnYb7Fo3jRoLT3z.mxMiqSuKTuBNWXb5QoROHUYVRZIqMC+OtncdVw0LG0/FO/Kq8n.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMACQAdCAAAAIwGIAAAAIAx3itE7XsxfNFkKSwpm/QL2R+3hW5GnOrZviY9/TR.O7d2QlxOeCwmGsxERu0+5DKpF6kwJroS1n8v8wLvqu3jSeOjVnYb7Fo3jRoLT3z.mxMiqSuKTuBNWXb5QoROHUYVRZIqMC+OtncdVw0LG0/FO/Kq8n.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 48 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 49 proto: UDP 
@@ -1169,10 +1169,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 3337 - dns.rrname: hvMACgAeBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMACgAeBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 49 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 50 proto: UDP @@ -1184,10 +1184,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 12496 - dns.rrname: hvMACwAfCJpX6DB9O+5TQ+oIfbIAAAAAAAA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMACwAfCJpX6DB9O+5TQ+oIfbIAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 50 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 51 proto: UDP @@ -1233,10 +1233,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAPCDgtY2JjLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5.kYWVsLWNiY0BseXNhdG9yLmxpdS5zZQAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdH.IsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVz.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 52 proto: UDP @@ -1297,10 +1297,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAQBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAQBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 53 proto: UDP 
@@ -1346,10 +1346,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAARCDEyOC1jYmMsM2Rlcy1jYmMsYmxvd2Zpc2gtY2JjLGNhc3QxMjgtY2J.jLGFlczE5Mi1jYmMsYWVzMjU2LWNiYyxhcmNmb3VyLHJpam5kYWVsLWNiY0BseX.NhdG9yLmxpdS5zZQAAAKdobWFjLW1kNSxobWFjLXNoYTEsdW1h.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 54 proto: UDP @@ -1390,10 +1390,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAASCGMtNjRAb3BlbnNzaC5jb20saG1hYy1zaGEyLTI1NixobWFjLXNoYTI.tMjU2LTk2LGhtYWMtc2hhMi01MTIsaG1hYy1zaGEyLTUxMi05NixobWFjLXJpcG.VtZDE2MCxobWFjLXJpcGVtZDE2MEBvcGVuc3NoLmNvbSxobWFj.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 55 proto: UDP @@ -1405,10 +1405,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 24710 - dns.rrname: hvMADAAgBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMADAAgBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 55 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 56 proto: UDP @@ -1420,10 +1420,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 14096 - dns.rrname: hvMADQAhCAAAAAwKFQAAAAAAAAAAAAA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMADQAhCAAAAAwKFQAAAAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 56 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 57 proto: UDP 
@@ -1435,10 +1435,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 6981 - dns.rrname: hvMADgAiCA9HZU8tQch3tlBA02t6sZzFinsHVFjV9fsbIgJzGV6aC9IX8jmSF82.xjb4dW8dzrA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMADgAiCA9HZU8tQch3tlBA02t6sZzFinsHVFjV9fsbIgJzGV6aC9IX8jmSF82.xjb4dW8dzrA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 57 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 58 proto: UDP @@ -1474,10 +1474,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAATCC1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAp2htYWMtbWQ1LGhtYWMtc2h.hMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtc2hhMi0yNTYsaG1hYy1zaGEyLT.I1Ni05NixobWFjLXNoYTItNTEyLGhtYWMtc2hhMi01MTItOTYs.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 59 proto: UDP @@ -1489,10 +1489,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 613 - dns.rrname: hvMADwAjCDvIMWnWlrLs3njbinEmXNQVYiJ1Hf0sRyNE7D/1NF1b8clSdB/dmtu.UbGQcz7UrbBHNGJWtlVUBLpj6DTggRC0.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMADwAjCDvIMWnWlrLs3njbinEmXNQVYiJ1Hf0sRyNE7D/1NF1b8clSdB/dmtu.UbGQcz7UrbBHNGJWtlVUBLpj6DTggRC0.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 59 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 60 proto: UDP 
@@ -1528,10 +1528,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAUCGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29.tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC.5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxp.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 61 proto: UDP @@ -1562,10 +1562,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAAAVCGIAAAAAAAAAAAAAAAAAAAAAAAAAAAA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAAAVCGIAAAAAAAAAAAAAAAAAAAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 62 proto: UDP @@ -1596,10 +1596,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAwAXCAAAABQGIgAABAAAAAQAAAAgAAAAAAAAAA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAwAXCAAAABQGIgAABAAAAAQAAAAgAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 63 proto: UDP @@ -1630,10 +1630,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAAgAWBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAAgAWBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 64 proto: UDP 
@@ -1664,10 +1664,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMABgAaBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMABgAaBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 65 proto: UDP @@ -1698,10 +1698,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMABwAbBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMABwAbBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 66 proto: UDP @@ -1732,10 +1732,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMABAAYBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMABAAYBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 67 proto: UDP @@ -1766,10 +1766,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMACgAeBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMACgAeBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 68 proto: UDP @@ -1800,10 +1800,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMACwAfCJpX6DB9O+5TQ+oIfbIAAAAAAAA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMACwAfCJpX6DB9O+5TQ+oIfbIAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 69 proto: UDP 
@@ -1834,10 +1834,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMADQAhCAAAAAwKFQAAAAAAAAAAAAA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMADQAhCAAAAAwKFQAAAAAAAAAAAAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 70 proto: UDP @@ -1868,10 +1868,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMADgAiCA9HZU8tQch3tlBA02t6sZzFinsHVFjV9fsbIgJzGV6aC9IX8jmSF82.xjb4dW8dzrA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMADgAiCA9HZU8tQch3tlBA02t6sZzFinsHVFjV9fsbIgJzGV6aC9IX8jmSF82.xjb4dW8dzrA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 71 proto: UDP @@ -1902,10 +1902,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMADAAgBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMADAAgBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 72 proto: UDP @@ -1936,10 +1936,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMABQAZBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMABQAZBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 73 proto: UDP @@ -1951,10 +1951,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 21974 - dns.rrname: hvMAEAAkBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAEAAkBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 73 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 74 proto: UDP 
@@ -1985,10 +1985,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMACAAcBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMACAAcBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 75 proto: UDP @@ -2019,10 +2019,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMACQAdCAAAAIwGIAAAAIAx3itE7XsxfNFkKSwpm/QL2R+3hW5GnOrZviY9/TR.O7d2QlxOeCwmGsxERu0+5DKpF6kwJroS1n8v8wLvqu3jSeOjVnYb7Fo3jRoLT3z.mxMiqSuKTuBNWXb5QoROHUYVRZIqMC+OtncdVw0LG0/FO/Kq8n.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMACQAdCAAAAIwGIAAAAIAx3itE7XsxfNFkKSwpm/QL2R+3hW5GnOrZviY9/TR.O7d2QlxOeCwmGsxERu0+5DKpF6kwJroS1n8v8wLvqu3jSeOjVnYb7Fo3jRoLT3z.mxMiqSuKTuBNWXb5QoROHUYVRZIqMC+OtncdVw0LG0/FO/Kq8n.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 76 proto: UDP @@ -2034,10 +2034,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 22814 - dns.rrname: hvMAEQAlBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAEQAlBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 76 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 77 proto: UDP @@ -2068,10 +2068,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMADwAjCDvIMWnWlrLs3njbinEmXNQVYiJ1Hf0sRyNE7D/1NF1b8clSdB/dmtu.UbGQcz7UrbBHNGJWtlVUBLpj6DTggRC0.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMADwAjCDvIMWnWlrLs3njbinEmXNQVYiJ1Hf0sRyNE7D/1NF1b8clSdB/dmtu.UbGQcz7UrbBHNGJWtlVUBLpj6DTggRC0.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 78 proto: UDP 
@@ -2083,10 +2083,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 34425 - dns.rrname: hvMAEgAmBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAEgAmBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 78 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 79 proto: UDP @@ -2117,10 +2117,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAEAAkBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAEAAkBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 80 proto: UDP @@ -2151,10 +2151,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAEgAmBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAEgAmBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 81 proto: UDP @@ -2185,10 +2185,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAEQAlBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAEQAlBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 82 proto: UDP @@ -2200,10 +2200,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 28769 - dns.rrname: hvMAEwAnBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAEwAnBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 82 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 83 proto: UDP @@ -2234,10 +2234,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAEwAnBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAEwAnBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 85 proto: UDP 
@@ -2249,10 +2249,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 51221 - dns.rrname: hvMAFAAoBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAFAAoBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 84 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 86 proto: UDP @@ -2264,10 +2264,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 15585 - dns.rrname: hvMAFQApCOmk2dTdJciDeU1HxaGwOxqdUoJGVho6Jcrgg3EXVwhzTkpRmB3Xrlz.lp2FAtTgUIZC5aeEQm7x/NitPsl8n+xyl8BtH2fraIRJb3eGrIteLsXobanq4+P.pJZNPyaIW2oKX3+ZSx3BKNpSkJpD232RvTt1J7dNuhqFQgFcnd.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAFQApCOmk2dTdJciDeU1HxaGwOxqdUoJGVho6Jcrgg3EXVwhzTkpRmB3Xrlz.lp2FAtTgUIZC5aeEQm7x/NitPsl8n+xyl8BtH2fraIRJb3eGrIteLsXobanq4+P.pJZNPyaIW2oKX3+ZSx3BKNpSkJpD232RvTt1J7dNuhqFQgFcnd.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 85 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 88 proto: UDP @@ -2279,10 +2279,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 61116 - dns.rrname: hvMAFgAqBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAFgAqBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 86 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 89 proto: UDP @@ -2294,10 +2294,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 39265 - dns.rrname: hvMAFwArCMfOP+frB4IA0L7UWQjJpzeyMOo.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAFwArCMfOP+frB4IA0L7UWQjJpzeyMOo.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 87 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 90 proto: UDP @@ -2309,10 +2309,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 21179 - dns.rrname: hvMAGAAsBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAGAAsBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 88 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 91 proto: UDP 
@@ -2343,10 +2343,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAFAAoBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAFAAoBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 92 proto: UDP @@ -2377,10 +2377,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAFQApCOmk2dTdJciDeU1HxaGwOxqdUoJGVho6Jcrgg3EXVwhzTkpRmB3Xrlz.lp2FAtTgUIZC5aeEQm7x/NitPsl8n+xyl8BtH2fraIRJb3eGrIteLsXobanq4+P.pJZNPyaIW2oKX3+ZSx3BKNpSkJpD232RvTt1J7dNuhqFQgFcnd.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAFQApCOmk2dTdJciDeU1HxaGwOxqdUoJGVho6Jcrgg3EXVwhzTkpRmB3Xrlz.lp2FAtTgUIZC5aeEQm7x/NitPsl8n+xyl8BtH2fraIRJb3eGrIteLsXobanq4+P.pJZNPyaIW2oKX3+ZSx3BKNpSkJpD232RvTt1J7dNuhqFQgFcnd.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 93 proto: UDP @@ -2411,10 +2411,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAFgAqBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAFgAqBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 94 proto: UDP @@ -2445,10 +2445,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAFwArCMfOP+frB4IA0L7UWQjJpzeyMOo.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAFwArCMfOP+frB4IA0L7UWQjJpzeyMOo.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 95 proto: UDP 
@@ -2479,10 +2479,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAGAAsBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAGAAsBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 96 proto: UDP @@ -2494,10 +2494,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 54669 - dns.rrname: hvMAGQAtBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAGQAtBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 94 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 97 proto: UDP @@ -2528,10 +2528,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAGQAtBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAGQAtBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 98 proto: UDP @@ -2543,10 +2543,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 14161 - dns.rrname: hvMAGgAuBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAGgAuBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 96 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 99 proto: UDP @@ -2558,10 +2558,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 8495 - dns.rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 97 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 100 proto: UDP 
@@ -2573,10 +2573,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 27970 - dns.rrname: hvMAHAAwBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAHAAwBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 98 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 101 proto: UDP @@ -2588,10 +2588,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 5825 - dns.rrname: hvMAHQAxCMctAA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 99 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 102 proto: UDP @@ -2603,10 +2603,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 5562 - dns.rrname: hvMAHgAyBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAHgAyBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 100 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 103 proto: UDP @@ -2642,10 +2642,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAGgAuBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAGgAuBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 104 proto: UDP @@ -2657,10 +2657,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 53290 - dns.rrname: hvMAHwAzBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAHwAzBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 102 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 105 proto: UDP 
@@ -2672,10 +2672,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 37620 - dns.rrname: hvMAIAA0CIUaLlwuNSK5phv3q0D7jN6FjRu9RhxF2jLcd4ePd/Ssv/fMHo1x7lZ.IJnb9FnEAoCBZUQqizMnd8d+FTgkJK7USPgmxOyR63Yy6sNxUuGdIvZ2Kd8OWaG.qrHQleDgvLDVxhdkeZ4jOUkbqywhagjgn+6LosU/HVT0V2Oql1.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAIAA0CIUaLlwuNSK5phv3q0D7jN6FjRu9RhxF2jLcd4ePd/Ssv/fMHo1x7lZ.IJnb9FnEAoCBZUQqizMnd8d+FTgkJK7USPgmxOyR63Yy6sNxUuGdIvZ2Kd8OWaG.qrHQleDgvLDVxhdkeZ4jOUkbqywhagjgn+6LosU/HVT0V2Oql1.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 103 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 106 proto: UDP @@ -2687,10 +2687,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 11415 - dns.rrname: hvMAIQA1BA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAIQA1BA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 104 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 107 proto: UDP @@ -2702,10 +2702,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 41507 - dns.rrname: hvMAIgA2CCeD1WxPA+m6eHkF1n4qobRCBC/O73OvopuCyJypzQ25p3ZMZeGznpo.Ugpn1L9G8f6H8rrjflBw9YW6C5VxOgiByMyvi1C8xpbuu19dr/b78i9BWGXlzHB.dai5EtV2d2YHxl6AjuP7vZNbkgVL99AScD38jT145YVJuQ2v2j.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAIgA2CCeD1WxPA+m6eHkF1n4qobRCBC/O73OvopuCyJypzQ25p3ZMZeGznpo.Ugpn1L9G8f6H8rrjflBw9YW6C5VxOgiByMyvi1C8xpbuu19dr/b78i9BWGXlzHB.dai5EtV2d2YHxl6AjuP7vZNbkgVL99AScD38jT145YVJuQ2v2j.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 105 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 108 proto: UDP @@ -2717,10 +2717,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 58854 - dns.rrname: hvMAIwA3BA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAIwA3BA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 106 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 109 proto: UDP 
@@ -2732,10 +2732,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 30729 - dns.rrname: hvMAJAA4CIA3u9zI4HdwAkw2T+n7SYuJHT590+/Y/WkV2jlx6OOhrYYBrH+fF/x.LeqpHbkkYohzQd/aIDDnUnhr+xtyHzrK4Chm5Q9UJmpATyFkU2wWdLs6S3sTeji.sy9fNH+znOgkge5l3POd3slPeZcbLITaDsTaHWEnrwDLMIQ9lw.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAJAA4CIA3u9zI4HdwAkw2T+n7SYuJHT590+/Y/WkV2jlx6OOhrYYBrH+fF/x.LeqpHbkkYohzQd/aIDDnUnhr+xtyHzrK4Chm5Q9UJmpATyFkU2wWdLs6S3sTeji.sy9fNH+znOgkge5l3POd3slPeZcbLITaDsTaHWEnrwDLMIQ9lw.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 107 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 110 proto: UDP @@ -2747,10 +2747,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 23354 - dns.rrname: hvMAJQA5BA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAJQA5BA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 108 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 111 proto: UDP @@ -2762,10 +2762,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 13941 - dns.rrname: hvMAJgA6CNgjb+jJ6jrjge2Jq6S6yufEuid5p1tRS8WmR2IHxwpt6vjhkRJFI8o.9XnSTflh5C6a068gKqhfPSR4M2a/Fo0+L4l+m5yIvRoc.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAJgA6CNgjb+jJ6jrjge2Jq6S6yufEuid5p1tRS8WmR2IHxwpt6vjhkRJFI8o.9XnSTflh5C6a068gKqhfPSR4M2a/Fo0+L4l+m5yIvRoc.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 109 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 112 proto: UDP @@ -2777,10 +2777,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 27613 - dns.rrname: hvMAJwA7BA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAJwA7BA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 110 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 113 proto: UDP 
@@ -2821,10 +2821,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAGwAvCIkrV/ReccpWoXylVptppBSwm4rQVj+LUzMpFyro3rmKmtRhPMMj0V1.cj60bkoYzh0QlrH6vAMPPSOm7RzOWJNTchkHY5KGt+pyYHPD9I6/81p1PCZuPXi.XMBHf6s08VExh7KxEtR8jggl/dxizgPmqbsBFw1yAsoWmDeEHj.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 114 proto: UDP @@ -2836,10 +2836,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 22948 - dns.rrname: hvMAKAA8BA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAKAA8BA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 112 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 115 proto: UDP @@ -2900,10 +2900,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAHAAwBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAHAAwBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 116 proto: UDP @@ -2949,10 +2949,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAHQAxCMctAA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAHQAxCMctAA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 117 proto: UDP @@ -2964,10 +2964,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 62607 - dns.rrname: hvMAKQA9BA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAKQA9BA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 115 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 118 proto: UDP 
@@ -3003,10 +3003,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAHgAyBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAHgAyBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 119 proto: UDP @@ -3018,10 +3018,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 5125 - dns.rrname: hvMAKgA+BA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAKgA+BA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 117 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 120 proto: UDP @@ -3052,10 +3052,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAKAA8BA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAKAA8BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 122 proto: UDP @@ -3086,10 +3086,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAHwAzBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAHwAzBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 123 proto: UDP @@ -3120,10 +3120,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAIAA0CIUaLlwuNSK5phv3q0D7jN6FjRu9RhxF2jLcd4ePd/Ssv/fMHo1x7lZ.IJnb9FnEAoCBZUQqizMnd8d+FTgkJK7USPgmxOyR63Yy6sNxUuGdIvZ2Kd8OWaG.qrHQleDgvLDVxhdkeZ4jOUkbqywhagjgn+6LosU/HVT0V2Oql1.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAIAA0CIUaLlwuNSK5phv3q0D7jN6FjRu9RhxF2jLcd4ePd/Ssv/fMHo1x7lZ.IJnb9FnEAoCBZUQqizMnd8d+FTgkJK7USPgmxOyR63Yy6sNxUuGdIvZ2Kd8OWaG.qrHQleDgvLDVxhdkeZ4jOUkbqywhagjgn+6LosU/HVT0V2Oql1.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 124 proto: UDP 
@@ -3154,10 +3154,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAIQA1BA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAIQA1BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 125 proto: UDP @@ -3188,10 +3188,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAKQA9BA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAKQA9BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 126 proto: UDP @@ -3203,10 +3203,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 64110 - dns.rrname: hvMAKwA/BA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAKwA/BA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 123 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 127 proto: UDP @@ -3237,10 +3237,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAIgA2CCeD1WxPA+m6eHkF1n4qobRCBC/O73OvopuCyJypzQ25p3ZMZeGznpo.Ugpn1L9G8f6H8rrjflBw9YW6C5VxOgiByMyvi1C8xpbuu19dr/b78i9BWGXlzHB.dai5EtV2d2YHxl6AjuP7vZNbkgVL99AScD38jT145YVJuQ2v2j.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAIgA2CCeD1WxPA+m6eHkF1n4qobRCBC/O73OvopuCyJypzQ25p3ZMZeGznpo.Ugpn1L9G8f6H8rrjflBw9YW6C5VxOgiByMyvi1C8xpbuu19dr/b78i9BWGXlzHB.dai5EtV2d2YHxl6AjuP7vZNbkgVL99AScD38jT145YVJuQ2v2j.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 128 proto: UDP @@ -3271,10 +3271,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAIwA3BA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAIwA3BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 129 proto: UDP 
@@ -3305,10 +3305,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAJAA4CIA3u9zI4HdwAkw2T+n7SYuJHT590+/Y/WkV2jlx6OOhrYYBrH+fF/x.LeqpHbkkYohzQd/aIDDnUnhr+xtyHzrK4Chm5Q9UJmpATyFkU2wWdLs6S3sTeji.sy9fNH+znOgkge5l3POd3slPeZcbLITaDsTaHWEnrwDLMIQ9lw.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAJAA4CIA3u9zI4HdwAkw2T+n7SYuJHT590+/Y/WkV2jlx6OOhrYYBrH+fF/x.LeqpHbkkYohzQd/aIDDnUnhr+xtyHzrK4Chm5Q9UJmpATyFkU2wWdLs6S3sTeji.sy9fNH+znOgkge5l3POd3slPeZcbLITaDsTaHWEnrwDLMIQ9lw.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 130 proto: UDP @@ -3339,10 +3339,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAJQA5BA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAJQA5BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 131 proto: UDP @@ -3373,10 +3373,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAJgA6CNgjb+jJ6jrjge2Jq6S6yufEuid5p1tRS8WmR2IHxwpt6vjhkRJFI8o.9XnSTflh5C6a068gKqhfPSR4M2a/Fo0+L4l+m5yIvRoc.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAJgA6CNgjb+jJ6jrjge2Jq6S6yufEuid5p1tRS8WmR2IHxwpt6vjhkRJFI8o.9XnSTflh5C6a068gKqhfPSR4M2a/Fo0+L4l+m5yIvRoc.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 132 proto: UDP @@ -3388,10 +3388,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 15010 - dns.rrname: hvMALABABA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMALABABA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 129 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 133 proto: UDP 
@@ -3422,10 +3422,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAJwA7BA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAJwA7BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 134 proto: UDP @@ -3437,10 +3437,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 824 - dns.rrname: hvMALQBBBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMALQBBBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 131 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 135 proto: UDP @@ -3471,10 +3471,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAKwA/BA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAKwA/BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 136 proto: UDP @@ -3505,10 +3505,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMALABABA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMALABABA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 137 proto: UDP @@ -3539,10 +3539,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAKgA+BA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAKgA+BA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 138 proto: UDP @@ -3573,10 +3573,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMALQBBBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMALQBBBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 139 proto: UDP 
@@ -3588,10 +3588,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 30595 - dns.rrname: hvMALgBCBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMALgBCBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 136 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 140 proto: UDP @@ -3622,10 +3622,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMALgBCBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMALgBCBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 141 proto: UDP @@ -3637,10 +3637,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 59164 - dns.rrname: hvMALwBDBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMALwBDBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 138 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 142 proto: UDP @@ -3671,10 +3671,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMALwBDBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMALwBDBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 143 proto: UDP @@ -3686,10 +3686,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 11618 - dns.rrname: hvMAMABEBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAMABEBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 140 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 144 proto: UDP @@ -3720,10 +3720,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAMABEBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAMABEBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 145 proto: UDP 
@@ -3735,10 +3735,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 8037 - dns.rrname: hvMAMQBFBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAMQBFBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 142 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 146 proto: UDP @@ -3769,10 +3769,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAMQBFBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAMQBFBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 147 proto: UDP @@ -3784,10 +3784,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 3379 - dns.rrname: hvMAMgBGBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAMgBGBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 144 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 148 proto: UDP @@ -3818,10 +3818,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAMgBGBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAMgBGBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 149 proto: UDP @@ -3833,10 +3833,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 40311 - dns.rrname: hvMAMwBHBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAMwBHBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 146 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 150 proto: UDP @@ -3867,10 +3867,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAMwBHBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAMwBHBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 151 proto: UDP 
@@ -3882,10 +3882,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 8006 - dns.rrname: hvMANABIBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMANABIBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 148 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 152 proto: UDP @@ -3916,10 +3916,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMANABIBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMANABIBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 153 proto: UDP @@ -3931,10 +3931,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 32072 - dns.rrname: hvMANQBJBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMANQBJBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 150 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 154 proto: UDP @@ -3965,10 +3965,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMANQBJBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMANQBJBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 155 proto: UDP @@ -3980,10 +3980,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 14229 - dns.rrname: hvMANgBKBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMANgBKBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 152 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 156 proto: UDP @@ -4014,10 +4014,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMANgBKBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMANgBKBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 157 proto: UDP 
@@ -4029,10 +4029,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 17107 - dns.rrname: hvMANwBLBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMANwBLBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 154 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 158 proto: UDP @@ -4063,10 +4063,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMANwBLBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMANwBLBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 159 proto: UDP @@ -4078,10 +4078,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 38783 - dns.rrname: hvMAOABMBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAOABMBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 156 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 160 proto: UDP @@ -4112,10 +4112,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAOABMBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAOABMBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 161 proto: UDP @@ -4127,10 +4127,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 64639 - dns.rrname: hvMAOQBNBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAOQBNBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 158 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 162 proto: UDP @@ -4161,10 +4161,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: hvMAOQBNBA.srv.tunnel.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: hvMAOQBNBA.srv.tunnel.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 163 proto: UDP 
@@ -4176,10 +4176,10 @@ checks: dest_ip: 10.30.28.94 dest_port: 53 dns.id: 41923 - dns.rrname: hvMAOgBOBA.srv.tunnel.com - dns.rrtype: TXT + dns.queries[0].rrname: hvMAOgBOBA.srv.tunnel.com + dns.queries[0].rrtype: TXT dns.tx_id: 160 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 164 proto: UDP diff --git a/tests/bug-856/test.yaml b/tests/bug-856/test.yaml index e77f135c7..11a95afb7 100644 --- a/tests/bug-856/test.yaml +++ b/tests/bug-856/test.yaml @@ -1,7 +1,7 @@ pcap: ../dns-udp-z-flag-fp/suricatafpdnsdecoder.pcap requires: - min-version: 6 + min-version: 8 args: - -k none @@ -13,10 +13,10 @@ checks: dest_ip: 192.168.42.129 dest_port: 53 dns.id: 59165 - dns.rrname: static.programme-tv.net - dns.rrtype: A + dns.queries[0].rrname: static.programme-tv.net + dns.queries[0].rrtype: A dns.tx_id: 0 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 1 proto: UDP @@ -28,10 +28,10 @@ checks: dest_ip: 192.168.42.129 dest_port: 53 dns.id: 25783 - dns.rrname: static.programme-tv.net - dns.rrtype: AAAA + dns.queries[0].rrname: static.programme-tv.net + dns.queries[0].rrtype: AAAA dns.tx_id: 1 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 2 proto: UDP @@ -68,10 +68,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: static.programme-tv.net - dns.rrtype: A - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: static.programme-tv.net + dns.queries[0].rrtype: A + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 3 proto: UDP @@ -108,10 +108,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: static.programme-tv.net - dns.rrtype: AAAA - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: static.programme-tv.net + dns.queries[0].rrtype: AAAA + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 4 proto: UDP diff --git a/tests/bug-990/test.yaml b/tests/bug-990/test.yaml index 4499ae802..4b61a4295 100644 --- a/tests/bug-990/test.yaml 
+++ b/tests/bug-990/test.yaml @@ -1,3 +1,6 @@ +requires: + min-version: 8 + args: - -k none @@ -12,10 +15,10 @@ checks: dest_ip: 192.38.129.234 dest_port: 53 dns.id: 28390 - dns.rrname: code.msdn.microsoft.com - dns.rrtype: A + dns.queries[0].rrname: code.msdn.microsoft.com + dns.queries[0].rrtype: A dns.tx_id: 0 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 1 proto: UDP diff --git a/tests/decode-teredo-01/test.yaml b/tests/decode-teredo-01/test.yaml index fa107662a..85014e83a 100644 --- a/tests/decode-teredo-01/test.yaml +++ b/tests/decode-teredo-01/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7 + min-version: 8 args: - -k none @@ -11,10 +11,10 @@ checks: dest_ip: 192.168.2.1 dest_port: 53 dns.id: 16995 - dns.rrname: ipv6.google.com - dns.rrtype: AAAA + dns.queries[0].rrname: ipv6.google.com + dns.queries[0].rrtype: AAAA dns.tx_id: 0 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 21 proto: UDP @@ -69,10 +69,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: ipv6.google.com - dns.rrtype: AAAA - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: ipv6.google.com + dns.queries[0].rrtype: AAAA + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 22 proto: UDP @@ -84,10 +84,10 @@ checks: dest_ip: 192.168.2.1 dest_port: 53 dns.id: 19995 - dns.rrname: ipv6.google.com - dns.rrtype: A + dns.queries[0].rrname: ipv6.google.com + dns.queries[0].rrtype: A dns.tx_id: 2 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 23 proto: UDP @@ -141,10 +141,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: ipv6.google.com - dns.rrtype: A - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: ipv6.google.com + dns.queries[0].rrtype: A + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 24 proto: UDP 
@@ -156,10 +156,10 @@ checks: dest_ip: 192.168.2.1 dest_port: 53 dns.id: 38477 - dns.rrname: www.wireshark.org - dns.rrtype: AAAA + dns.queries[0].rrname: www.wireshark.org + dns.queries[0].rrtype: AAAA dns.tx_id: 4 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 58 proto: UDP @@ -177,10 +177,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: www.wireshark.org - dns.rrtype: AAAA - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: www.wireshark.org + dns.queries[0].rrtype: AAAA + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 59 proto: UDP @@ -211,10 +211,10 @@ checks: dest_ip: 192.168.2.1 dest_port: 53 dns.id: 26746 - dns.rrname: www.wireshark.org.gateway.2wire.net - dns.rrtype: AAAA + dns.queries[0].rrname: www.wireshark.org.gateway.2wire.net + dns.queries[0].rrtype: AAAA dns.tx_id: 6 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 60 proto: UDP @@ -231,10 +231,10 @@ checks: dns.qr: true dns.rcode: REFUSED dns.rd: true - dns.rrname: www.wireshark.org.gateway.2wire.net - dns.rrtype: AAAA - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: www.wireshark.org.gateway.2wire.net + dns.queries[0].rrtype: AAAA + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 61 proto: UDP @@ -246,10 +246,10 @@ checks: dest_ip: 192.168.2.1 dest_port: 53 dns.id: 34278 - dns.rrname: www.wireshark.org - dns.rrtype: A + dns.queries[0].rrname: www.wireshark.org + dns.queries[0].rrtype: A dns.tx_id: 8 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 62 proto: UDP @@ -272,10 +272,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: www.wireshark.org - dns.rrtype: A - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: www.wireshark.org + dns.queries[0].rrtype: A + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 63 proto: UDP 
diff --git a/tests/dns-eve-log-https-only/test.yaml b/tests/dns-eve-log-https-only/test.yaml index 43aaf832e..4617f0f79 100644 --- a/tests/dns-eve-log-https-only/test.yaml +++ b/tests/dns-eve-log-https-only/test.yaml @@ -1,7 +1,10 @@ +requires: + min-version: 8 + checks: # Check that we only have requests and responses for HTTPS records. - filter: count: 1 match: event_type: "dns" - dns.rrtype: "HTTPS" + dns.queries[0].rrtype: "HTTPS" diff --git a/tests/dns-eve-type-filtering/test.yaml b/tests/dns-eve-type-filtering/test.yaml index 24dc33066..946b13038 100644 --- a/tests/dns-eve-type-filtering/test.yaml +++ b/tests/dns-eve-type-filtering/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 4.1 + min-version: 8 checks: @@ -15,12 +15,23 @@ checks: count: 4 match: event_type: "dns" + + # 2 should be DNS requests - filter: filename: only-a.json - count: 4 + count: 2 + match: + event_type: "dns" + dns.type: request + dns.queries[0].rrtype: "A" + + # 2 should be DNS responses + - filter: + filename: only-a.json + count: 2 match: event_type: "dns" - dns.rrtype: "A" + dns.answers[1].rrtype: "A" # Also check that the source and destination addresses and ports are # as expected. @@ -33,7 +44,7 @@ checks: src_port: 54888 dest_ip: "8.8.8.8" dest_port: 53 - dns.type: "query" + dns.type: "request" - filter: filename: only-a.json count: 1 @@ -43,7 +54,7 @@ checks: src_port: 54888 dest_ip: "8.8.8.8" dest_port: 53 - dns.type: "answer" + dns.type: "response" # Check that we only have A and AAAA requests. - filter: @@ -56,19 +67,19 @@ checks: count: 2 match: event_type: "dns" - dns.rrtype: "A" + dns.queries[0].rrtype: "A" - filter: filename: a-and-aaaa-requests-only.json count: 2 match: event_type: "dns" - dns.rrtype: "AAAA" + dns.queries[0].rrtype: "AAAA" - filter: filename: a-and-aaaa-requests-only.json count: 4 match: event_type: "dns" - dns.type: "query" + dns.type: "request" # Check that we only have 3 log entries, and that they are all MX # responses. 
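Review bot: In the only-a.json response check of dns-eve-type-filtering, `dns.answers[1].rrtype: "A"` asserts only the type of the second answer record, so the check depends on the order of the answer section in the pcap and no longer verifies what the type filter keys on. The request check in the same hunk matches on `dns.queries[0].rrtype: "A"`; for symmetry, and to pin that the filter selected A responses rather than a response that merely contains an A record somewhere, add `dns.queries[0].rrtype: "A"` to the response match as well (keeping the answers assertion if the second record being A is intentional). If answers[0] is deliberately expected to be a non-A record, a short comment such as `# answers[0] is the CNAME; the A record follows` would make the index choice understandable to the next reader.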
@@ -82,10 +93,10 @@ checks: count: 3 match: event_type: "dns" - dns.type: "answer" + dns.type: "response" - filter: filename: mx-responses-only.json count: 3 match: event_type: "dns" - dns.rrtype: "MX" + dns.queries[0].rrtype: "MX" diff --git a/tests/dns-eve/test.yaml b/tests/dns-eve/test.yaml index ef6d02622..d969acbae 100644 --- a/tests/dns-eve/test.yaml +++ b/tests/dns-eve/test.yaml @@ -1,13 +1,12 @@ requires: - features: - - HAVE_LIBJANSSON + min-version: 8 checks: - filter: count: 4 match: - dns.type: query + dns.type: request - filter: count: 4 match: - dns.type: answer + dns.type: response diff --git a/tests/dns-incomplete/test.yaml b/tests/dns-incomplete/test.yaml index 85a743807..2c3fb679a 100644 --- a/tests/dns-incomplete/test.yaml +++ b/tests/dns-incomplete/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 6.0 + min-version: 8 # disables checksum verification args: @@ -10,8 +10,8 @@ checks: count: 1 match: event_type: dns - dns.rrname: google.com - dns.type: query + dns.queries[0].rrname: google.com + dns.type: request - filter: count: 1 match: diff --git a/tests/dns-json-log/test.yaml b/tests/dns-json-log/test.yaml index bfafe7446..356210c9b 100644 --- a/tests/dns-json-log/test.yaml +++ b/tests/dns-json-log/test.yaml @@ -22,4 +22,4 @@ checks: filename: dns.json match: event_type: dns - dns.type: answer + dns.type: response diff --git a/tests/dns-reversed-tcp-1/test.yaml b/tests/dns-reversed-tcp-1/test.yaml index 025ebfcc0..abe2c0e9f 100644 --- a/tests/dns-reversed-tcp-1/test.yaml +++ b/tests/dns-reversed-tcp-1/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 5.0.0 + min-version: 8 args: - --set stream.midstream=true @@ -15,12 +15,12 @@ checks: count: 1 match: event_type: dns - dns.type: answer + dns.type: response - filter: count: 1 match: event_type: dns - dns.type: answer + dns.type: response src_ip: "10.16.1.11" dest_ip: "8.8.4.4" diff --git a/tests/dns-reversed-udp-1/test.yaml b/tests/dns-reversed-udp-1/test.yaml index 70875fa51..123d942df 100644 
--- a/tests/dns-reversed-udp-1/test.yaml +++ b/tests/dns-reversed-udp-1/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 5.0.0 + min-version: 8 args: - --set stream.midstream=true @@ -18,7 +18,7 @@ checks: count: 1 match: event_type: dns - dns.type: answer + dns.type: response dns.answers[0].rrtype: CNAME dns.answers[1].rrtype: A dns.answers[2].rrtype: A @@ -27,6 +27,6 @@ checks: count: 1 match: event_type: dns - dns.type: answer + dns.type: response src_ip: "10.16.1.11" dest_ip: "10.16.1.1" diff --git a/tests/dns-single-request/test.yaml b/tests/dns-single-request/test.yaml index a3a2cde7f..8a39d6163 100644 --- a/tests/dns-single-request/test.yaml +++ b/tests/dns-single-request/test.yaml @@ -1,15 +1,14 @@ -pcap: ../dns-single-request-v1/input.pcap - requires: - features: - - HAVE_LIBJANSSON + min-version: 8 + +pcap: ../dns-single-request-v1/input.pcap checks: - filter: count: 1 match: - dns.type: query + dns.type: request - filter: count: 1 match: - dns.type: answer + dns.type: response diff --git a/tests/dns-tcp-multirequest-buffer/test.yaml b/tests/dns-tcp-multirequest-buffer/test.yaml index 9bdb3c8b4..2e08d628a 100644 --- a/tests/dns-tcp-multirequest-buffer/test.yaml +++ b/tests/dns-tcp-multirequest-buffer/test.yaml @@ -1,13 +1,12 @@ requires: - features: - - HAVE_LIBJANSSON + min-version: 8 checks: - filter: count: 20 match: - dns.type: query + dns.type: request - filter: count: 20 match: - dns.type: answer + dns.type: response diff --git a/tests/dns-tcp-ts-gap/test.yaml b/tests/dns-tcp-ts-gap/test.yaml index 2a8791658..f7bb04c6a 100644 --- a/tests/dns-tcp-ts-gap/test.yaml +++ b/tests/dns-tcp-ts-gap/test.yaml @@ -1,18 +1,15 @@ requires: - # App-layer gap handling didn't happen until v4. - min-version: 4.0.0 - features: - - HAVE_LIBJANSSON + min-version: 8 checks: - filter: count: 2 match: event_type: dns - dns.type: query + dns.type: request - filter: count: 3 match: event_type: dns - dns.type: answer + dns.type: response dns.answers.__len: 12 
diff --git a/tests/dns-tcp-www-google-com/test.yaml b/tests/dns-tcp-www-google-com/test.yaml index 9dbe5d5bd..39d820df6 100644 --- a/tests/dns-tcp-www-google-com/test.yaml +++ b/tests/dns-tcp-www-google-com/test.yaml @@ -1,8 +1,7 @@ -pcap: ../dns-tcp-www-google-com-v1/dns.pcap - requires: - features: - - HAVE_LIBJANSSON + min-version: 8 + +pcap: ../dns-tcp-www-google-com-v1/dns.pcap checks: - filter: @@ -11,11 +10,11 @@ checks: src_ip: "10.16.1.11" dest_ip: "8.8.4.4" event_type: dns - dns.type: query + dns.type: request - filter: count: 1 match: src_ip: "10.16.1.11" dest_ip: "8.8.4.4" event_type: dns - dns.type: answer + dns.type: response diff --git a/tests/dns-udp-double-request-response/test.yaml b/tests/dns-udp-double-request-response/test.yaml index 5df0f6337..81e3e61d2 100644 --- a/tests/dns-udp-double-request-response/test.yaml +++ b/tests/dns-udp-double-request-response/test.yaml @@ -1,17 +1,16 @@ -pcap: ../dns-udp-double-request-response-v1/dns-udp-double-request-response.pcap - requires: - features: - - HAVE_LIBJANSSON + min-version: 8 + +pcap: ../dns-udp-double-request-response-v1/dns-udp-double-request-response.pcap checks: - filter: count: 2 match: event_type: dns - dns.type: query + dns.type: request - filter: count: 2 match: event_type: dns - dns.type: answer + dns.type: response diff --git a/tests/dns-udp-eve-log-aaaa-only/test.yaml b/tests/dns-udp-eve-log-aaaa-only/test.yaml index c20ca3273..84bbb95b5 100644 --- a/tests/dns-udp-eve-log-aaaa-only/test.yaml +++ b/tests/dns-udp-eve-log-aaaa-only/test.yaml 
@@ -1,21 +1,20 @@ -pcap: ../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap - requires: - features: - - HAVE_LIBJANSSON + min-version: 8 + +pcap: ../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap checks: - filter: count: 1 match: - dns.type: query - dns.rrtype: AAAA + dns.type: request + dns.queries[0].rrtype: AAAA - filter: count: 1 match: - dns.type: answer + dns.type: response dns.answers[0].rrtype: AAAA - filter: count: 0 match: - dns.rrtype: A + dns.queries[0].rrtype: A diff --git a/tests/dns-udp-eve-log-answer-only/test.yaml b/tests/dns-udp-eve-log-answer-only/test.yaml index f2cab03aa..f588c9346 100644 --- a/tests/dns-udp-eve-log-answer-only/test.yaml +++ b/tests/dns-udp-eve-log-answer-only/test.yaml @@ -1,16 +1,15 @@ -pcap: ../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap - requires: - features: - - HAVE_LIBJANSSON + min-version: 8 + +pcap: ../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap checks: - filter: count: 0 match: - dns.type: query + dns.type: request - filter: count: 3 match: - dns.type: answer + dns.type: response diff --git a/tests/dns-udp-eve-log-mx-only/test.yaml b/tests/dns-udp-eve-log-mx-only/test.yaml index 59f7ddb6d..95de024cd 100644 --- a/tests/dns-udp-eve-log-mx-only/test.yaml +++ b/tests/dns-udp-eve-log-mx-only/test.yaml @@ -1,25 +1,24 @@ -pcap: ../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap - requires: - features: - - HAVE_LIBJANSSON + min-version: 8 + +pcap: ../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap checks: - filter: count: 1 match: - dns.type: query - dns.rrtype: "MX" + dns.type: request + dns.queries[0].rrtype: "MX" - filter: count: 1 match: - dns.type: query + dns.type: request - filter: count: 1 match: - dns.type: answer + dns.type: response dns.answers[0].rrtype: "MX" - filter: count: 1 match: - dns.type: answer + dns.type: response 
diff --git a/tests/dns-udp-eve-log-query-only/test.yaml b/tests/dns-udp-eve-log-query-only/test.yaml index 7d00d3610..9ba0c09e9 100644 --- a/tests/dns-udp-eve-log-query-only/test.yaml +++ b/tests/dns-udp-eve-log-query-only/test.yaml @@ -1,14 +1,13 @@ -pcap: ../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap - requires: - features: - - HAVE_LIBJANSSON + min-version: 8 + +pcap: ../dns-udp-eve-log-query-only-v1/dns-udp-google.com-a-aaaa-mx.pcap checks: - filter: count: 3 match: - dns.type: query + dns.type: request - filter: count: 3 match: diff --git a/tests/dns-udp-eve-log-srv/test.yaml b/tests/dns-udp-eve-log-srv/test.yaml index a1791329a..3b9a0ca69 100644 --- a/tests/dns-udp-eve-log-srv/test.yaml +++ b/tests/dns-udp-eve-log-srv/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7 + min-version: 8 args: - -k none @@ -10,17 +10,17 @@ checks: count: 1 match: event_type: dns - dns.type: query - dns.rrname: _sip._udp.sip.voice.google.com - dns.rrtype: SRV + dns.type: request + dns.queries[0].rrname: _sip._udp.sip.voice.google.com + dns.queries[0].rrtype: SRV - filter: count: 1 match: event_type: dns - dns.type: answer - dns.rrname: _sip._udp.sip.voice.google.com - dns.rrtype: SRV + dns.type: response + dns.queries[0].rrname: _sip._udp.sip.voice.google.com + dns.queries[0].rrtype: SRV dns.rcode: NOERROR dns.answers[0].srv.priority: 20 dns.answers[0].srv.weight: 1 diff --git a/tests/dns-udp-eve-v2-dig/test.yaml b/tests/dns-udp-eve-v2-dig/test.yaml index 5f6dc7213..60a6c5745 100644 --- a/tests/dns-udp-eve-v2-dig/test.yaml +++ b/tests/dns-udp-eve-v2-dig/test.yaml @@ -1,3 +1,6 @@ +requires: + min-version: 8 + pcap: ../cond-log-dns-dig/input.pcap checks: @@ -11,10 +14,9 @@ checks: dest_ip: 10.16.1.1 dest_port: 53 dns.id: 36146 - dns.rrname: www.suricata-ids.org - dns.rrtype: A - dns.tx_id: 0 - dns.type: query + dns.queries[0].rrname: www.suricata-ids.org + dns.queries[0].rrtype: A + dns.type: request event_type: dns pcap_cnt: 1 proto: UDP 
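Review bot: The request match in dns-udp-eve-v2-dig drops `dns.tx_id: 0` without a replacement, while the other v3 request expectations in this patch (dns-udp-eve-v2-txt, dns-invalid-opcode and the bug-1158 hunks) keep `dns.tx_id`, so the transaction id is evidently still logged for requests. Unless the cond-log-dns-dig pcap has a reason for the id to differ, restoring `dns.tx_id: 0` next to `dns.type: request` keeps the check as strict as it was. Separately, the dns-udp-eve-v2-* directories now assert `dns.version: 3`; a one-line README note that the directory name is historical would save a reader from looking for a v2 configuration.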
@@ -46,10 +48,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: www.suricata-ids.org - dns.rrtype: A - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: www.suricata-ids.org + dns.queries[0].rrtype: A + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 2 proto: UDP diff --git a/tests/dns-udp-eve-v2-txt/test.yaml b/tests/dns-udp-eve-v2-txt/test.yaml index 5f7461fc7..24e825148 100644 --- a/tests/dns-udp-eve-v2-txt/test.yaml +++ b/tests/dns-udp-eve-v2-txt/test.yaml @@ -1,4 +1,5 @@ -# *** Add configuration here *** +requires: + min-version: 8 checks: - filter: @@ -7,10 +8,10 @@ checks: dest_ip: 10.16.1.1 dest_port: 53 dns.id: 39372 - dns.rrname: textsecure-service-ca.whispersystems.org - dns.rrtype: A dns.tx_id: 0 - dns.type: query + dns.type: request + dns.queries[0].rrname: textsecure-service-ca.whispersystems.org + dns.queries[0].rrtype: A event_type: dns pcap_cnt: 3 proto: UDP @@ -22,10 +23,10 @@ checks: dest_ip: 10.16.1.1 dest_port: 53 dns.id: 28243 - dns.rrname: google.com - dns.rrtype: TXT + dns.queries[0].rrname: google.com + dns.queries[0].rrtype: TXT dns.tx_id: 0 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 1 proto: UDP @@ -47,10 +48,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: textsecure-service-ca.whispersystems.org - dns.rrtype: A - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: textsecure-service-ca.whispersystems.org + dns.queries[0].rrtype: A + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 4 proto: UDP @@ -72,10 +73,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: google.com - dns.rrtype: TXT - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: google.com + dns.queries[0].rrtype: TXT + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 2 proto: UDP diff --git a/tests/dns-udp-junkrequest-first/test.yaml b/tests/dns-udp-junkrequest-first/test.yaml index f4860936b..268957a94 100644 
--- a/tests/dns-udp-junkrequest-first/test.yaml +++ b/tests/dns-udp-junkrequest-first/test.yaml @@ -1,7 +1,5 @@ requires: - min-version: 7 - features: - - HAVE_LIBJANSSON + min-version: 8 checks: @@ -10,8 +8,8 @@ checks: count: 1 match: event_type: dns - dns.type: query - dns.rrname: catenacyber.Fr + dns.type: request + dns.queries[0].rrname: catenacyber.Fr # Check that there is one flow event with DNS. - filter: count: 1 diff --git a/tests/dns-udp-null/test.yaml b/tests/dns-udp-null/test.yaml index 46ea076c4..d86af6459 100644 --- a/tests/dns-udp-null/test.yaml +++ b/tests/dns-udp-null/test.yaml @@ -1,18 +1,18 @@ requires: - min-version: 7 + min-version: 8 checks: - filter: count: 1 match: event_type: dns - dns.type: query - dns.rrtype: "NULL" + dns.type: request + dns.queries[0].rrtype: "NULL" - filter: count: 1 match: event_type: dns - dns.type: answer + dns.type: response dns.rcode: NOERROR - dns.rrtype: "NULL" + dns.queries[0].rrtype: "NULL" dns.answers[0].rdata: "VACKD\u0003\\xc5\\xe9\u0001" diff --git a/tests/dns-udp-unsolicited-response/test.yaml b/tests/dns-udp-unsolicited-response/test.yaml index 0c6222324..c669e1d8d 100644 --- a/tests/dns-udp-unsolicited-response/test.yaml +++ b/tests/dns-udp-unsolicited-response/test.yaml @@ -1,3 +1,6 @@ +requires: + min-version: 8 + pcap: ../dns-udp-unsolicited-response-v1/dns-response-2x.pcap checks: @@ -5,9 +8,9 @@ checks: count: 1 match: event_type: dns - dns.type: query + dns.type: request - filter: count: 2 match: event_type: dns - dns.type: answer + dns.type: response diff --git a/tests/dns-z-bit/test.yaml b/tests/dns-z-bit/test.yaml index bb5c377dd..1332fde69 100644 --- a/tests/dns-z-bit/test.yaml +++ b/tests/dns-z-bit/test.yaml @@ -1,3 +1,6 @@ +requires: + min-version: 8 + args: - -k none 
@@ -6,14 +9,14 @@ checks: count: 1 match: event_type: dns - dns.type: query + dns.type: request dns.z: true - filter: count: 1 match: event_type: alert alert.signature_id: 2240006 - dns.query[0].z: true + dns.z: true - filter: count: 1 match: @@ -30,10 +33,10 @@ checks: dns.ra: true dns.rcode: NOERROR dns.rd: true - dns.rrname: www.google.com - dns.rrtype: A - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: www.google.com + dns.queries[0].rrtype: A + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 2 proto: UDP diff --git a/tests/dns/dns-invalid-opcode/test.yaml b/tests/dns/dns-invalid-opcode/test.yaml index de64bae65..8983dc93e 100644 --- a/tests/dns/dns-invalid-opcode/test.yaml +++ b/tests/dns/dns-invalid-opcode/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7 + min-version: 8 args: - -k none @@ -11,14 +11,14 @@ checks: count: 1 match: event_type: dns - dns.type: query + dns.type: request # Simple check for one answer. - filter: count: 1 match: event_type: dns - dns.type: answer + dns.type: response # One alert in to_server direction. - filter: @@ -50,12 +50,11 @@ checks: dest_ip: 2.2.2.2 dest_port: 53 direction: to_server - dns.query[0].id: 1 - dns.query[0].opcode: 9 - dns.query[0].rrname: suricata.io - dns.query[0].rrtype: A - dns.query[0].tx_id: 0 - dns.query[0].type: query + dns.id: 1 + dns.opcode: 9 + dns.queries[0].rrname: suricata.io + dns.queries[0].rrtype: A + dns.tx_id: 0 event_type: alert flow.bytes_toclient: 0 flow.bytes_toserver: 71 @@ -94,10 +93,10 @@ checks: dest_port: 53 dns.id: 1 dns.opcode: 9 - dns.rrname: suricata.io - dns.rrtype: A + dns.queries[0].rrname: suricata.io + dns.queries[0].rrtype: A dns.tx_id: 0 - dns.type: query + dns.type: request event_type: dns pcap_cnt: 1 pkt_src: wire/pcap 
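Review bot: The to_server alert match in dns-invalid-opcode drops `dns.query[0].type: query` without a v3 equivalent, whereas the to_client alert in the following hunk asserts `dns.type: response` and `dns.version: 3`, and the plain dns event for this same request asserts `dns.type: request`. If the v3 alert-embedded dns object carries the type for requests too, adding `dns.type: request` beside `dns.tx_id: 0` keeps the two alert checks symmetric and pins that the opcode-9 packet is classified as a request; if it does not, a short comment explaining the asymmetry would help. The rule and pcap are outside this diff, so this is a consistency observation rather than a known failure.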
@@ -118,15 +117,15 @@ checks: dest_ip: 1.1.1.1 dest_port: 5333 direction: to_client - dns.answer.flags: c800 - dns.answer.id: 1 - dns.answer.opcode: 9 - dns.answer.qr: true - dns.answer.rcode: NOERROR - dns.answer.rrname: suricata.io - dns.answer.rrtype: A - dns.answer.type: answer - dns.answer.version: 2 + dns.flags: c800 + dns.id: 1 + dns.opcode: 9 + dns.qr: true + dns.rcode: NOERROR + dns.queries[0].rrname: suricata.io + dns.queries[0].rrtype: A + dns.type: response + dns.version: 3 event_type: alert flow.bytes_toclient: 98 flow.bytes_toserver: 71 @@ -173,10 +172,10 @@ checks: dns.opcode: 9 dns.qr: true dns.rcode: NOERROR - dns.rrname: suricata.io - dns.rrtype: A - dns.type: answer - dns.version: 2 + dns.queries[0].rrname: suricata.io + dns.queries[0].rrtype: A + dns.type: response + dns.version: 3 event_type: dns pcap_cnt: 2 pkt_src: wire/pcap diff --git a/tests/dns/dns-rcode/test.yaml b/tests/dns/dns-rcode/test.yaml index 412f042e3..c07a83661 100644 --- a/tests/dns/dns-rcode/test.yaml +++ b/tests/dns/dns-rcode/test.yaml @@ -11,7 +11,7 @@ checks: direction: to_client app_proto: dns event_type: alert - dns.answer.rcode: NXDOMAIN + dns.rcode: NXDOMAIN src_ip: 8.8.4.4 src_port: 53 - filter: @@ -23,7 +23,7 @@ checks: direction: to_client app_proto: dns event_type: alert - dns.answer.rcode: NXDOMAIN + dns.rcode: NXDOMAIN src_ip: 8.8.4.4 src_port: 53 - filter: diff --git a/tests/dns/dns-rrtype/test.yaml b/tests/dns/dns-rrtype/test.yaml index ca8b156f0..66ba5ad11 100644 --- a/tests/dns/dns-rrtype/test.yaml +++ b/tests/dns/dns-rrtype/test.yaml @@ -13,7 +13,7 @@ checks: direction: to_server app_proto: dns event_type: alert - dns.query[0].rrtype: A + dns.queries[0].rrtype: A src_ip: 10.16.1.11 src_port: 57634 - filter: @@ -25,7 +25,7 @@ checks: direction: to_client app_proto: dns event_type: alert - dns.answer.rrtype: A + dns.queries[0].rrtype: A src_ip: 10.16.1.1 src_port: 53 - filter: 
@@ -37,6 +37,6 @@ checks: direction: to_client app_proto: dns event_type: alert - dns.answer.rrtype: A + dns.queries[0].rrtype: A src_ip: 10.16.1.1 src_port: 53 diff --git a/tests/dns/dns-udp-additionals-cookie/test.yaml b/tests/dns/dns-udp-additionals-cookie/test.yaml index 75f2b4e58..824f73ec9 100644 --- a/tests/dns/dns-udp-additionals-cookie/test.yaml +++ b/tests/dns/dns-udp-additionals-cookie/test.yaml @@ -9,17 +9,17 @@ checks: count: 1 match: event_type: dns - dns.type: query - dns.rrname: google.com - dns.rrtype: NS + dns.type: request + dns.queries[0].rrname: google.com + dns.queries[0].rrtype: NS - filter: count: 1 match: event_type: dns - dns.type: answer - dns.rrname: google.com - dns.rrtype: NS + dns.type: response dns.rcode: NOERROR + dns.queries[0].rrname: google.com + dns.queries[0].rrtype: NS dns.answers[0].rrname: google.com dns.answers[0].rrtype: NS dns.answers[0].ttl: 172724 @@ -79,4 +79,4 @@ checks: dns.additionals[8].opt.__len: 1 dns.additionals[8].opt[0].code: 10 dns.additionals[8].opt[0].data: 9a47b8a2680f91b5f046051d665e230713b1994a6df10ad5 - \ No newline at end of file + diff --git a/tests/dns/dns-udp-additionals/test.yaml b/tests/dns/dns-udp-additionals/test.yaml index 76cd6bb59..c3a422344 100644 --- a/tests/dns/dns-udp-additionals/test.yaml +++ b/tests/dns/dns-udp-additionals/test.yaml @@ -9,17 +9,17 @@ checks: count: 1 match: event_type: dns - dns.type: query - dns.rrname: google.com - dns.rrtype: NS + dns.type: request + dns.queries[0].rrname: google.com + dns.queries[0].rrtype: NS - filter: count: 1 match: event_type: dns - dns.type: answer - dns.rrname: google.com - dns.rrtype: NS + dns.type: response dns.rcode: NOERROR + dns.queries[0].rrname: google.com + dns.queries[0].rrtype: NS dns.answers[0].rrname: google.com dns.answers[0].rrtype: NS dns.answers[0].ttl: 172761 
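Review bot: In dns-rrtype the to_client alert checks replace `dns.answer.rrtype: A` with `dns.queries[0].rrtype: A`, which in a response is the echoed question type, so the response-direction checks no longer verify that an A answer record was logged. If the rule under test is expected to match on answer records (the rules file is not in this diff), assert the answer section as dns-reversed-udp-1 does, e.g. `dns.answers[0].rrtype: A`, alone or alongside the queries check; otherwise a regression that logs responses with the wrong answer rrtype would still pass. The to_server check in the -13 hunk of the same file correctly keeps the query-side assertion.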
@@ -73,4 +73,4 @@ checks: dns.additionals[7].rrtype: AAAA dns.additionals[7].ttl: 172761 dns.additionals[7].rdata: 2001:4860:4802:0038:0000:0000:0000:000a - \ No newline at end of file + diff --git a/tests/ethernet-eve/test.yaml b/tests/ethernet-eve/test.yaml index 5c5b50e59..dded96f2a 100644 --- a/tests/ethernet-eve/test.yaml +++ b/tests/ethernet-eve/test.yaml @@ -11,21 +11,21 @@ checks: event_type: dns src_ip: 10.16.1.11 ether.src_mac: d8:cb:8a:ed:a1:46 - dns.type: query + dns.type: request - filter: count: 5 match: event_type: dns src_ip: 10.16.1.11 ether.src_mac: d8:cb:8a:ed:a1:46 - dns.type: answer + dns.type: response - filter: count: 0 match: event_type: dns src_ip: 10.16.1.11 ether.dest_mac: d8:cb:8a:ed:a1:46 - dns.type: answer + dns.type: response - filter: count: 5 match: @@ -75,4 +75,3 @@ checks: event_type: fileinfo dest_ip: 192.168.118.10 ether.dest_mac: 00:11:2f:8f:a0:76 - diff --git a/tests/vxlan-decoder-03/test.yaml b/tests/vxlan-decoder-03/test.yaml index d8b017df3..12a4fa53b 100644 --- a/tests/vxlan-decoder-03/test.yaml +++ b/tests/vxlan-decoder-03/test.yaml @@ -1,7 +1,6 @@ requires: - features: - - HAVE_LIBJANSSON - - RUST + min-version: 8 + args: - --set decoder.vxlan.enabled=true @@ -25,7 +24,14 @@ checks: app_proto: ntp dest_port: 123 - filter: - count: 8 + count: 4 + match: + event_type: dns + dns.type: request + dns.queries[0].rrname: "ec2-18-196-145-224.eu-central-1.compute.amazonaws.com" + - filter: + count: 4 match: event_type: dns - dns.rrname: "ec2-18-196-145-224.eu-central-1.compute.amazonaws.com" + dns.type: response + dns.queries[0].rrname: "ec2-18-196-145-224.eu-central-1.compute.amazonaws.com" From 67a6569147d99c798aae725639c1e576b7e55991 Mon Sep 17 00:00:00 2001 
From: Jason Ish Date: Mon, 10 Jun 2024 14:05:47 -0600 Subject: [PATCH 4/5] tests: remove tests for versions less than 6 --- tests/7.0/dns-json-log/expected/dns.json | 9 --- tests/7.0/dns-json-log/suricata.yaml | 8 -- tests/7.0/dns-json-log/test.yaml | 25 ------- tests/bug-4953/test.yaml | 10 --- tests/decode-erspan-typeI-03/README.md | 1 - tests/decode-erspan-typeI-03/test.yaml | 20 ----- tests/dhcp-eve-extended-pre-6/suricata.yaml | 11 --- tests/dhcp-eve-extended-pre-6/test.yaml | 74 ------------------- tests/dns-json-log/expected/dns.json | 9 --- tests/dns-json-log/suricata.yaml | 8 -- tests/dns-json-log/test.yaml | 25 ------- tests/filestore-v1-stream-depth/suricata.yaml | 23 ------ tests/filestore-v1-stream-depth/test.rules | 1 - tests/filestore-v1-stream-depth/test.yaml | 19 ----- tests/test-bad-byte-extract-rule-3/eve.json | 40 ---------- .../suricata.yaml | 10 --- tests/test-bad-byte-extract-rule-3/test.rules | 1 - tests/test-bad-byte-extract-rule-3/test.yaml | 24 ------ 18 files changed, 318 deletions(-) delete mode 100644 tests/7.0/dns-json-log/expected/dns.json delete mode 100644 tests/7.0/dns-json-log/suricata.yaml delete mode 100644 tests/7.0/dns-json-log/test.yaml delete mode 100644 tests/decode-erspan-typeI-03/README.md delete mode 100644 tests/decode-erspan-typeI-03/test.yaml delete mode 100644 tests/dhcp-eve-extended-pre-6/suricata.yaml delete mode 100644 tests/dhcp-eve-extended-pre-6/test.yaml delete mode 100644 tests/dns-json-log/expected/dns.json delete mode 100644 tests/dns-json-log/suricata.yaml delete mode 100644 tests/dns-json-log/test.yaml delete mode 100644 tests/filestore-v1-stream-depth/suricata.yaml delete mode 100644 tests/filestore-v1-stream-depth/test.rules delete mode 100644 tests/filestore-v1-stream-depth/test.yaml delete mode 100644 tests/test-bad-byte-extract-rule-3/eve.json delete mode 100644 tests/test-bad-byte-extract-rule-3/suricata.yaml delete mode 100644 tests/test-bad-byte-extract-rule-3/test.rules delete mode 100644 
tests/test-bad-byte-extract-rule-3/test.yaml diff --git a/tests/7.0/dns-json-log/expected/dns.json b/tests/7.0/dns-json-log/expected/dns.json deleted file mode 100644 index afec32e8f..000000000 --- a/tests/7.0/dns-json-log/expected/dns.json +++ /dev/null 
@@ -1,9 +0,0 @@
-{"timestamp":"2016-05-24T23:27:01.960780+0000","flow_id":15684738590988,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":53679,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39339,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:02.333141+0000","flow_id":15684738590988,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":53679,"proto":"UDP","dns":{"type":"answer","id":39339,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":47,"rdata":"52.85.112.21"}}
-{"timestamp":"2016-05-24T23:27:02.832606+0000","flow_id":542660046009438,"pcap_cnt":3,"event_type":"dns","src_ip":"10.16.1.11","src_port":49697,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3407,"rrname":"block.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.085375+0000","flow_id":1585332076629375,"pcap_cnt":4,"event_type":"dns","src_ip":"10.16.1.11","src_port":33458,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44779,"rrname":"codemonkey.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.dropbox.com","rrtype":"CNAME","ttl":9,"rdata":"block.g1.dropbox.com"}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.g1.dropbox.com","rrtype":"A","ttl":8,"rdata":"45.58.70.33"}}
-{"timestamp":"2016-05-24T23:27:03.493333+0000","flow_id":1585332076629375,"pcap_cnt":6,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":33458,"proto":"UDP","dns":{"type":"answer","id":44779,"rcode":"NOERROR","rrname":"codemonkey.net","rrtype":"A","ttl":435,"rdata":"104.131.202.103"}}
-{"timestamp":"2016-05-24T23:27:04.653864+0000","flow_id":848126710184488,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":57634,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14681,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:04.654238+0000","flow_id":848126710184488,"pcap_cnt":8,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":57634,"proto":"UDP","dns":{"type":"answer","id":14681,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":45,"rdata":"52.85.112.21"}}
diff --git a/tests/7.0/dns-json-log/suricata.yaml b/tests/7.0/dns-json-log/suricata.yaml
deleted file mode 100644
index 4daa2b75f..000000000
--- a/tests/7.0/dns-json-log/suricata.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-%YAML 1.1
----
-
-outputs:
- - dns-json-log:
- version: 1
- enabled: yes
- filename: dns.json
diff --git a/tests/7.0/dns-json-log/test.yaml b/tests/7.0/dns-json-log/test.yaml
deleted file mode 100644
index 8bea7cd6e..000000000
--- a/tests/7.0/dns-json-log/test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-pcap: ../../dns-eve/input.pcap
-
-requires:
- lt-version: 6
- features:
- - HAVE_LIBJANSSON
-
-checks:
- - filter:
- count: 9
- filename: dns.json
- match:
- event_type: dns
- - filter:
- count: 4
- filename: dns.json
- match:
- event_type: dns
- dns.type: query
- - filter:
- count: 5
- filename: dns.json
- match:
- event_type: dns
- dns.type: answer
diff --git a/tests/bug-4953/test.yaml b/tests/bug-4953/test.yaml
index 9e4577edc..761f6cea8 100644
--- a/tests/bug-4953/test.yaml
+++ b/tests/bug-4953/test.yaml
@@ -16,16 +16,6 @@ checks:
fileinfo.gaps: true
fileinfo.state: TRUNCATED
fileinfo.size: 137708
- - filter:
- requires:
- lt-version: 6
- count: 1
- match:
- event_type: fileinfo
- fileinfo.filename: "/IEyF/EN3GUkgHakZ3iVe/YBqssWlF8iWaHTr/"
- fileinfo.gaps: false
- fileinfo.state: TRUNCATED
- fileinfo.size: 1176
- filter:
count: 1
match:
diff --git a/tests/decode-erspan-typeI-03/README.md b/tests/decode-erspan-typeI-03/README.md
deleted file mode 100644
index 18aaf211d..000000000
--- a/tests/decode-erspan-typeI-03/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Ensure ERSPAN Type I packets are decoded when configured
diff --git a/tests/decode-erspan-typeI-03/test.yaml b/tests/decode-erspan-typeI-03/test.yaml
deleted file mode 100644
index 17aee506c..000000000
--- a/tests/decode-erspan-typeI-03/test.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-pcap: ../decode-erspan-typeI-02/input.pcap
-
-requires:
-
- min-version: 5
- lt-version: 6
-
-
-args:
- - --set decoder.erspan.typeI.enabled=false
-
-checks:
-
- - filter:
- count: 0
- match:
- event_type: flow
-
- - stats:
- decoder.erspan: 0
diff --git a/tests/dhcp-eve-extended-pre-6/suricata.yaml b/tests/dhcp-eve-extended-pre-6/suricata.yaml
deleted file mode 100644
index 7f2fafa63..000000000
--- a/tests/dhcp-eve-extended-pre-6/suricata.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-%YAML 1.1
----
-
-outputs:
- - eve-log:
- enabled: true
- filename: eve.json
- types:
- - dhcp:
- extended: true
- - flow
diff --git a/tests/dhcp-eve-extended-pre-6/test.yaml b/tests/dhcp-eve-extended-pre-6/test.yaml
deleted file mode 100644
index 0220ccba3..000000000
--- a/tests/dhcp-eve-extended-pre-6/test.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-pcap: ../dhcp-eve-extended/input.pcap
-
-requires:
- lt-version: 6.0.0
- features:
- - HAVE_LIBJANSSON
- - RUST
-
-checks:
-- filter:
- count: 1
- match:
- dest_ip: 10.16.1.1
- dest_port: 67
- dhcp.assigned_ip: 0.0.0.0
- dhcp.client_id: 00:11:32:17:49:f0
- dhcp.client_ip: 10.16.1.4
- dhcp.client_mac: 00:11:32:17:49:f0
- dhcp.dhcp_type: request
- dhcp.hostname: nas1\x00
- dhcp.id: 4016330564
- dhcp.params[0]: subnet_mask
- dhcp.params[1]: router
- dhcp.params[2]: domain
- dhcp.params[3]: dns_server
- dhcp.type: request
- event_type: dhcp
- pcap_cnt: 1
- proto: UDP
- src_ip: 10.16.1.4
- src_port: 68
-- filter:
- count: 1
- match:
- dest_ip: 10.16.1.4
- dest_port: 68
- dhcp.assigned_ip: 10.16.1.4
- dhcp.client_ip: 10.16.1.4
- dhcp.client_mac: 00:11:32:17:49:f0
- dhcp.dhcp_type: ack
- dhcp.dns_servers[0]: 10.16.1.1
- dhcp.hostname: nas1\x00
- dhcp.id: 4016330564
- dhcp.lease_time: 3600
- dhcp.next_server_ip: 10.16.1.1
- dhcp.rebinding_time: 3031
- dhcp.relay_ip: 0.0.0.0
- dhcp.renewal_time: 1681
- dhcp.routers[0]: 10.16.1.1
- dhcp.subnet_mask: 255.255.0.0
- dhcp.type: reply
- event_type: dhcp
- pcap_cnt: 2
- proto: UDP
- src_ip: 10.16.1.1
- src_port: 67
-- filter:
- count: 1
- match:
- app_proto: dhcp
- dest_ip: 10.16.1.1
- dest_port: 67
- event_type: flow
- flow.age: 0
- flow.alerted: false
- flow.bytes_toclient: 350
- flow.bytes_toserver: 342
- flow.pkts_toclient: 1
- flow.pkts_toserver: 1
- flow.reason: shutdown
- flow.state: established
- proto: UDP
- src_ip: 10.16.1.4
- src_port: 68
diff --git a/tests/dns-json-log/expected/dns.json b/tests/dns-json-log/expected/dns.json
deleted file mode 100644
index afec32e8f..000000000
--- a/tests/dns-json-log/expected/dns.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{"timestamp":"2016-05-24T23:27:01.960780+0000","flow_id":15684738590988,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":53679,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39339,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:02.333141+0000","flow_id":15684738590988,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":53679,"proto":"UDP","dns":{"type":"answer","id":39339,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":47,"rdata":"52.85.112.21"}}
-{"timestamp":"2016-05-24T23:27:02.832606+0000","flow_id":542660046009438,"pcap_cnt":3,"event_type":"dns","src_ip":"10.16.1.11","src_port":49697,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3407,"rrname":"block.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.085375+0000","flow_id":1585332076629375,"pcap_cnt":4,"event_type":"dns","src_ip":"10.16.1.11","src_port":33458,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44779,"rrname":"codemonkey.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.dropbox.com","rrtype":"CNAME","ttl":9,"rdata":"block.g1.dropbox.com"}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.g1.dropbox.com","rrtype":"A","ttl":8,"rdata":"45.58.70.33"}}
-{"timestamp":"2016-05-24T23:27:03.493333+0000","flow_id":1585332076629375,"pcap_cnt":6,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":33458,"proto":"UDP","dns":{"type":"answer","id":44779,"rcode":"NOERROR","rrname":"codemonkey.net","rrtype":"A","ttl":435,"rdata":"104.131.202.103"}}
-{"timestamp":"2016-05-24T23:27:04.653864+0000","flow_id":848126710184488,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":57634,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14681,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:04.654238+0000","flow_id":848126710184488,"pcap_cnt":8,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":57634,"proto":"UDP","dns":{"type":"answer","id":14681,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":45,"rdata":"52.85.112.21"}}
diff --git a/tests/dns-json-log/suricata.yaml b/tests/dns-json-log/suricata.yaml
deleted file mode 100644
index 4daa2b75f..000000000
--- a/tests/dns-json-log/suricata.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-%YAML 1.1
----
-
-outputs:
- - dns-json-log:
- version: 1
- enabled: yes
- filename: dns.json
diff --git a/tests/dns-json-log/test.yaml b/tests/dns-json-log/test.yaml
deleted file mode 100644
index 356210c9b..000000000
--- a/tests/dns-json-log/test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-pcap: ../dns-eve/input.pcap
-
-requires:
- lt-version: 6
- features:
- - HAVE_LIBJANSSON
-
-checks:
- - filter:
- count: 9
- filename: dns.json
- match:
- event_type: dns
- - filter:
- count: 4
- filename: dns.json
- match:
- event_type: dns
- dns.type: query
- - filter:
- count: 5
- filename: dns.json
- match:
- event_type: dns
- dns.type: response
diff --git a/tests/filestore-v1-stream-depth/suricata.yaml b/tests/filestore-v1-stream-depth/suricata.yaml
deleted file mode 100644
index 7e3cc1577..000000000
--- a/tests/filestore-v1-stream-depth/suricata.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-%YAML 1.1
----
-
-outputs:
- - eve-log:
- enabled: yes
- types:
- - files
- - stats
- - file-store:
- version: 1
- enabled: yes
- force-filestore: yes
- stream-depth: 0
-
-app-layer:
- protocols:
- http:
- enabled: yes
- libhtp:
- default-config:
- personality: IDS
- response-body-limit: 100kb
diff --git a/tests/filestore-v1-stream-depth/test.rules b/tests/filestore-v1-stream-depth/test.rules
deleted file mode 100644
index 582397ffc..000000000
--- a/tests/filestore-v1-stream-depth/test.rules
+++ /dev/null
@@ -1 +0,0 @@
-alert http any any -> any any (filestore; sid:1; rev:1;)
diff --git a/tests/filestore-v1-stream-depth/test.yaml b/tests/filestore-v1-stream-depth/test.yaml
deleted file mode 100644
index 3fe361b0e..000000000
--- a/tests/filestore-v1-stream-depth/test.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-requires:
- features:
- - HAVE_LIBJANSSON
- min-version: 5.0.0
- lt-version: 6
-
-args:
- - -k none
-
-pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap
-
-checks:
-
- - filter:
- count: 1
- match:
- event_type: fileinfo
- fileinfo.state: "CLOSED"
- fileinfo.stored: true
diff --git a/tests/test-bad-byte-extract-rule-3/eve.json b/tests/test-bad-byte-extract-rule-3/eve.json
deleted file mode 100644
index aa71d9143..000000000
--- a/tests/test-bad-byte-extract-rule-3/eve.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{"timestamp":"2020-06-07T21:15:31.170962+0000","log_level":"Notice","event_type":"engine","engine":{"message":"This is Suricata version 4.1.0-dev (rev 32990c9ad)"}}
-{"timestamp":"2020-06-07T21:15:31.171398+0000","log_level":"Info","event_type":"engine","engine":{"message":"CPUs\/cores online: 2"}}
-{"timestamp":"2020-06-07T21:15:31.179917+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":307,"error":"SC_ERR_SMB_CONFIG","message":"no SMB TCP config found, enabling SMB detection on port 445."}}
-{"timestamp":"2020-06-07T21:15:31.183113+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":240,"error":"SC_ERR_DNS_CONFIG","message":"no DNS UDP config found, enabling DNS detection on port 53."}}
-{"timestamp":"2020-06-07T21:15:31.183282+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":240,"error":"SC_ERR_DNS_CONFIG","message":"no DNS TCP config found, enabling DNS detection on port 53."}}
-{"timestamp":"2020-06-07T21:15:31.197576+0000","log_level":"Info","event_type":"engine","engine":{"message":"No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'"}}
-{"timestamp":"2020-06-07T21:15:31.219781+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":261,"error":"SC_WARN_NO_STATS_LOGGERS","message":"stats are enabled but no loggers are active"}}
-{"timestamp":"2020-06-07T21:15:31.220772+0000","log_level":"Info","event_type":"engine","engine":{"message":"Added \"42\" classification types from the classification file"}}
-{"timestamp":"2020-06-07T21:15:31.220967+0000","log_level":"Info","event_type":"engine","engine":{"message":"Added \"19\" reference types from the reference.config file"}}
-{"timestamp":"2020-06-07T21:15:31.221365+0000","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"unknown byte_extract var seen in depth - d\n"}}
-{"timestamp":"2020-06-07T21:15:31.221461+0000","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"error parsing signature \"alert tcp any any -> any any (msg:\"Byte_Extract Example Using depth\"; content:\"Alice\"; depth:d; byte_extract:2,1,size; content:\"Bob\"; sid:1111;)\" from file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/test.rules at line 1"}}
-{"timestamp":"2020-06-07T21:15:31.221578+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"1 rule files specified, but no rule was loaded at all!"}}
-{"timestamp":"2020-06-07T21:15:31.221749+0000","log_level":"Info","event_type":"engine","engine":{"message":"Threshold config parsed: 0 rule(s) found"}}
-{"timestamp":"2020-06-07T21:15:31.222071+0000","log_level":"Info","event_type":"engine","engine":{"message":"0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only"}}
-{"timestamp":"2020-06-07T21:15:31.227159+0000","log_level":"Info","event_type":"engine","engine":{"message":"Checking file or directory \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/"}}
-{"timestamp":"2020-06-07T21:15:31.227479+0000","log_level":"Info","event_type":"engine","engine":{"message":"Argument \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/ was a directory"}}
-{"timestamp":"2020-06-07T21:15:31.253874+0000","log_level":"Notice","event_type":"engine","engine":{"message":"all 3 packet processing threads, 2 management threads initialized, engine started."}}
-{"timestamp":"2020-06-07T21:15:31.254027+0000","log_level":"Info","event_type":"engine","engine":{"message":"Starting directory run for \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/"}}
-{"timestamp":"2020-06-07T21:15:31.254116+0000","log_level":"Info","event_type":"engine","engine":{"message":"Processing pcaps directory \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/, files must be newer than 0 and older than 18446744073709550616"}}
-{"timestamp":"2020-06-07T21:15:31.254266+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/eve.json\" at 1591564531251"}}
-{"timestamp":"2020-06-07T21:15:31.254327+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.yaml\" at 1591564527947"}}
-{"timestamp":"2020-06-07T21:15:31.254369+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/.test.yaml.swp\" at 1591564527951"}}
-{"timestamp":"2020-06-07T21:15:31.254426+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/suricata.yaml\" at 1562592701002"}}
-{"timestamp":"2020-06-07T21:15:31.254468+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.rules\" at 1562592701002"}}
-{"timestamp":"2020-06-07T21:15:31.254636+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.254687+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/suricata.yaml, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.254779+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.254807+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.rules, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.254869+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.254896+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.yaml, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.254956+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.254984+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/.test.yaml.swp, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.255056+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.255096+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/eve.json, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.255127+0000","log_level":"Info","event_type":"engine","engine":{"message":"Directory run mode 
complete"}}
-{"timestamp":"2020-06-07T21:15:31.264063+0000","log_level":"Notice","event_type":"engine","engine":{"message":"Signal Received. Stopping engine."}}
-{"timestamp":"2020-06-07T21:15:31.279036+0000","log_level":"Info","event_type":"engine","engine":{"message":"time elapsed 0.056s"}}
-{"timestamp":"2020-06-07T21:15:31.286147+0000","log_level":"Notice","event_type":"engine","engine":{"message":"Pcap-file module read 0 files, 0 packets, 0 bytes"}}
-{"timestamp":"2020-06-07T21:15:31.288407+0000","log_level":"Info","event_type":"engine","engine":{"message":"Alerts: 0"}}
-{"timestamp":"2020-06-07T21:15:31.302139+0000","log_level":"Info","event_type":"engine","engine":{"message":"cleaning up signature grouping structure... complete"}}
diff --git a/tests/test-bad-byte-extract-rule-3/suricata.yaml b/tests/test-bad-byte-extract-rule-3/suricata.yaml
deleted file mode 100644
index dcaae57fe..000000000
--- a/tests/test-bad-byte-extract-rule-3/suricata.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-%YAML 1.1
----
-
-logging:
- default-log-level: info
- outputs:
- - file:
- enabled: yes
- filename: eve.json
- type: json
diff --git a/tests/test-bad-byte-extract-rule-3/test.rules b/tests/test-bad-byte-extract-rule-3/test.rules
deleted file mode 100644
index ede658126..000000000
--- a/tests/test-bad-byte-extract-rule-3/test.rules
+++ /dev/null
@@ -1 +0,0 @@
-alert tcp any any -> any any (msg:"Byte_Extract Example Using depth"; content:"Alice"; depth:d; byte_extract:2,1,size; content:"Bob"; sid:1111;)
diff --git a/tests/test-bad-byte-extract-rule-3/test.yaml b/tests/test-bad-byte-extract-rule-3/test.yaml
deleted file mode 100644
index b432da4c4..000000000
--- a/tests/test-bad-byte-extract-rule-3/test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-requires:
- version: 5
- lt-version: 6
-
- features:
- - HAVE_LIBJANSSON
-
-command: |
- ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
-
-checks:
- # check that we have the following entries in eve.json
- # match 1 specific rule load failure reason
- - filter:
- count: 1
- match:
- event_type: engine
- engine.message: "unknown byte_extract var seen in depth - d."
-
- - filter:
- count: 1
- match:
- event_type: engine
- engine.error: "SC_ERR_NO_RULES_LOADED"
From 3931ca06f3bd6dd1562c65666efaa14ed857fdc7 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 13 Jun 2024 14:06:06 -0600
Subject: [PATCH 5/5] test: add test for answers in dns request
The pcap for dns-opcode being a zone update also has answers in its request. Add a test to make sure they are logged in Suricata 8. Related ticket: https://redmine.openinfosecfoundation.org/issues/7011
---
tests/dns-opcode/test.yaml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tests/dns-opcode/test.yaml b/tests/dns-opcode/test.yaml
index a1f6fb1cd..da2ad37e2 100644
--- a/tests/dns-opcode/test.yaml
+++ b/tests/dns-opcode/test.yaml
@@ -19,3 +19,14 @@ checks:
count: 2
match:
event_type: alert
+
+ # This PCAP being a zone change has a request with answers in it.
+ - filter:
+ requires:
+ min-version: 8
+ count: 1
+ match:
+ pcap_cnt: 1
+ event_type: "dns"
+ dns.type: "request"
+ dns.answers[0].rrname: "bortzmeyer.42"
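Review bot: The added filter in tests/dns-opcode/test.yaml asserts only `dns.answers[0].rrname`, so a build that logs the answer's name but renders its type or data incorrectly would still pass, and this filter is the sole coverage of the Suricata 8 answers-in-request logging the commit message describes. Pinning the record's `dns.answers[0].rrtype` and `dns.answers[0].rdata` from the pcap as well (e.g. `dns.answers[0].rrtype: "<rrtype taken from the pcap>"`) would make the check reject a partially rendered record. The comment would also be more useful if it named the reason for the version floor, e.g. `# Answers carried in this zone-update request are only logged from Suricata 8 (redmine #7011).`. The `checks:` list this entry extends begins outside the hunk.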