tests/dns: add tests for task 7018

Also related to
Bug #7004

tests/dns/task-7018-dns-ids-stream-rule/README.md

@@ -0,0 +1,25 @@
+# Test Description
+
+Test earlier alert matches after trigger raw stream reassembly when there's a
+completed DNS TCP transaction.
+
+## PCAP
+
+dns-tcp-multi.pcap, crafted for this test, shared in the Redmine ticket.
+
+## Behavior
+
+The capture shows three request-response DNS transactions:
+Query 1: suricata.io
+Query 2: oisf.net
+Query 3: suricata.org
+
+We match those against a single payload rule without any DNS keywords,
+and inspecting content `suricata|02|`. Ideally, the expectation is to have 2 alerts,
+for the portion of the stream associated with Query 1 - that's because on the
+wire we observe that for Query three the content is `suricata|03|`.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7018
+https://redmine.openinfosecfoundation.org/issues/7004

tests/dns/task-7018-dns-ids-stream-rule/test.rules

@@ -0,0 +1,3 @@
+# This rule will only match on the first DNS transaction that contains
+# `suricata`, as the second is followed by |03|
+alert dns any any -> any any (msg:"DNS suricata query - payload rule"; content:"suricata|02|"; sid:1; rev:1;)

tests/dns/task-7018-dns-ids-stream-rule/test.yaml

@@ -0,0 +1,205 @@
+args:
+- -k none
+
+pcap: ../bug-7004-ids-dns-keywords/input.pcap
+
+checks:
+- filter:
+    min-version: 7
+    count: 2
+    match:
+      event_type: alert
+- filter:
+    min-version: 8
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 7
+      alert.signature: DNS suricata query - payload rule
+      alert.signature_id: 1
+      proto: TCP
+      src_ip: 10.16.1.11
+      src_port: 36926
+      app_proto: dns
+      dest_ip: 9.9.9.9
+      dest_port: 53
+      direction: to_server
+- filter:
+    min-version: 8
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 9
+      alert.signature: DNS suricata query - payload rule
+      alert.signature_id: 1
+      app_proto: dns
+      proto: TCP
+      src_ip: 9.9.9.9
+      src_port: 53
+      dest_ip: 10.16.1.11
+      dest_port: 36926
+      direction: to_client
+- filter:
+    count: 1
+    match:
+      event_type: dns
+      pcap_cnt: 5
+      dest_ip: 9.9.9.9
+      dest_port: 53
+      dns.id: 0
+      dns.opcode: 0
+      dns.rrname: suricata.io
+      dns.rrtype: A
+      dns.tx_id: 0
+      dns.type: query
+      proto: TCP
+      src_ip: 10.16.1.11
+      src_port: 36926
+- filter:
+    count: 1
+    match:
+      event_type: dns
+      pcap_cnt: 7
+      proto: TCP
+      src_ip: 10.16.1.11
+      src_port: 36926
+      dest_ip: 9.9.9.9
+      dest_port: 53
+      dns.answers[0].rdata: 35.212.0.44
+      dns.answers[0].rrname: suricata.io
+      dns.answers[0].rrtype: A
+      dns.answers[0].ttl: 490
+      dns.flags: '8180'
+      dns.grouped.A[0]: 35.212.0.44
+      dns.id: 0
+      dns.opcode: 0
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rrname: suricata.io
+      dns.rrtype: A
+      dns.type: answer
+      dns.version: 2
+- filter:
+    count: 1
+    match:
+      event_type: dns
+      pcap_cnt: 9
+      proto: TCP
+      src_ip: 10.16.1.11
+      src_port: 36926
+      dest_ip: 9.9.9.9
+      dest_port: 53
+      dns.id: 0
+      dns.opcode: 0
+      dns.rrname: oisf.net
+      dns.rrtype: A
+      dns.tx_id: 2
+      dns.type: query
+- filter:
+    count: 1
+    match:
+      event_type: dns
+      pcap_cnt: 10
+      proto: TCP
+      src_ip: 10.16.1.11
+      src_port: 36926
+      dest_ip: 9.9.9.9
+      dest_port: 53
+      dns.answers[0].rdata: 192.0.78.190
+      dns.answers[0].rrname: oisf.net
+      dns.answers[0].rrtype: A
+      dns.answers[0].ttl: 207
+      dns.answers[1].rdata: 192.0.78.209
+      dns.answers[1].rrname: oisf.net
+      dns.answers[1].rrtype: A
+      dns.answers[1].ttl: 207
+      dns.flags: '8180'
+      dns.grouped.A[0]: 192.0.78.190
+      dns.grouped.A[1]: 192.0.78.209
+      dns.id: 0
+      dns.opcode: 0
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rrname: oisf.net
+      dns.rrtype: A
+      dns.type: answer
+      dns.version: 2
+- filter:
+    count: 1
+    match:
+      event_type: dns
+      pcap_cnt: 11
+      proto: TCP
+      src_ip: 10.16.1.11
+      src_port: 36926
+      dest_ip: 9.9.9.9
+      dest_port: 53
+      dns.id: 0
+      dns.opcode: 0
+      dns.rrname: suricata.org
+      dns.rrtype: A
+      dns.tx_id: 4
+      dns.type: query
+- filter:
+    count: 1
+    match:
+      event_type: dns
+      pcap_cnt: 12
+      proto: TCP
+      src_ip: 10.16.1.11
+      src_port: 36926
+      dest_ip: 9.9.9.9
+      dest_port: 53
+      dns.answers[0].rdata: 15.197.148.33
+      dns.answers[0].rrname: suricata.org
+      dns.answers[0].rrtype: A
+      dns.answers[0].ttl: 600
+      dns.answers[1].rdata: 3.33.130.190
+      dns.answers[1].rrname: suricata.org
+      dns.answers[1].rrtype: A
+      dns.answers[1].ttl: 600
+      dns.flags: '8180'
+      dns.grouped.A[0]: 15.197.148.33
+      dns.grouped.A[1]: 3.33.130.190
+      dns.id: 0
+      dns.opcode: 0
+      dns.qr: true
+      dns.ra: true
+      dns.rcode: NOERROR
+      dns.rd: true
+      dns.rrname: suricata.org
+      dns.rrtype: A
+      dns.type: answer
+      dns.version: 2
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      app_proto: dns
+      proto: TCP
+      src_ip: 10.16.1.11
+      src_port: 36926
+      dest_ip: 9.9.9.9
+      dest_port: 53
+      flow.age: 0
+      flow.alerted: true
+      flow.bytes_toclient: 575
+      flow.bytes_toserver: 627
+      flow.pkts_toclient: 6
+      flow.pkts_toserver: 8
+      flow.reason: shutdown
+      flow.state: closed
+      tcp.ack: true
+      tcp.fin: true
+      tcp.psh: true
+      tcp.state: closed
+      tcp.syn: true
+      tcp.tc_max_regions: 1
+      tcp.tcp_flags: 1b
+      tcp.tcp_flags_tc: 1b
+      tcp.tcp_flags_ts: 1b
+      tcp.ts_max_regions: 1

tests/dns/task-7018-dns-ips-stream-rule/README.md

@@ -0,0 +1,28 @@
+# Test Description
+
+Test earlier alert matches after trigger raw stream reassembly when there's a
+completed DNS TCP transaction.
+
+## PCAP
+
+dns-tcp-multi.pcap, crafted for this test, shared in the Redmine ticket.
+
+The capture shows three request-response DNS transactions:
+Query 1: suricata.io
+Query 2: oisf.net
+Query 3: suricata.org
+
+## Behavior
+
+We match those against a single payload rule without any DNS keywords,
+and inspecting content `suricata|02|`. Ideally, the expectation is to have 2 alerts,
+for the portion of the stream associated with Query 1 - that's because on the
+wire we observe that for Query three the content is `suricata|03|`.
+
+For IPS mode, as a larger portion of the stream buffer is kept available, and as
+it still contains the matching bytes, we'll see more alerts triggered.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7018
+https://redmine.openinfosecfoundation.org/issues/7004

tests/dns/task-7018-dns-ips-stream-rule/test.rules

@@ -0,0 +1,3 @@
+# This rule will only match on the first DNS transaction that contains
+# `suricata`, as the second is followed by |03|
+alert dns any any -> any any (msg:"DNS suricata query - payload rule"; content:"suricata|02|"; sid:1; rev:1;)