From e7d6ee7dbbe413b9c5719be22c52a7183325d934 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 5 Dec 2023 14:10:42 +0100
Subject: [PATCH] dns: adds test for dns over http2

Ticket: 5773
---
tests/dns-over-http2/README.md | 9 +++++
tests/dns-over-http2/dns_over_https.pcap | Bin 0 -> 5188 bytes
tests/dns-over-http2/test.rules | 2 +
tests/dns-over-http2/test.yaml | 47 +++++++++++++++++++++++
4 files changed, 58 insertions(+)
create mode 100644 tests/dns-over-http2/README.md
create mode 100644 tests/dns-over-http2/dns_over_https.pcap
create mode 100644 tests/dns-over-http2/test.rules
create mode 100644 tests/dns-over-http2/test.yaml
diff --git a/tests/dns-over-http2/README.md b/tests/dns-over-http2/README.md
new file mode 100644
index 000000000..f9fb01d63
--- /dev/null
+++ b/tests/dns-over-http2/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test DNS over HTTP2
+https://redmine.openinfosecfoundation.org/issues/5773
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/5773
+
diff --git a/tests/dns-over-http2/dns_over_https.pcap b/tests/dns-over-http2/dns_over_https.pcap new file mode 100644 index 0000000000000000000000000000000000000000..afc2809a455419a9c6b563f44439f128e6528655 GIT binary patch literal 5188 zcmeHLYj6`)6h50x+O#HV3knq}k3lLF0%uV z{*y6W9)LfG-kpY5L86!CN_GdD>9IPlCth&^ew7v_E-EeWAA4w^Vv*b(mOjS0>)El> z-)-UMz9Glw5FSq-t1qymz!H(zr0vxJXl< z>#}Fiqj&N%(HWKhNxC|E__(B$4&@aI-}Rrs#mp(*Gkj6`KEuNJ;;qriZv(7h*6?Tz zS6X!7?z3Wl&Az?FYdr=h4P8!6DvZ|#p@MN~y&oenTHJmEvY^u{n$yk`ZHzEvU}VGb zH;6?Zyb%rqj#jH^0MO%IYEogV#R^}r)k=Ih$L+@_d(&z=G0RZoxV%VV=eM#zaHknu zv7hq2QTav&x0-Mya7s0gaiiF=8#ljLMl2IrSVna8gNyURofmKdm&TDZIQ^-qixZqJ zJHk@NrlclsYus@mX<3TCxZ+&J;iiK1odjc&n%zB#e}t6@lDqJvi94i_P#e<-c$ZSk>zCC#12c{8EuSDS@xF8-f8SFn|ict z|E{k}=sNXJJe^(o;lBAh!=DchQ*FAsr{ZGfa^)pij%a5N1?((ocv-oMZ8XTW^?W?TK3)b!I-C34>5hJQ3`pXv{NSysXg`c;5=v)`-rn|x(Ufqunnty$~7Cn`Oq;X#Y!r6v^$maMCAiGp=t zp>MD_q^lVFeBwKIgiXX~7YayMiaN*J?e^g5R-4h5W#Ub_**FATjY_=D^#yrJYxNoA zqqr)!5>#B7bou}LcaH~HKmn9NJ}MD;`VHVA5kp8#DvUe>3ULU@WA-Hv??f)JjU#sw z&FRT9onKu4;lVbOwXW86fOc9h)o_RWpK4Nv{~P*5s8d7u04Gr)G7-zeOkYAN@ca=8 z^`=(z0}+-dxRTL4Jcbw4q{7b0A%)0VgnP#CoNNS8l+(dh(ShbDg9z@XaHdLAvpy6~ z;0QITFxW$m&k6Q}OMbA&y|7dE(ww!duu%xu&1Qv7cw6P!9!K?A-HhvXJv**CymrB= zgv6}Nzcnr0RUNc<*0(<=>c=_HpN}k5=}s<;a=KQ}Vl|rj_;%OnsOP$4_4bcHly7A0 zj>J&-8nvV*6=v)wj-$-ji@wInioC{Z>@;T`Gd5VjQPJ3l+cS2sZltE(_;HnJ-cQGj z7d3mFw^N+Dz1CI@Qp1a=F*T_$Yv(%7leN1C_z@86DL#f6Gro%EjAc8TqOBcmbsOae z8=q1lEkDBC;?75L7&2H5?UAw6q(Yj>6pkNAv+AvWn*Hk4ERHHn&q1y5?4DF-a>^Xz zY^^zCy7?Y!w$WmPDpl^$&zc$&9q6+ZUr6f{4VI#-j=P+v*c!I?HO8=HIGf# z*eu4(%q&y3F~>OFY~gdvHmFGeHV4o9_>TB2n`5a`Vhe z)2!V53}arN!Z;`2Vy@{^V-xEI2m$%MsaHq*Q7=Sby`YwQ;XmIeiae-Sv-jnj@5~;r zF!Da?xWLH!tS?1^Kl4&#LxK1>ZFfi!-{W3J_=f9h7>ReONrmALbo|Kh?Y>(99|I8F zOv$00L36xsGN71CkkL2P0d{D|PYlxH2l=oUa$_1n`tHz7(``32fi(S@!RGtHKJJBm zl@%s($`1&p1!SmcDLSg{TE~F}IOd)wp_nLq dDnm&UQIP0?bV+9@8b4i9Q5QM=vsQ^HzXL^{>!|<$ literal 0 HcmV?d00001 
diff --git a/tests/dns-over-http2/test.rules b/tests/dns-over-http2/test.rules
new file mode 100644
index 000000000..deebb56d5
--- /dev/null
+++ b/tests/dns-over-http2/test.rules
@@ -0,0 +1,2 @@
+alert http2 any any -> any any (http.uri; content: "/dns"; sid:10; )
+alert dns any any -> any any (dns.query; content: "www.gstatic.com"; sid:20; )
diff --git a/tests/dns-over-http2/test.yaml b/tests/dns-over-http2/test.yaml
new file mode 100644
index 000000000..22161e704
--- /dev/null
+++ b/tests/dns-over-http2/test.yaml
@@ -0,0 +1,47 @@
+requires:
+ min-version: 8.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 20
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: query
+ dns.rrname: www.gstatic.com
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: query
+ dns.rrname: nav-edge.smartscreen.microsoft.com
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: answer
+ dns.rrname: www.gstatic.com
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+ dns.type: answer
+ dns.rrname: nav-edge.smartscreen.microsoft.com
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: http2
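Review bot: Both rules in test.rules omit `msg`, so the alert records the test counts are identified by sid alone and carry no descriptive signature text when someone reads eve.json after a failure. I would name what each rule is meant to prove, e.g. `alert http2 any any -> any any (msg:"DoH2 request URI"; http.uri; content: "/dns"; sid:10; )` and `alert dns any any -> any any (msg:"DNS query carried over HTTP/2"; dns.query; content: "www.gstatic.com"; sid:20; )`. The `/dns` content is also an unanchored substring match on the URI, which is acceptable for this pcap but worth stating in the message or the README so the rule is not copied as a DoH detection as-is.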
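Review bot: The four `event_type: dns` filters in test.yaml match only on `dns.type` and `dns.rrname`, so nothing in them shows that the records were decoded from the HTTP/2 flow rather than from ordinary DNS traffic, should the pcap contain any. Assuming the dns records carry the usual top-level eve fields, adding `proto: TCP` (or the flow's destination port) to each of those `match:` blocks would tie them to the DoH connection. Separately, `count: 4` for sid 10 is not explained next to the two queries the later filters expect; a one-line comment above that filter saying which transactions or directions produce the four alerts would help whoever has to adjust the count later.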