From d2923095bd0425068d403ad79774fbe165fe08fa Mon Sep 17 00:00:00 2001
From: Ilya Bakhtin
Date: Sun, 19 May 2024 19:04:32 +0200
Subject: [PATCH] detect-proto: add a test for DNS detected as DCERPC by PM
---
tests/dns/dns-dcerpc-reversed/input.pcap | Bin 0 -> 412 bytes
tests/dns/dns-dcerpc-reversed/test.yaml | 41 +++++++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100755 tests/dns/dns-dcerpc-reversed/input.pcap
create mode 100644 tests/dns/dns-dcerpc-reversed/test.yaml
diff --git a/tests/dns/dns-dcerpc-reversed/input.pcap b/tests/dns/dns-dcerpc-reversed/input.pcap
new file mode 100755
index 0000000000000000000000000000000000000000..0a71017d32e90f3c265bf0ff247821571e6208ef
GIT binary patch literal 412 zcmca|c+)~A1{MYw`2U}Qff2}&a??sv-^0nU3djawh6fTGdDb!7NwLY8-Wz0=%y7V8tA6v6$_=O7Ud@9RhFj~mn5g=l@ulBa3tsC zm!<%9u_jiP7Ns&L=jVbf0$QcXzX0eKpoJipYp`%J>;keu7~*D#`{6EM@pdKygRP)a s0?5@M*E5&`-9F{Q8Wski8nA(Ma`^!ssC8TnEFy)WAAmk#xd8DA0Ku+$#Q*>R literal 0 HcmV?d00001
diff --git a/tests/dns/dns-dcerpc-reversed/test.yaml b/tests/dns/dns-dcerpc-reversed/test.yaml
new file mode 100644
index 000000000..111e7350d
--- /dev/null
+++ b/tests/dns/dns-dcerpc-reversed/test.yaml
@@ -0,0 +1,41 @@
+requires:
+ min-version: 6.0.0
+
+args:
+ - --set stream.midstream=true
+
+checks:
+
+ - filter:
+ comment: request
+ count: 1
+ match:
+ event_type: dns
+ dns.type: query
+ src_ip: "172.28.255.122"
+ src_port: 54824
+ dest_ip: "192.168.1.12"
+ dest_port: 53
+
+ - filter:
+ comment: response
+ count: 1
+ match:
+ event_type: dns
+ dns.type: answer
+ dns.answers[0].rrtype: A
+ src_ip: "172.28.255.122"
+ src_port: 54824
+ dest_ip: "192.168.1.12"
+ dest_port: 53
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: dns
+ src_ip: "172.28.255.122"
+ src_port: 54824
+ dest_ip: "192.168.1.12"
+ dest_port: 53
+
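Review bot: The flow filter at the end of the test.yaml hunk only proves the flow ends up as `app_proto: dns`; it does not assert that the DCERPC misdetection named in the subject is gone, so a flow first tagged as DCERPC and later corrected by protocol detection would still pass. A negative filter such as `- filter:` / `count: 0` / `match:` / `event_type: dcerpc` (or a check that the flow record carries no `app_proto_orig`) would pin the regression this test is meant to cover. The third filter also lacks the `comment:` key the first two carry; `comment: flow` keeps the three consistent. Separately, the diffstat shows input.pcap created with mode 100755, and a capture file does not need the execute bit.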