detect-proto: add a test for DNS detected as DCERPC by PM

ilya-bakhtin · Jul 21, 2024 · fc0fedc · fc0fedc
1 parent 7fd86e8
commit fc0fedc
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/tests/dns/dns-dcerpc-reversed/input.pcap b/tests/dns/dns-dcerpc-reversed/input.pcap
diff --git a/tests/dns/dns-dcerpc-reversed/test.yaml b/tests/dns/dns-dcerpc-reversed/test.yaml
@@ -0,0 +1,39 @@
+requires:
+  min-version: 6.0.0
+
+args:
+  - --set stream.midstream=true
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: dns
+        dns.type: request
+        src_ip: "172.28.255.122"
+        src_port: 54824
+        dest_ip: "192.168.1.12"
+        dest_port: 53
+
+  - filter:
+      count: 1
+      match:
+        event_type: dns
+        dns.type: response
+        dns.answers[0].rrtype: A
+        src_ip: "172.28.255.122"
+        src_port: 54824
+        dest_ip: "192.168.1.12"
+        dest_port: 53
+
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: dns
+        src_ip: "172.28.255.122"
+        src_port: 54824
+        dest_ip: "192.168.1.12"
+        dest_port: 53
+