File tree Expand file tree Collapse file tree 3 files changed +55
-0
lines changed Expand file tree Collapse file tree 3 files changed +55
-0
lines changed Original file line number Diff line number Diff line change 1+ Test the ` dns.rrtype ` value.
2+
3+ The PCAP here was reused from ./tests/dns/dns-eve-empty-format/input.pcap
4+
5+ Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6666
Original file line number Diff line number Diff line change 1+ # Only alert on requests.
2+ alert dns any any -> any any (dns.rrtype:1; flow:to_server; sid:1; rev:1;)
3+
4+ # Only alert on responses.
5+ alert dns any any -> any any (dns.rrtype:1; flow:to_client; sid:2; rev:1;)
6+
7+ # Negated rrtype value
8+ alert dns any any -> any any (dns.rrtype:!2; flow:to_client; sid:3; rev:1;)
Original file line number Diff line number Diff line change 1+ requires :
2+ min-version : 8
3+
4+ pcap : ../dns-eve-empty-format/input.pcap
5+
6+ checks :
7+ - filter :
8+ count : 1
9+ match :
10+ alert.signature_id : 1
11+ dest_ip : 10.16.1.1
12+ dest_port : 53
13+ direction : to_server
14+ app_proto : dns
15+ event_type : alert
16+ dns.query[0].rrtype : A
17+ src_ip : 10.16.1.11
18+ src_port : 57634
19+ - filter :
20+ count : 1
21+ match :
22+ alert.signature_id : 2
23+ dest_ip : 10.16.1.11
24+ dest_port : 33458
25+ direction : to_client
26+ app_proto : dns
27+ event_type : alert
28+ dns.answer.rrtype : A
29+ src_ip : 10.16.1.1
30+ src_port : 53
31+ - filter :
32+ count : 1
33+ match :
34+ alert.signature_id : 3
35+ dest_ip : 10.16.1.11
36+ dest_port : 33458
37+ direction : to_client
38+ app_proto : dns
39+ event_type : alert
40+ dns.answer.rrtype : A
41+ src_ip : 10.16.1.1
42+ src_port : 53
You can’t perform that action at this time.
0 commit comments