Merge pull request #1 from tsg/feature/udp-dns-plugin
Add integration tests for the DNS protocol.
andrewkroh committed Aug 28, 2015
2 parents 330a95e + 3ea88da commit cab839b
Showing 10 changed files with 208 additions and 0 deletions.
18 changes: 18 additions & 0 deletions etc/fields.yml
Expand Up @@ -269,6 +269,12 @@ event:
The data describing the resource. The meaning of this data depends
on the type and class of the resource record.
- name: dns.authorities
type: dict
description: >
An array containing a dictionary for each authority section from the
answer.
- name: dns.authorities_count
type: int
description: >
Expand All @@ -288,6 +294,12 @@ event:
description: Class of DNS data contained in this resource record.
example: IN

- name: dns.answers
type: dict
description: >
An array containing a dictionary about each answer section returned by
the server.
- name: dns.answers.ttl
description: >
Time interval in seconds that this resource record may be cached
Expand All @@ -300,6 +312,12 @@ event:
The data describing the resource. The meaning of this data depends
on the type and class of the resource record.
- name: dns.additionals
type: dict
description: >
An array containing a dictionary for each additional section from the
answer.
- name: dns.additionals_count
type: int
description: >
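Review bot: Each of the three new entries declares `type: dict` while its description says it is an array of dictionaries, and the descriptions use "section" for what is really an individual resource record — a DNS message has one answer, one authority and one additional section, each holding zero or more records. If this file feeds a generated index template, as the `type` and `example` keys suggest, the declared type should match what the parser actually emits (presumably an array of objects), and whichever is correct should be applied to all three hunks together. For the text, `dns.answers` would read `An array containing one dictionary per resource record in the answer section of the response.`, with `authority` and `additional` substituted for the other two. The enclosing `event:` mapping starts before the first hunk and the `ttl`/`data` sub-entries continue outside it.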
Binary file added tests/pcaps/dns_additional.pcap
Binary file not shown.
Binary file added tests/pcaps/dns_google_com.pcap
Binary file not shown.
Binary file added tests/pcaps/dns_mx.pcap
Binary file not shown.
Binary file added tests/pcaps/dns_not_found.pcap
Binary file not shown.
Binary file added tests/pcaps/dns_ns.pcap
Binary file not shown.
Binary file added tests/pcaps/dns_txt.pcap
Binary file not shown.
7 changes: 7 additions & 0 deletions tests/templates/packetbeat.yml.j2
Expand Up @@ -121,6 +121,13 @@ protocols:
{% if mongodb_max_docs is not none %} max_docs: {{mongodb_max_docs}}{%endif %}
{% if mongodb_max_doc_length is not none %} max_doc_length: {{mongodb_max_doc_length}}{%endif%}

dns:
ports: [{{ dns_ports|default([53])|join(", ") }}]
{% if dns_include_authorities %} include_authorities: true{% endif %}
{% if dns_include_additionals %} include_additionals: true{% endif %}
{% if dns_send_request %} send_request: true{% endif %}
{% if dns_send_response %} send_response: true{% endif %}


############################# Filters ############################################

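Review bot: The four `{% if dns_… %}` guards can only ever emit `true`, so a test cannot render an explicit `include_authorities: false` or `send_response: false` and therefore cannot distinguish "the option is honored" from "the option merely defaulted". The mongodb block directly above follows a different pattern, testing `is not none` and printing the value; the same shape here would be `{% if dns_include_authorities is not none %} include_authorities: {{ 'true' if dns_include_authorities else 'false' }}{% endif %}` for each of the four, provided render_config_template defaults these variables to None as it apparently does for `mongodb_max_docs`. This is worth having for `send_request`/`send_response` in particular, since the new test_0032 asserts that enabling them copies DNS message contents into the event, so an explicit off switch is the kind of setting one wants to prove works. The enclosing `protocols:` mapping starts before the hunk.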
2 changes: 2 additions & 0 deletions tests/test_0012_http_basicauth.py
Expand Up @@ -6,6 +6,8 @@ class Test(TestCase):

def test_http_auth(self):
self.render_config_template(
dns_ports=[], # disable dns because the pcap
# contains the DNS query
http_send_all_headers=1,
http_strip_authorization=1,
http_send_request=True
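--- /dev/null
+++ b/tests/test_0032_dns.py
@@ -0,0 +1,181 @@
+from pbtests.packetbeat import TestCase
+
+"""
+Tests for the DNS protocol.
+"""
+
+
+class Test(TestCase):
+    def test_A(self):
+        """
+        Should correctly interpret an A query to google.com
+        """
+        self.render_config_template(
+            dns_ports=[53],
+        )
+        self.run_packetbeat(pcap="dns_google_com.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "dns"
+        assert o["transport"] == "udp"
+        assert o["method"] == "QUERY"
+        assert o["query"] == "class IN, type A, google.com"
+        assert o["dns.question.type"] == "A"
+        assert o["status"] == "OK"
+        assert len(o["dns.answers"]) == 16
+        assert all(x["type"] == "A" for x in o["dns.answers"])
+
+    def test_A_not_found(self):
+        """
+        Should correctly interpret an A query to google.com
+        """
+        self.render_config_template(
+            dns_ports=[53],
+        )
+        self.run_packetbeat(pcap="dns_not_found.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "dns"
+        assert o["transport"] == "udp"
+        assert o["method"] == "QUERY"
+        assert o["query"] == "class IN, type A, nothing.elastic.co"
+        assert o["dns.question.type"] == "A"
+        assert o["status"] == "Error"
+        assert o["dns.response_code"] == "NXDOMAIN"
+        assert o["dns.answers_count"] == 0
+        assert o["dns.authorities_count"] == 1
+        assert "dns.authorities" not in o  # include authorities defaults to 0
+
+    def test_MX(self):
+        """
+        Should correctly interpret an MX query to elastic.co
+        """
+        self.render_config_template(
+            dns_ports=[53],
+        )
+        self.run_packetbeat(pcap="dns_mx.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "dns"
+        assert o["transport"] == "udp"
+        assert o["method"] == "QUERY"
+        assert o["query"] == "class IN, type MX, elastic.co"
+        assert o["dns.question.type"] == "MX"
+        assert o["status"] == "OK"
+
+    def test_NS(self):
+        """
+        Should correctly interpret an NS query to elastic.co
+        """
+        self.render_config_template(
+            dns_ports=[53],
+        )
+        self.run_packetbeat(pcap="dns_ns.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "dns"
+        assert o["transport"] == "udp"
+        assert o["method"] == "QUERY"
+        assert o["query"] == "class IN, type NS, elastic.co"
+        assert o["dns.question.type"] == "NS"
+        assert o["status"] == "OK"
+
+    def test_TXT(self):
+        """
+        Should correctly interpret an TXT query to elastic.co
+        """
+        self.render_config_template(
+            dns_ports=[53],
+        )
+        self.run_packetbeat(pcap="dns_txt.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "dns"
+        assert o["transport"] == "udp"
+        assert o["method"] == "QUERY"
+        assert o["ip"] == "8.8.8.8"
+        assert o["query"] == "class IN, type TXT, elastic.co"
+        assert o["dns.question.type"] == "TXT"
+        assert o["status"] == "OK"
+        assert len(o["dns.answers"]) == 2
+        assert all(x["type"] == "TXT" for x in o["dns.answers"])
+        assert "request" not in o
+        assert "response" not in o
+
+    def test_include_authorities(self):
+        """
+        Should include DNS authorities when configured.
+        """
+        self.render_config_template(
+            dns_ports=[53],
+            dns_include_authorities=True
+        )
+
+        self.run_packetbeat(pcap="dns_not_found.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "dns"
+        assert o["dns.authorities_count"] == 1
+        assert "dns.authorities" in o
+        assert len(o["dns.authorities"]) == 1
+
+    def test_include_additionals(self):
+        """
+        Should include DNS authorities when configured.
+        """
+        self.render_config_template(
+            dns_ports=[53],
+            dns_include_additionals=True
+        )
+
+        self.run_packetbeat(pcap="dns_additional.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "dns"
+        assert o["dns.additionals_count"] == 1
+        assert "dns.additionals" in o
+        assert len(o["dns.additionals"]) == 1
+
+    def test_send_request_response(self):
+        """
+        Should correctly interpret an TXT query to elastic.co
+        """
+        self.render_config_template(
+            dns_ports=[53],
+            dns_send_request=True,
+            dns_send_response=True
+        )
+        self.run_packetbeat(pcap="dns_txt.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "dns"
+        assert o["transport"] == "udp"
+        assert o["method"] == "QUERY"
+        assert "request" in o
+        assert "response" in o
+        assert "elastic.co" in o["request"]
+        assert "include:_spf.google.com" in o["response"]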
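Review bot: Every case in this file replays a well-formed response from a public resolver; nothing exercises a malformed DNS message, even though the parser under test consumes untrusted traffic straight off the wire. A truncated message, a name-compression pointer that refers forward or to itself, and an answer count larger than the remaining payload should each get a small pcap and a test asserting that packetbeat still terminates and produces whatever its documented behaviour on bad input is — presumably a dropped packet or a single event with `status == "Error"`, the shape `test_A_not_found` already checks — rather than a crash. Three docstrings were copied without being updated: `test_A_not_found` should read `Should correctly interpret an A query for a name that does not exist (NXDOMAIN)`, `test_include_additionals` should say `Should include DNS additionals when configured.`, and `test_send_request_response` should say `Should emit the raw request and response payloads when send_request/send_response are configured.` The triple-quoted `Tests for the DNS protocol.` string sits after the import, so it is a bare expression statement rather than the module docstring; move it above `from pbtests.packetbeat import TestCase`.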