testing/validation/dns_cname.yml

name: DNS CNAME Request
description: Check that the canonical name from DNS response to CNAME request is present
  in the flow.
requirements:
  protocols: [dns]
marks: [dns]
pcap: dns_cname.pcap
probe:
  protocols: [dns]
at_least_one: [dns_id, dns_flags, dns_req_query_type, dns_req_query_class, dns_req_query_name,
  dns_resp_rcode, dns_resp_rr.name, dns_resp_rr.type, dns_resp_rr.class, dns_resp_rr.ttl,
  dns_resp_rr.data, dns_resp_rr.flowmon_data]

flows:
  - src_ip: 192.168.233.84
    dst_ip: 192.168.179.148
    ip_version: 4
    protocol: 17
    bytes: 62
    bytes@rev: 87
    packets: 1
    packets@rev: 1
    src_port: 59961
    dst_port: 53
    dns_id: 38661
    _forward:
      dns_flags: 0x0100
      dns_req_query_type: 5
      dns_req_query_class: 1
      dns_req_query_name: se-ssl-cloud.com
    _reverse:
      dns_flags: 0x8180
      dns_resp_rcode: 0
      dns_resp_rr:
        - name: se-ssl-cloud.com
          type: 5
          class: 1
          ttl: 300
          data: glaston.net
          flowmon_data: '0x676C6173746F6E2E6E6574'