From 28842ea97861af4719667c30c61b73e499f293ab Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 25 Sep 2024 10:37:54 -0600
Subject: [PATCH] dns-reversed-udp-1: test that flow is reversed

Test that because this is a DNS response, that the flow is reversed.
---
tests/dns-reversed-udp-1/suricata.yaml | 1 +
tests/dns-reversed-udp-1/test.yaml | 9 +++++++++
2 files changed, 10 insertions(+)

diff --git a/tests/dns-reversed-udp-1/suricata.yaml b/tests/dns-reversed-udp-1/suricata.yaml
index c7c9cd5dd..06ffdcab3 100644
--- a/tests/dns-reversed-udp-1/suricata.yaml
+++ b/tests/dns-reversed-udp-1/suricata.yaml
@@ -8,3 +8,4 @@ outputs:
- dns: enabled: true version: 2
+ - flow:
diff --git a/tests/dns-reversed-udp-1/test.yaml b/tests/dns-reversed-udp-1/test.yaml
index 70875fa51..02c107b34 100644
--- a/tests/dns-reversed-udp-1/test.yaml
+++ b/tests/dns-reversed-udp-1/test.yaml
@@ -30,3 +30,12 @@ checks:
dns.type: answer src_ip: "10.16.1.11" dest_ip: "10.16.1.1"
+
+ # This pcap has one packet, 10.16.1.1 -> 10.16.1.11, but Suricata
+ # should reverse that as it detect this as a DNS response.
+ - filter: count: 1 match: event_type: flow src_ip: "10.16.1.11" dest_ip: "10.16.1.1"
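Review bot: The new `- flow:` output entry is a bare key with a null value, while the `- dns:` entry directly above it in the same hunk sets `enabled: true` explicitly; relying on whatever Suricata does with an output entry that has no body is implicit, and yamllint flags empty values. For consistency with the sibling entry, and so the intent is visible, I would write `- flow:` followed by `enabled: true` on the next line. If the bare form is deliberately used across these test configs, a one-line comment such as `# bare entry: flow output enabled with defaults` would record that.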
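Review bot: The added flow check pins only the reversed IP pair, so it would also pass if the flow were reversed for some reason unrelated to DNS detection; adding `app_proto: dns` (and `proto: UDP`, since the test name suggests a UDP pcap) to the `match:` block alongside `src_ip`/`dest_ip` would tie the assertion to the rationale the comment gives, assuming the EVE flow record carries `app_proto` as it normally does. The new comment also has a grammar slip: `# should reverse that as it detect this as a DNS response.` should read `# should reverse that as it detects this as a DNS response.`. The `checks:` list this hunk extends begins outside the hunk, so I have not verified the earlier DNS check it sits under.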