aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ab1200fbd7'
${ noResults }
suricata/src/app-layer-dns-tcp.c

848 lines
30 KiB
C
Raw Normal View History Unescape Escape

DNS TCP and UDP parser and DNS response logger
13 years ago
/* Copyright (C) 2013 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
* \author Victor Julien <victor@inliniac.net>
*/
#include "suricata-common.h"
#include "suricata.h"
#include "debug.h"
#include "decode.h"
#include "flow-util.h"
#include "threads.h"
#include "util-print.h"
#include "util-pool.h"
#include "util-debug.h"
#include "stream-tcp-private.h"
#include "stream-tcp-reassemble.h"
#include "stream-tcp.h"
#include "stream.h"
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "util-spm.h"
#include "util-unittest.h"
#include "app-layer-dns-tcp.h"
struct DNSTcpHeader_ {
uint16_t len;
uint16_t tx_id;
uint16_t flags;
uint16_t questions;
uint16_t answer_rr;
uint16_t authority_rr;
uint16_t additional_rr;
} __attribute__((__packed__));
typedef struct DNSTcpHeader_ DNSTcpHeader;
/** \internal
* \param input_len at least enough for the DNSTcpHeader
*/
static int DNSTCPRequestParseProbe(uint8_t *input, uint32_t input_len)
{
#ifdef DEBUG
BUG_ON(input_len < sizeof(DNSTcpHeader));
#endif
SCLogDebug("starting %u", input_len);
DNSTcpHeader *dns_tcp_header = (DNSTcpHeader *)input;
if (ntohs(dns_tcp_header->len) < sizeof(DNSHeader)) {
goto bad_data;
}
if (ntohs(dns_tcp_header->len) >= input_len) {
goto insufficient_data;
}
input += 2;
input_len -= 2;
DNSHeader *dns_header = (DNSHeader *)input;
uint16_t q;
const uint8_t *data = input + sizeof(DNSHeader);
for (q = 0; q < ntohs(dns_header->questions); q++) {
uint16_t fqdn_offset = 0;
if (input + input_len < data + 1) {
SCLogDebug("input buffer too small for len field");
goto insufficient_data;
}
SCLogDebug("query length %u", *data);
while (*data != 0) {
if (*data > 63) {
/** \todo set event?*/
goto bad_data;
}
uint8_t length = *data;
data++;
if (length > 0) {
if (input + input_len < data + length) {
SCLogDebug("input buffer too small for domain of len %u", length);
goto insufficient_data;
}
//PrintRawDataFp(stdout, data, qry->length);
if ((fqdn_offset + length + 1) < DNS_MAX_SIZE) {
fqdn_offset += length;
} else {
/** \todo set event? */
goto bad_data;
}
}
data += length;
if (input + input_len < data + 1) {
SCLogDebug("input buffer too small for new len");
goto insufficient_data;
}
SCLogDebug("qry length %u", *data);
}
if (fqdn_offset) {
fqdn_offset--;
}
data++;
if (input + input_len < data + sizeof(DNSQueryTrailer)) {
SCLogDebug("input buffer too small for DNSQueryTrailer");
goto insufficient_data;
}
DNS: fix warning when debug is not enabled
12 years ago
#ifdef DEBUG
DNS TCP and UDP parser and DNS response logger
13 years ago
DNSQueryTrailer *trailer = (DNSQueryTrailer *)data;
SCLogDebug("trailer type %04x class %04x", ntohs(trailer->type), ntohs(trailer->class));
DNS: fix warning when debug is not enabled
12 years ago
#endif
DNS TCP and UDP parser and DNS response logger
13 years ago
data += sizeof(DNSQueryTrailer);
}
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
SCReturnInt(1);
DNS TCP and UDP parser and DNS response logger
13 years ago
insufficient_data:
SCReturnInt(0);
bad_data:
SCReturnInt(-1);
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int BufferData(DNSState *dns_state, uint8_t *data, uint16_t len)
{
DNS TCP and UDP parser and DNS response logger
13 years ago
if (dns_state->buffer == NULL) {
dns: add memcap checking Add memuse tracking and memcap checking to the DNS parsers. Memuse is tracked globally and per flow (state). Memcaps are also checked per flow and globally before memory allocs are done.
12 years ago
if (DNSCheckMemcap(0xffff, dns_state) < 0)
return -1;
DNS TCP and UDP parser and DNS response logger
13 years ago
/** \todo be smarter about this, like use a pool or several pools for
* chunks of various sizes */
dns_state->buffer = SCMalloc(0xffff);
if (dns_state->buffer == NULL) {
return -1;
}
dns: add memcap checking Add memuse tracking and memcap checking to the DNS parsers. Memuse is tracked globally and per flow (state). Memcaps are also checked per flow and globally before memory allocs are done.
12 years ago
DNSIncrMemcap(0xffff, dns_state);
DNS TCP and UDP parser and DNS response logger
13 years ago
}
if ((uint32_t)len + (uint32_t)dns_state->offset > (uint32_t)dns_state->record_len) {
DNS: convert info logs to debugs
12 years ago
SCLogDebug("oh my, we have more data than the max record size. What do we do. WHAT DO WE DOOOOO!");
#ifdef DEBUG
DNS TCP and UDP parser and DNS response logger
13 years ago
BUG_ON(1);
DNS: convert info logs to debugs
12 years ago
#endif
DNS TCP and UDP parser and DNS response logger
13 years ago
len = dns_state->record_len - dns_state->offset;
}
memcpy(dns_state->buffer + dns_state->offset, data, len);
dns_state->offset += len;
return 0;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static void BufferReset(DNSState *dns_state)
{
DNS TCP and UDP parser and DNS response logger
13 years ago
dns_state->record_len = 0;
dns_state->offset = 0;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int DNSRequestParseData(Flow *f, DNSState *dns_state, const uint8_t *input, const uint32_t input_len)
{
DNS TCP and UDP parser and DNS response logger
13 years ago
DNSHeader *dns_header = (DNSHeader *)input;
DNS: add support for per TX decoder events.
12 years ago
if (DNSValidateRequestHeader(dns_state, dns_header) < 0)
DNS TCP and UDP parser and DNS response logger
13 years ago
goto bad_data;
//SCLogInfo("ID %04x", ntohs(dns_header->tx_id));
uint16_t q;
const uint8_t *data = input + sizeof(DNSHeader);
//PrintRawDataFp(stdout, (uint8_t*)data, input_len - (data - input));
dns: support back to back requests without a response Address the issue where a DNS response would not be logged when the traffic is like: - Request 1 - Request 2 - Response 1 - Response 2 which can happen on dual stack machines where the request for A and AAAA are sent out at the same time on the same UDP "session". A "window" is used to set the maximum number of outstanding responses before considering the olders lost.
9 years ago
if (dns_state != NULL) {
if (timercmp(&dns_state->last_req, &dns_state->last_resp, >=)) {
if (dns_state->window <= dns_state->unreplied_cnt) {
dns_state->window++;
}
}
}
DNS TCP and UDP parser and DNS response logger
13 years ago
for (q = 0; q < ntohs(dns_header->questions); q++) {
uint8_t fqdn[DNS_MAX_SIZE];
uint16_t fqdn_offset = 0;
if (input + input_len < data + 1) {
SCLogDebug("input buffer too small for DNSTcpQuery");
goto insufficient_data;
}
SCLogDebug("query length %u", *data);
while (*data != 0) {
if (*data > 63) {
/** \todo set event?*/
goto insufficient_data;
}
uint8_t length = *data;
data++;
if (length > 0) {
if (input + input_len < data + length) {
SCLogDebug("input buffer too small for domain of len %u", length);
goto insufficient_data;
}
//PrintRawDataFp(stdout, data, qry->length);
if ((size_t)(fqdn_offset + length + 1) < sizeof(fqdn)) {
memcpy(fqdn + fqdn_offset, data, length);
fqdn_offset += length;
fqdn[fqdn_offset++] = '.';
} else {
/** \todo set event? */
goto insufficient_data;
}
}
data += length;
if (input + input_len < data + 1) {
SCLogDebug("input buffer too small for DNSTcpQuery(2)");
goto insufficient_data;
}
SCLogDebug("qry length %u", *data);
}
if (fqdn_offset) {
fqdn_offset--;
}
data++;
if (input + input_len < data + sizeof(DNSQueryTrailer)) {
SCLogDebug("input buffer too small for DNSQueryTrailer");
goto insufficient_data;
}
DNSQueryTrailer *trailer = (DNSQueryTrailer *)data;
SCLogDebug("trailer type %04x class %04x", ntohs(trailer->type), ntohs(trailer->class));
data += sizeof(DNSQueryTrailer);
/* store our data */
if (dns_state != NULL) {
DNSStoreQueryInState(dns_state, fqdn, fqdn_offset,
ntohs(trailer->type), ntohs(trailer->class),
ntohs(dns_header->tx_id));
}
}
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
SCReturnInt(1);
DNS TCP and UDP parser and DNS response logger
13 years ago
bad_data:
insufficient_data:
SCReturnInt(-1);
}
/** \internal
* \brief Parse DNS request packet
*/
static int DNSTCPRequestParse(Flow *f, void *dstate,
app-layer: Use opaque pointers instead of void For AppLayerThreadCtx, AppLayerParserState, AppLayerParserThreadCtx and AppLayerProtoDetectThreadCtx, use opaque pointers instead of void pointers. AppLayerParserState is declared in flow.h as it's part of the Flow structure. AppLayerThreadCtx is declared in decode.h, as it's part of the DecodeThreadVars structure.
12 years ago
AppLayerParserState *pstate,
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
uint8_t *input, uint32_t input_len,
void *local_data)
DNS TCP and UDP parser and DNS response logger
13 years ago
{
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
DNSState *dns_state = (DNSState *)dstate;
DNS TCP and UDP parser and DNS response logger
13 years ago
SCLogDebug("starting %u", input_len);
app-layer: update all protocols to accept NULL+EOF Update all non-HTTP protocol parsers to accept a NULL+EOF input.
10 years ago
if (input == NULL && AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
SCReturnInt(1);
}
DNS TCP and UDP parser and DNS response logger
13 years ago
/** \todo remove this when PP is fixed to enforce ipproto */
if (f != NULL && f->proto != IPPROTO_TCP)
SCReturnInt(-1);
/* probably a rst/fin sending an eof */
app-layer: update all protocols to accept NULL+EOF Update all non-HTTP protocol parsers to accept a NULL+EOF input.
10 years ago
if (input == NULL || input_len == 0) {
DNS TCP and UDP parser and DNS response logger
13 years ago
goto insufficient_data;
}
next_record:
/* if this is the beginning of a record, we need at least the header */
if (dns_state->offset == 0 && input_len < sizeof(DNSTcpHeader)) {
SCLogDebug("ilen too small, hoped for at least %"PRIuMAX, (uintmax_t)sizeof(DNSTcpHeader));
goto insufficient_data;
}
SCLogDebug("input_len %u offset %u record %u",
input_len, dns_state->offset, dns_state->record_len);
/* this is the first data of this record */
if (dns_state->offset == 0) {
DNSTcpHeader *dns_tcp_header = (DNSTcpHeader *)input;
SCLogDebug("DNS %p", dns_tcp_header);
if (ntohs(dns_tcp_header->len) < sizeof(DNSHeader)) {
/* bogus len, doesn't fit even basic dns header */
goto bad_data;
} else if (ntohs(dns_tcp_header->len) == (input_len-2)) {
/* we have all data, so process w/o buffering */
if (DNSRequestParseData(f, dns_state, input+2, input_len-2) < 0)
goto bad_data;
} else if ((input_len-2) > ntohs(dns_tcp_header->len)) {
/* we have all data, so process w/o buffering */
if (DNSRequestParseData(f, dns_state, input+2, ntohs(dns_tcp_header->len)) < 0)
goto bad_data;
/* treat the rest of the data as a (potential) new record */
tcp dns: fix advancement to next request in buffer The advancement through the buffer was not taking into account the size of the length field resulting in the second request being detected as bad data.
9 years ago
input += (2 + ntohs(dns_tcp_header->len));
input_len -= (2 + ntohs(dns_tcp_header->len));
DNS TCP and UDP parser and DNS response logger
13 years ago
goto next_record;
} else {
/* not enough data, store record length and buffer */
dns_state->record_len = ntohs(dns_tcp_header->len);
BufferData(dns_state, input+2, input_len-2);
}
} else if (input_len + dns_state->offset < dns_state->record_len) {
/* we don't have the full record yet, buffer */
BufferData(dns_state, input, input_len);
} else if (input_len > (uint32_t)(dns_state->record_len - dns_state->offset)) {
/* more data than expected, we may have another record coming up */
uint16_t need = (dns_state->record_len - dns_state->offset);
BufferData(dns_state, input, need);
int r = DNSRequestParseData(f, dns_state, dns_state->buffer, dns_state->record_len);
BufferReset(dns_state);
if (r < 0)
goto bad_data;
/* treat the rest of the data as a (potential) new record */
input += need;
input_len -= need;
goto next_record;
} else {
/* implied exactly the amount of data we want
* add current to buffer, then inspect buffer */
BufferData(dns_state, input, input_len);
int r = DNSRequestParseData(f, dns_state, dns_state->buffer, dns_state->record_len);
BufferReset(dns_state);
if (r < 0)
goto bad_data;
}
dns (tcp) - fix coverity CIDs 1374306, 1374305 CID 1374306 (#1 of 1): Dereference before null check (REVERSE_INULL) check_after_deref: Null-checking dns_state suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 585 if (dns_state != NULL && f != NULL) { 586 dns_state->last_req = f->lastts; 587 } CID 1374305 (#1 of 1): Dereference before null check (REVERSE_INULL) check_after_deref: Null-checking dns_state suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 366 if (dns_state != NULL && f != NULL) { 367 dns_state->last_req = f->lastts; 368 }
9 years ago
if (f != NULL) {
dns: support back to back requests without a response Address the issue where a DNS response would not be logged when the traffic is like: - Request 1 - Request 2 - Response 1 - Response 2 which can happen on dual stack machines where the request for A and AAAA are sent out at the same time on the same UDP "session". A "window" is used to set the maximum number of outstanding responses before considering the olders lost.
9 years ago
dns_state->last_req = f->lastts;
}
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
SCReturnInt(1);
DNS TCP and UDP parser and DNS response logger
13 years ago
insufficient_data:
SCReturnInt(-1);
bad_data:
SCReturnInt(-1);
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static int DNSReponseParseData(Flow *f, DNSState *dns_state, const uint8_t *input, const uint32_t input_len)
{
DNS TCP and UDP parser and DNS response logger
13 years ago
DNSHeader *dns_header = (DNSHeader *)input;
DNS: add support for per TX decoder events.
12 years ago
if (DNSValidateResponseHeader(dns_state, dns_header) < 0)
DNS TCP and UDP parser and DNS response logger
13 years ago
goto bad_data;
DNSTransaction *tx = NULL;
int found = 0;
dns: detect case of request flooding In the case where DNS requests are sent over the same flow w/o a reply being received, we now set an event in the flow and refuse to add more transactions to the state. This protects the DNS handling from getting overloaded slowing down everything. A new option to configure this behaviour was added: app-layer: protocols: dnsudp: enabled: yes detection-ports: udp: toserver: 53 request-flood: 750 The request-flood parameter can be 0 (disabling this feature) or a positive integer. It defaults to 500. This means that if 500 unreplied requests are seen in a row an event is set. Rule 2240007 was added to dns-events.rules to match on this.
12 years ago
if ((tx = DNSTransactionFindByTxId(dns_state, ntohs(dns_header->tx_id))) != NULL)
found = 1;
if (!found) {
SCLogDebug("DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE");
DNSSetEvent(dns_state, DNS_DECODER_EVENT_UNSOLLICITED_RESPONSE);
dns: support back to back requests without a response Address the issue where a DNS response would not be logged when the traffic is like: - Request 1 - Request 2 - Response 1 - Response 2 which can happen on dual stack machines where the request for A and AAAA are sent out at the same time on the same UDP "session". A "window" is used to set the maximum number of outstanding responses before considering the olders lost.
9 years ago
} else if (dns_state->unreplied_cnt > 0) {
dns_state->unreplied_cnt--;
DNS TCP and UDP parser and DNS response logger
13 years ago
}
uint16_t q;
const uint8_t *data = input + sizeof(DNSHeader);
for (q = 0; q < ntohs(dns_header->questions); q++) {
uint8_t fqdn[DNS_MAX_SIZE];
uint16_t fqdn_offset = 0;
if (input + input_len < data + 1) {
SCLogDebug("input buffer too small for len field");
goto insufficient_data;
}
SCLogDebug("qry length %u", *data);
while (*data != 0) {
uint8_t length = *data;
data++;
if (length > 0) {
if (input + input_len < data + length) {
SCLogDebug("input buffer too small for domain of len %u", length);
goto insufficient_data;
}
//PrintRawDataFp(stdout, data, length);
if ((size_t)(fqdn_offset + length + 1) < sizeof(fqdn)) {
memcpy(fqdn + fqdn_offset, data, length);
fqdn_offset += length;
fqdn[fqdn_offset++] = '.';
}
}
data += length;
if (input + input_len < data + 1) {
SCLogDebug("input buffer too small for len field");
goto insufficient_data;
}
dns: suppress minor scan-build warnings These were only used if debug is enabled. app-layer-dns-tcp.c:407:13: warning: Value stored to 'length' is never read length = *data; app-layer-dns-udp.c:236:13: warning: Value stored to 'length' is never read length = *data;
12 years ago
SCLogDebug("length %u", *data);
DNS TCP and UDP parser and DNS response logger
13 years ago
}
if (fqdn_offset) {
fqdn_offset--;
}
data++;
if (input + input_len < data + sizeof(DNSQueryTrailer)) {
SCLogDebug("input buffer too small for DNSQueryTrailer");
goto insufficient_data;
}
#if DEBUG
DNSQueryTrailer *trailer = (DNSQueryTrailer *)data;
SCLogDebug("trailer type %04x class %04x", ntohs(trailer->type), ntohs(trailer->class));
#endif
data += sizeof(DNSQueryTrailer);
}
for (q = 0; q < ntohs(dns_header->answer_rr); q++) {
data = DNSReponseParse(dns_state, dns_header, q, DNS_LIST_ANSWER,
input, input_len, data);
if (data == NULL) {
goto insufficient_data;
}
}
//PrintRawDataFp(stdout, (uint8_t *)data, input_len - (data - input));
for (q = 0; q < ntohs(dns_header->authority_rr); q++) {
data = DNSReponseParse(dns_state, dns_header, q, DNS_LIST_AUTHORITY,
input, input_len, data);
if (data == NULL) {
goto insufficient_data;
}
}
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
/* parse rcode, e.g. "noerror" or "nxdomain" */
uint8_t rcode = ntohs(dns_header->flags) & 0x0F;
Fix rcode parsing, as noticed by Coverity. Without support for OPT RR from RFC6891 (Extension mechanisms for DNS) values of RCODE above 15 are not possible. Remove dead code which will never match.
10 years ago
if (rcode <= DNS_RCODE_NOTZONE) {
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
SCLogDebug("rcode %u", rcode);
dns: tag each tx we get a reply for as replied Also, detect and print when server says recursion is desired.
12 years ago
if (tx != NULL)
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
tx->rcode = rcode;
} else {
/* this is not invalid, rcodes can be user defined */
SCLogDebug("unexpected DNS rcode %u", rcode);
dns: tag each tx we get a reply for as replied Also, detect and print when server says recursion is desired.
12 years ago
}
if (ntohs(dns_header->flags) & 0x0080) {
SCLogDebug("recursion desired");
if (tx != NULL)
tx->recursion_desired = 1;
}
if (tx != NULL) {
tx->replied = 1;
}
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
SCReturnInt(1);
DNS TCP and UDP parser and DNS response logger
13 years ago
bad_data:
insufficient_data:
SCReturnInt(-1);
}
/** \internal
* \brief DNS TCP record parser, entry function
*
* Parses a DNS TCP record and fills the DNS state
*
* As TCP records can be 64k we'll have to buffer the data. Streaming parsing
* would have been _very_ tricky due to the way names are compressed in DNS
*
*/
static int DNSTCPResponseParse(Flow *f, void *dstate,
app-layer: Use opaque pointers instead of void For AppLayerThreadCtx, AppLayerParserState, AppLayerParserThreadCtx and AppLayerProtoDetectThreadCtx, use opaque pointers instead of void pointers. AppLayerParserState is declared in flow.h as it's part of the Flow structure. AppLayerThreadCtx is declared in decode.h, as it's part of the DecodeThreadVars structure.
12 years ago
AppLayerParserState *pstate,
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
uint8_t *input, uint32_t input_len,
void *local_data)
DNS TCP and UDP parser and DNS response logger
13 years ago
{
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
DNSState *dns_state = (DNSState *)dstate;
DNS TCP and UDP parser and DNS response logger
13 years ago
app-layer: update all protocols to accept NULL+EOF Update all non-HTTP protocol parsers to accept a NULL+EOF input.
10 years ago
if (input == NULL && AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF)) {
SCReturnInt(1);
}
DNS TCP and UDP parser and DNS response logger
13 years ago
/** \todo remove this when PP is fixed to enforce ipproto */
if (f != NULL && f->proto != IPPROTO_TCP)
SCReturnInt(-1);
/* probably a rst/fin sending an eof */
app-layer: fix coverity warnings
10 years ago
if (input == NULL || input_len == 0) {
DNS TCP and UDP parser and DNS response logger
13 years ago
goto insufficient_data;
}
next_record:
/* if this is the beginning of a record, we need at least the header */
if (dns_state->offset == 0 && input_len < sizeof(DNSTcpHeader)) {
SCLogDebug("ilen too small, hoped for at least %"PRIuMAX, (uintmax_t)sizeof(DNSTcpHeader));
goto insufficient_data;
}
SCLogDebug("input_len %u offset %u record %u",
input_len, dns_state->offset, dns_state->record_len);
/* this is the first data of this record */
if (dns_state->offset == 0) {
DNSTcpHeader *dns_tcp_header = (DNSTcpHeader *)input;
SCLogDebug("DNS %p", dns_tcp_header);
dns: reject bad response data
10 years ago
if (ntohs(dns_tcp_header->len) == 0) {
goto bad_data;
} else if (ntohs(dns_tcp_header->len) == (input_len-2)) {
DNS TCP and UDP parser and DNS response logger
13 years ago
/* we have all data, so process w/o buffering */
if (DNSReponseParseData(f, dns_state, input+2, input_len-2) < 0)
goto bad_data;
} else if ((input_len-2) > ntohs(dns_tcp_header->len)) {
/* we have all data, so process w/o buffering */
if (DNSReponseParseData(f, dns_state, input+2, ntohs(dns_tcp_header->len)) < 0)
goto bad_data;
/* treat the rest of the data as a (potential) new record */
tcp dns: fix advancement to next request in buffer The advancement through the buffer was not taking into account the size of the length field resulting in the second request being detected as bad data.
9 years ago
input += (2 + ntohs(dns_tcp_header->len));
input_len -= (2 + ntohs(dns_tcp_header->len));
DNS TCP and UDP parser and DNS response logger
13 years ago
goto next_record;
} else {
/* not enough data, store record length and buffer */
dns_state->record_len = ntohs(dns_tcp_header->len);
BufferData(dns_state, input+2, input_len-2);
}
} else if (input_len + dns_state->offset < dns_state->record_len) {
/* we don't have the full record yet, buffer */
BufferData(dns_state, input, input_len);
} else if (input_len > (uint32_t)(dns_state->record_len - dns_state->offset)) {
/* more data than expected, we may have another record coming up */
uint16_t need = (dns_state->record_len - dns_state->offset);
BufferData(dns_state, input, need);
int r = DNSReponseParseData(f, dns_state, dns_state->buffer, dns_state->record_len);
BufferReset(dns_state);
if (r < 0)
goto bad_data;
/* treat the rest of the data as a (potential) new record */
input += need;
input_len -= need;
goto next_record;
} else {
/* implied exactly the amount of data we want
* add current to buffer, then inspect buffer */
BufferData(dns_state, input, input_len);
int r = DNSReponseParseData(f, dns_state, dns_state->buffer, dns_state->record_len);
BufferReset(dns_state);
if (r < 0)
goto bad_data;
}
dns: support back to back requests without a response Address the issue where a DNS response would not be logged when the traffic is like: - Request 1 - Request 2 - Response 1 - Response 2 which can happen on dual stack machines where the request for A and AAAA are sent out at the same time on the same UDP "session". A "window" is used to set the maximum number of outstanding responses before considering the olders lost.
9 years ago
dns (tcp) - fix coverity CIDs 1374306, 1374305 CID 1374306 (#1 of 1): Dereference before null check (REVERSE_INULL) check_after_deref: Null-checking dns_state suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 585 if (dns_state != NULL && f != NULL) { 586 dns_state->last_req = f->lastts; 587 } CID 1374305 (#1 of 1): Dereference before null check (REVERSE_INULL) check_after_deref: Null-checking dns_state suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 366 if (dns_state != NULL && f != NULL) { 367 dns_state->last_req = f->lastts; 368 }
9 years ago
if (f != NULL) {
dns: support back to back requests without a response Address the issue where a DNS response would not be logged when the traffic is like: - Request 1 - Request 2 - Response 1 - Response 2 which can happen on dual stack machines where the request for A and AAAA are sent out at the same time on the same UDP "session". A "window" is used to set the maximum number of outstanding responses before considering the olders lost.
9 years ago
dns_state->last_req = f->lastts;
}
Added support for full parsing of the rcode header in DNS answer packets. Where rcode isn't "no error" this is displayed in both DNS and JSON logs. Note that this changes the current "No such domain" to "NXDOMAIN" in DNS logs. This could be fixed if desired to maintain compatibility with anybody crazy enough to parse the DNS log. When the rcode is not "no error" (for example NXDOMAIN or SERVFAIL) it is unlikely that there will be answer RRs. Therefore the rname from the query is used. Because the rcode applies to a whole answer packet (not individual queries) it is impossible to determine which query RR caused the error. Because of this most DNS servers currently reject multiple queries per packet. Therefore each query RR is output instead with the relevant error code, likely to be FORMERR if queries > 1.
10 years ago
SCReturnInt(1);
DNS TCP and UDP parser and DNS response logger
13 years ago
insufficient_data:
SCReturnInt(-1);
bad_data:
SCReturnInt(-1);
}
Now supports accepting port addresses as strings, like the ones accepted in our rules. As a consequence we now accept port range, and other such combination. Support PP for ports based on ipproto as well.
12 years ago
static uint16_t DNSTcpProbingParser(uint8_t *input, uint32_t ilen, uint32_t *offset)
DNS TCP and UDP parser and DNS response logger
13 years ago
{
if (ilen == 0 || ilen < sizeof(DNSTcpHeader)) {
SCLogDebug("ilen too small, hoped for at least %"PRIuMAX, (uintmax_t)sizeof(DNSTcpHeader));
return ALPROTO_UNKNOWN;
}
DNSTcpHeader *dns_header = (DNSTcpHeader *)input;
if (ntohs(dns_header->len) < sizeof(DNSHeader)) {
/* length field bogus, won't even fit a minimal DNS header. */
return ALPROTO_FAILED;
} else if (ntohs(dns_header->len) > ilen) {
int r = DNSTCPRequestParseProbe(input, ilen);
if (r == -1) {
/* probing parser told us "bad data", so it's not
* DNS */
return ALPROTO_FAILED;
} else if (ilen > 512) {
SCLogDebug("all the parser told us was not enough data, which is expected. Lets assume it's DNS");
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
return ALPROTO_DNS;
DNS TCP and UDP parser and DNS response logger
13 years ago
}
SCLogDebug("not yet enough info %u > %u", ntohs(dns_header->len), ilen);
return ALPROTO_UNKNOWN;
}
int r = DNSTCPRequestParseProbe(input, ilen);
if (r != 1)
return ALPROTO_FAILED;
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
SCLogDebug("ALPROTO_DNS");
return ALPROTO_DNS;
DNS TCP and UDP parser and DNS response logger
13 years ago
}
dns (tcp): register a to_client (response) probing parser Just a minimal parser to make sure the data contains at least a header.
9 years ago
/**
* \brief Probing parser for TCP DNS responses.
*
* This is a minimal parser that just checks that the input contains enough
* data for a TCP DNS response.
*/
static uint16_t DNSTcpProbeResponse(uint8_t *input, uint32_t len,
uint32_t *offset)
{
if (len == 0 || len < sizeof(DNSTcpHeader)) {
return ALPROTO_UNKNOWN;
}
DNSTcpHeader *dns_header = (DNSTcpHeader *)input;
if (ntohs(dns_header->len) < sizeof(DNSHeader)) {
return ALPROTO_FAILED;
}
return ALPROTO_DNS;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void RegisterDNSTCPParsers(void)
{
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *proto_name = "dns";
DNS TCP and UDP parser and DNS response logger
13 years ago
/** DNS */
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
AppLayerProtoDetectRegisterProtocol(ALPROTO_DNS, proto_name);
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
if (RunmodeIsUnittests()) {
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerProtoDetectPPRegister(IPPROTO_TCP,
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
"53",
Update rule engine relationship with regard to setting ip protocol between specifying protocol after action, ip_proto and app-layer-protocol. Now we can specify alproto, ip_proto combinations this way alert dns (ip_proto:[tcp/udp];) alert ip (app-layer-protocol:dns;) alert ip (app-layer-protocol:dns; ip_proto:tcp;) alert tcp (app-layer-protocol:dns:) so on. Neater than using dnstcp/dnsudp. This is related to feature #424.
12 years ago
ALPROTO_DNS,
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
0, sizeof(DNSTcpHeader),
STREAM_TOSERVER,
app-layer: support to server and to client probing parsers When registering a probing parser allow to_server and to_client parsers to be registered. Previously the probing parser may be called for both directions which in some cases works OK, but in others can cause the to_client side to be detected as failed.
9 years ago
DNSTcpProbingParser, NULL);
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
} else {
dns: if no (valid) config is found, use defaults This patch will set up probing parsers if no (valid) config is found. Add a warning in those cases.
12 years ago
int have_cfg = AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP,
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
proto_name, ALPROTO_DNS,
0, sizeof(DNSTcpHeader),
dns (tcp): register a to_client (response) probing parser Just a minimal parser to make sure the data contains at least a header.
9 years ago
DNSTcpProbingParser,
DNSTcpProbeResponse);
dns: if no (valid) config is found, use defaults This patch will set up probing parsers if no (valid) config is found. Add a warning in those cases.
12 years ago
/* if we have no config, we enable the default port 53 */
if (!have_cfg) {
SCLogWarning(SC_ERR_DNS_CONFIG, "no DNS TCP config found, "
"enabling DNS detection on "
"port 53.");
AppLayerProtoDetectPPRegister(IPPROTO_TCP, "53",
ALPROTO_DNS, 0, sizeof(DNSTcpHeader),
dns (tcp): register a to_client (response) probing parser Just a minimal parser to make sure the data contains at least a header.
9 years ago
STREAM_TOSERVER, DNSTcpProbingParser,
DNSTcpProbeResponse);
dns: if no (valid) config is found, use defaults This patch will set up probing parsers if no (valid) config is found. Add a warning in those cases.
12 years ago
}
Allow detection ports for alproto to be specified via the conf file. To understand the option have a look at the option app-layer.protocols.tls.detection-ports
12 years ago
}
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
} else {
SCLogInfo("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
if (AppLayerParserConfParserEnabled("tcp", proto_name)) {
AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_DNS, STREAM_TOSERVER,
DNSTCPRequestParse);
AppLayerParserRegisterParser(IPPROTO_TCP , ALPROTO_DNS, STREAM_TOCLIENT,
DNSTCPResponseParse);
AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_DNS, DNSStateAlloc,
DNSStateFree);
AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_DNS,
DNSStateTransactionFree);
AppLayerParserRegisterGetEventsFunc(IPPROTO_TCP, ALPROTO_DNS, DNSGetEvents);
AppLayerParserRegisterHasEventsFunc(IPPROTO_TCP, ALPROTO_DNS, DNSHasEvents);
dns: implement tx de_state
11 years ago
AppLayerParserRegisterDetectStateFuncs(IPPROTO_TCP, ALPROTO_DNS,
app-layer: de_state optimization Add API to bypass expensive TX list walks. This API call is optional. Implement it for HTTP and DNS.
10 years ago
DNSStateHasTxDetectState,
dns: implement tx de_state
11 years ago
DNSGetTxDetectState, DNSSetTxDetectState);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_DNS, DNSGetTx);
AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_DNS, DNSGetTxCnt);
dns: register logger functions
9 years ago
AppLayerParserRegisterLoggerFuncs(IPPROTO_TCP, ALPROTO_DNS, DNSGetTxLogged,
DNSSetTxLogged);
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_DNS,
DNSGetAlstateProgress);
tx: do not store ProgressCompletionStatus per ipproto Change AppLayerParserRegisterGetStateProgressCompletionStatus to only store one ProgressCompletionStatus callback function for each alproto, instead of storing one for each ipproto. This enables us to use AppLayerParserGetStateProgressCompletionStatus in functions where we do not know the ipproto used.
9 years ago
AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_DNS,
App layer API rewritten. The main files in question are: app-layer.[ch], app-layer-detect-proto.[ch] and app-layer-parser.[ch]. Things addressed in this commit: - Brings out a proper separation between protocol detection phase and the parser phase. - The dns app layer now is registered such that we don't use "dnstcp" and "dnsudp" in the rules. A user who previously wrote a rule like this - "alert dnstcp....." or "alert dnsudp....." would now have to use, alert dns (ipproto:tcp;) or alert udp (app-layer-protocol:dns;) or alert ip (ipproto:udp; app-layer-protocol:dns;) The same rules extend to other another such protocol, dcerpc. - The app layer parser api now takes in the ipproto while registering callbacks. - The app inspection/detection engine also takes an ipproto. - All app layer parser functions now take direction as STREAM_TOSERVER or STREAM_TOCLIENT, as opposed to 0 or 1, which was taken by some of the functions. - FlowInitialize() and FlowRecycle() now resets proto to 0. This is needed by unittests, which would try to clean the flow, and that would call the api, AppLayerParserCleanupParserState(), which would try to clean the app state, but the app layer now needs an ipproto to figure out which api to internally call to clean the state, and if the ipproto is 0, it would return without trying to clean the state. - A lot of unittests are now updated where if they are using a flow and they need to use the app layer, we would set a flow ipproto. - The "app-layer" section in the yaml conf has also been updated as well.
12 years ago
DNSGetAlstateProgressCompletionStatus);
DNSAppLayerRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_DNS);
Introduce new options into the conf file to enable/disable - 1. Proto detection 2. Parsers For app layer protocols. libhtp has now been moved to the section under app-layer.protocols.http, but we still provide backward compatibility with older conf files.
12 years ago
} else {
SCLogInfo("Parsed disabled for %s protocol. Protocol detection"
"still on.", proto_name);
}
DNS TCP and UDP parser and DNS response logger
13 years ago
tcp dns: unit test for multi-request buffer
9 years ago
#ifdef UNITTESTS
AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_DNS,
DNSTCPParserRegisterTests);
#endif
Add and use EventGetInfo for getting info on an event. Also update existing parsers and app-layer-event Setup to use this.
12 years ago
return;
DNS TCP and UDP parser and DNS response logger
13 years ago
}
/* UNITTESTS */
#ifdef UNITTESTS
tcp dns: unit test for multi-request buffer
9 years ago
#include "util-unittest-helper.h"
static int DNSTCPParserTestMultiRecord(void)
{
/* This is a buffer containing 20 DNS requests each prefixed by
* the request length for transport over TCP. It was generated with Scapy,
* where each request is:
* DNS(id=i, rd=1, qd=DNSQR(qname="%d.google.com" % i, qtype="A"))
* where i is 0 to 19.
*/
uint8_t req[] = {
0x00, 0x1e, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x30,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x31,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x02, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x32,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x03, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x33,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x04, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x34,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x35,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x06, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x36,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x07, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x37,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x08, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x38,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1e, 0x00, 0x09, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x39,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1f, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x31,
0x30, 0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00,
0x01, 0x00, 0x1f, 0x00, 0x0b, 0x01, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
0x31, 0x31, 0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01,
0x00, 0x01, 0x00, 0x1f, 0x00, 0x0c, 0x01, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x31, 0x32, 0x06, 0x67, 0x6f, 0x6f, 0x67,
0x6c, 0x65, 0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00,
0x01, 0x00, 0x01, 0x00, 0x1f, 0x00, 0x0d, 0x01,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x02, 0x31, 0x33, 0x06, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x03, 0x63, 0x6f, 0x6d, 0x00,
0x00, 0x01, 0x00, 0x01, 0x00, 0x1f, 0x00, 0x0e,
0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x02, 0x31, 0x34, 0x06, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x03, 0x63, 0x6f, 0x6d,
0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x1f, 0x00,
0x0f, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x02, 0x31, 0x35, 0x06, 0x67,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03, 0x63, 0x6f,
0x6d, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x1f,
0x00, 0x10, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x31, 0x36, 0x06,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03, 0x63,
0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x1f, 0x00, 0x11, 0x01, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x31, 0x37,
0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x03,
0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01,
0x00, 0x1f, 0x00, 0x12, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x31,
0x38, 0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00,
0x01, 0x00, 0x1f, 0x00, 0x13, 0x01, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
0x31, 0x39, 0x06, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01,
0x00, 0x01
};
size_t reqlen = sizeof(req);
DNSState *state = DNSStateAlloc();
FAIL_IF_NULL(state);
Flow *f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53);
FAIL_IF_NULL(f);
f->proto = IPPROTO_TCP;
f->alproto = ALPROTO_DNS;
f->alstate = state;
FAIL_IF_NOT(DNSTCPRequestParse(f, f->alstate, NULL, req, reqlen, NULL));
FAIL_IF(state->transaction_max != 20);
UTHFreeFlow(f);
PASS;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
void DNSTCPParserRegisterTests(void)
{
tcp dns: unit test for multi-request buffer
9 years ago
UtRegisterTest("DNSTCPParserTestMultiRecord", DNSTCPParserTestMultiRecord);
DNS TCP and UDP parser and DNS response logger
13 years ago
}
tcp dns: unit test for multi-request buffer
9 years ago
#endif /* UNITTESTS */