aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c54fc7f98f'
${ noResults }
suricata/rust/src/dns/log.rs

212 lines
6.1 KiB
Rust
Raw Normal View History Unescape Escape

rust: DNS app-layer. A DNS application layer in Rust. This is different than the C based one, as it is partially stateless by not matching up responses to replies.
8 years ago
/* Copyright (C) 2017 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
extern crate libc;
use std;
use std::string::String;
use json::*;
use dns::dns::*;
use log::*;
rust: lua support for DNS based Rust Uses Rust wrappers around Lua to populate Lua data structures.
8 years ago
pub fn dns_rrtype_string(rrtype: u16) -> String {
rust: DNS app-layer. A DNS application layer in Rust. This is different than the C based one, as it is partially stateless by not matching up responses to replies.
8 years ago
match rrtype {
DNS_RTYPE_A => "A",
DNS_RTYPE_CNAME => "CNAME",
DNS_RTYPE_SOA => "SOA",
DNS_RTYPE_PTR => "PTR",
DNS_RTYPE_MX => "MX",
DNS_RTYPE_SSHFP => "SSHFP",
DNS_RTYPE_RRSIG => "RRSIG",
_ => {
return rrtype.to_string();
}
}.to_string()
}
fn dns_rcode_string(flags: u16) -> String {
match flags & 0x000f {
DNS_RCODE_NOERROR => "NOERROR",
DNS_RCODE_FORMERR => "FORMERR",
DNS_RCODE_NXDOMAIN => "NXDOMAIN",
_ => {
return (flags & 0x000f).to_string();
}
}.to_string()
}
/// Format bytes as an IP address string.
rust: lua support for DNS based Rust Uses Rust wrappers around Lua to populate Lua data structures.
8 years ago
pub fn dns_print_addr(addr: &Vec<u8>) -> std::string::String {
rust: DNS app-layer. A DNS application layer in Rust. This is different than the C based one, as it is partially stateless by not matching up responses to replies.
8 years ago
if addr.len() == 4 {
return format!("{}.{}.{}.{}", addr[0], addr[1], addr[2], addr[3]);
}
else if addr.len() == 16 {
return format!("{}{}:{}{}:{}{}:{}{}:{}{}:{}{}:{}{}:{}{}",
addr[0],
addr[1],
addr[2],
addr[3],
addr[4],
addr[5],
addr[6],
addr[7],
addr[8],
addr[9],
addr[10],
addr[11],
addr[12],
addr[13],
addr[14],
addr[15]);
}
else {
return "".to_string();
}
}
/// Log the SSHPF in an DNSAnswerEntry.
fn dns_log_sshfp(js: &Json, answer: &DNSAnswerEntry)
{
// Need at least 3 bytes - TODO: log something if we don't?
if answer.data_len < 3 {
return;
}
let sshfp = Json::object();
let mut hex = Vec::new();
for byte in &answer.data[2..] {
hex.push(format!("{:02x}", byte));
}
sshfp.set_string("fingerprint", &hex.join(":"));
sshfp.set_integer("algo", answer.data[0] as u64);
sshfp.set_integer("type", answer.data[1] as u64);
js.set("sshfp", sshfp);
}
#[no_mangle]
pub extern "C" fn rs_dns_log_json_query(tx: &mut DNSTransaction,
i: libc::uint16_t)
-> *mut JsonT
{
SCLogDebug!("rs_dns_log_json_query: tx_id={}, i={}", tx.id, i);
let index = i as usize;
for request in &tx.request {
if index < request.queries.len() {
let query = &request.queries[index];
let js = Json::object();
js.set_string("type", "query");
js.set_integer("id", request.header.tx_id as u64);
js.set_string("rrname", query.name());
js.set_string("rrtype", &dns_rrtype_string(query.rrtype));
js.set_integer("tx_id", tx.id - 1);
return js.unwrap();
}
}
return std::ptr::null_mut();
}
fn dns_log_json_answer(header: &DNSHeader, answer: &DNSAnswerEntry)
-> Json
{
let js = Json::object();
js.set_string("type", "answer");
js.set_integer("id", header.tx_id as u64);
js.set_string("rcode", &dns_rcode_string(header.flags));
js.set_string("rrname", answer.name());
js.set_string("rrtype", &dns_rrtype_string(answer.rrtype));
js.set_integer("ttl", answer.ttl as u64);
match answer.rrtype {
DNS_RTYPE_A | DNS_RTYPE_AAAA => {
js.set_string("rdata", &dns_print_addr(&answer.data));
}
DNS_RTYPE_CNAME |
DNS_RTYPE_MX |
DNS_RTYPE_PTR => {
js.set_string("rdata", answer.data_to_string());
},
DNS_RTYPE_SSHFP => {
dns_log_sshfp(&js, &answer);
},
_ => {}
}
return js;
}
fn dns_log_json_failure(r: &DNSResponse, index: usize) -> * mut JsonT {
if index >= r.queries.len() {
return std::ptr::null_mut();
}
let ref query = r.queries[index];
let js = Json::object();
js.set_string("type", "answer");
js.set_integer("id", r.header.tx_id as u64);
js.set_string("rcode", &dns_rcode_string(r.header.flags));
js.set_string("rrname", std::str::from_utf8(&query.name[..]).unwrap());
return js.unwrap();
}
#[no_mangle]
pub extern "C" fn rs_dns_log_json_answer(tx: &mut DNSTransaction,
i: libc::uint16_t)
-> *mut JsonT
{
let index = i as usize;
for response in &tx.response {
if response.header.flags & 0x000f > 0 {
if index == 0 {
return dns_log_json_failure(response, index);
}
break;
}
if index >= response.answers.len() {
break;
}
let answer = &response.answers[index];
let js = dns_log_json_answer(&response.header, answer);
return js.unwrap();
}
return std::ptr::null_mut();
}
#[no_mangle]
pub extern "C" fn rs_dns_log_json_authority(tx: &mut DNSTransaction,
i: libc::uint16_t)
-> *mut JsonT
{
let index = i as usize;
for response in &tx.response {
if index >= response.authorities.len() {
break;
}
let answer = &response.authorities[index];
let js = dns_log_json_answer(&response.header, answer);
return js.unwrap();
}
return std::ptr::null_mut();
}