lua: add export of dns.rrname

Add the capability for a lua script to ask for rrname in DNS query.
pull/1184/head
Eric Leblond 11 years ago committed by Victor Julien
parent 74ffa2b264
commit 667b9a5220

@ -321,6 +321,7 @@ util-logopenfile.h util-logopenfile.c \
util-logopenfile-tile.h util-logopenfile-tile.c \
util-lua.c util-lua.h \
util-lua-common.c util-lua-common.h \
util-lua-dns.c util-lua-dns.h \
util-lua-http.c util-lua-http.h \
util-magic.c util-magic.h \
util-memcmp.c util-memcmp.h \

@ -65,6 +65,7 @@
#include "util-lua.h"
#include "util-lua-common.h"
#include "util-lua-http.h"
#include "util-lua-dns.h"
static const char luaext_key_ld[] = "suricata:luajitdata";
static const char luaext_key_det_ctx[] = "suricata:det_ctx";
@ -613,6 +614,7 @@ int LuaRegisterExtensions(lua_State *lua_state)
LuaRegisterFunctions(lua_state);
LuaRegisterHttpFunctions(lua_state);
LuaRegisterDnsFunctions(lua_state);
return 0;
}

@ -155,6 +155,8 @@ void DetectLuaRegister(void)
#define DATATYPE_HTTP_RESPONSE_HEADERS (1<<13)
#define DATATYPE_HTTP_RESPONSE_HEADERS_RAW (1<<14)
#define DATATYPE_DNS_RRNAME (1<<15)
#ifdef HAVE_LUAJIT
static void *LuaStatePoolAlloc(void)
{
@ -938,7 +940,22 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld)
SCLogError(SC_ERR_LUA_ERROR, "alloc error");
goto error;
}
} else if (strncmp(k, "dns", 3) == 0 && strcmp(v, "true") == 0) {
ld->alproto = ALPROTO_DNS;
if (strcmp(k, "dns.rrname") == 0)
ld->flags |= DATATYPE_DNS_RRNAME;
else {
SCLogError(SC_ERR_LUA_ERROR, "unsupported dns data type %s", k);
goto error;
}
ld->buffername = SCStrdup(k);
if (ld->buffername == NULL) {
SCLogError(SC_ERR_LUA_ERROR, "alloc error");
goto error;
}
} else {
SCLogError(SC_ERR_LUA_ERROR, "unsupported data type %s", k);
goto error;
@ -1026,6 +1043,8 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
else
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
} else if (luajit->alproto == ALPROTO_DNS) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSQUERY_MATCH);
} else {
SCLogError(SC_ERR_LUA_ERROR, "luajit can't be used with protocol %s",
AppLayerGetProtoName(luajit->alproto));
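Review bot: In the DetectLuaSetupPrime hunk the new branch is entered on `strncmp(k, "dns", 3) == 0`, so any key that merely begins with `dns` (a constructed example: `dnsfoo`) is handled as a DNS key, and `ld->alproto = ALPROTO_DNS;` is assigned before the key has been validated. The rejected case does `goto error`, so this is probably harmless as long as the error path discards `ld`, but that path is outside the hunk. Comparing against `"dns."` with length 4 and moving the alproto assignment into the `dns.rrname` branch would keep a rejected key from leaving state behind. The unbraced `if` paired with a braced `else` in the same hunk is also worth normalising to braces on both arms.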

@ -0,0 +1,100 @@
/* Copyright (C) 2014 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Eric Leblond <eric@regit.org>
*
*/
#include "suricata-common.h"
#include "debug.h"
#include "detect.h"
#include "pkt-var.h"
#include "conf.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "output.h"
#include "app-layer-dns-common.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "util-privs.h"
#include "util-buffer.h"
#include "util-proto-name.h"
#include "util-logopenfile.h"
#include "util-time.h"
#ifdef HAVE_LUA
#include <lua.h>
#include <lualib.h>
#include <lauxlib.h>
#include "util-lua.h"
#include "util-lua-common.h"
static int DnsGetDnsRrname(lua_State *luastate)
{
if (!(LuaStateNeedProto(luastate, ALPROTO_DNS)))
return LuaCallbackError(luastate, "error: protocol not dns");
DNSTransaction *tx = LuaStateGetTX(luastate);
if (tx == NULL)
return LuaCallbackError(luastate, "internal error: no tx");
DNSQueryEntry *query = NULL;
TAILQ_FOREACH(query, &tx->query_list, next) {
char *c;
size_t input_len;
c = BytesToString((uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry)), query->len);
if (c != NULL) {
int ret;
input_len = strlen(c);
/* sanity check */
if (input_len > (size_t)(2 * query->len)) {
SCFree(c);
return LuaCallbackError(luastate, "invalid length");
}
ret = LuaPushStringBuffer(luastate, (uint8_t *)c, input_len);
SCFree(c);
return ret;
}
}
return LuaCallbackError(luastate, "no query");
}
/** \brief register http lua extensions in a luastate */
int LuaRegisterDnsFunctions(lua_State *luastate)
{
/* registration of the callbacks */
lua_pushcfunction(luastate, DnsGetDnsRrname);
lua_setglobal(luastate, "DnsGetDnsRrname");
return 0;
}
#endif /* HAVE_LUA */
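Review bot: DnsGetDnsRrname returns from inside the TAILQ_FOREACH on the first entry that converts and takes the exported length from `strlen(c)`, so a script sees only one rrname per transaction, and the name is cut at the first NUL if BytesToString (not shown here) copies wire bytes verbatim. The name comes straight from network traffic, so a rule script could end up matching on less than what was on the wire; passing the entry's bytes with `query->len` to LuaPushStringBuffer, or documenting the escaping that the `2 * query->len` check appears to assume, would make the contract explicit. A NULL from BytesToString is silently skipped and surfaces as "no query", which hides an allocation failure from the script author. The function has no doc comment, and the one on LuaRegisterDnsFunctions is a copy-paste leftover that should read `/** \brief register dns lua extensions in a luastate */`.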

@ -0,0 +1,33 @@
/* Copyright (C) 2014 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Eric Leblond <eric@regit.org>
*/
#ifndef __UTIL_LUA_DNS_H__
#define __UTIL_LUA_DNS_H__
#ifdef HAVE_LUA
int LuaRegisterDnsFunctions(lua_State *luastate);
#endif /* HAVE_LUA */
#endif /* __UTIL_LUA_HTTP_H__ */
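Review bot: The closing comment on the include guard names the wrong macro, `#endif /* __UTIL_LUA_HTTP_H__ */`, apparently carried over from the HTTP header; it should be `#endif /* __UTIL_LUA_DNS_H__ */`. The prototype also uses `lua_State` although the header includes nothing itself, so it compiles only where the includer has already pulled in the Lua headers. A short comment stating that requirement next to the `#ifdef HAVE_LUA` would save the next includer a confusing error.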