diff --git a/src/detect-dns-query.h b/src/detect-dns-query.h
index 4065c41034..ef6dac2c91 100644
--- a/src/detect-dns-query.h
+++ b/src/detect-dns-query.h
@@ -28,6 +28,4 @@ void DetectDnsQueryRegister (void);
-uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, void *txv);
-
 #endif /* __DETECT_DNS_QUERY_H__ */
diff --git a/src/detect-engine-dns.c b/src/detect-engine-dns.c
index f3441e1afc..fafb6987b0 100644
--- a/src/detect-engine-dns.c
+++ b/src/detect-engine-dns.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2013 Open Information Security Foundation
+/* Copyright (C) 2013-2016 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -31,6 +31,7 @@
 #include "detect-parse.h"
 #include "detect-engine-state.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-prefilter.h"
 #include "flow-util.h"
 #include "util-debug.h"
@@ -94,63 +95,47 @@ int DetectEngineInspectDnsQueryName(ThreadVars *tv,
 return r;
 }
-/**
- * \brief DNS query match -- searches for one pattern per signature.
+/** \brief DNS Query Mpm prefilter callback
 *
- * \param det_ctx Detection engine thread ctx.
- * \param hrh Buffer to inspect.
- * \param hrh_len buffer length.
- * \param flags Flags
- *
- * \retval ret Number of matches.
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ * \param f flow to inspect
+ * \param txv tx to inspect
+ * \param pectx inspection context
 */
-static inline uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
- const uint8_t *buffer, const uint32_t buffer_len)
-{
- SCEnter();
-
- uint32_t ret = 0;
-
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);
-
- if (buffer_len >= det_ctx->sgh->mpm_dnsquery_ctx_ts->minlen) {
- ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, buffer, buffer_len);
- }
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Run the pattern matcher against the queries
- *
- * \param f locked flow
- * \param dns_state initialized dns state
- *
- * \todo what should we return? Just the fact that we matched?
- */
-uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, void *txv)
+static void PrefilterTxDnsQuery(DetectEngineThreadCtx *det_ctx,
+ const void *pectx,
+ Packet *p, Flow *f, void *txv,
+ const uint64_t idx, const uint8_t flags)
 {
 SCEnter();
+ const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
 DNSTransaction *tx = (DNSTransaction *)txv;
 DNSQueryEntry *query = NULL;
- uint8_t *buffer;
- uint16_t buffer_len;
- uint32_t cnt = 0;
 TAILQ_FOREACH(query, &tx->query_list, next) {
 SCLogDebug("tx %p query %p", tx, query);
- buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
- buffer_len = query->len;
+ const uint8_t *buffer =
+ (const uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
+ const uint32_t buffer_len = query->len;
- cnt += DnsQueryPatternSearch(det_ctx,
- buffer, buffer_len);
+ if (buffer_len >= mpm_ctx->minlen) {
+ (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtcu, &det_ctx->pmq,
+ buffer, buffer_len);
+ }
 }
+}
+
+int PrefilterTxDnsQueryRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+ SCEnter();
- SCReturnUInt(cnt);
+ return PrefilterAppendTxEngine(sgh, PrefilterTxDnsQuery,
+ ALPROTO_DNS, 1,
+ mpm_ctx, NULL);
 }
 int DetectEngineInspectDnsRequest(ThreadVars *tv,
diff --git a/src/detect-engine-dns.h b/src/detect-engine-dns.h
index 801a22d421..5b2367a660 100644
--- a/src/detect-engine-dns.h
+++ b/src/detect-engine-dns.h
@@ -23,6 +23,8 @@
 #ifndef __DETECT_ENGINE_DNS_H__
 #define __DETECT_ENGINE_DNS_H__
+int PrefilterTxDnsQueryRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
+
 int DetectEngineInspectDnsQueryName(ThreadVars *, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *, Signature *, Flow *, uint8_t, void *, void *, uint64_t);
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 165d48c668..6ad75e8624 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
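Review bot: `const MpmCtx *mpm_ctx = (MpmCtx *)pectx;` in PrefilterTxDnsQuery casts the const off `pectx` only to hand the pointer back to a const-qualified variable; `const MpmCtx *mpm_ctx = (const MpmCtx *)pectx;` keeps the qualifier so an accidental write through `mpm_ctx` is rejected by the compiler. The removed DnsQueryPatternSearch guarded its dereference with `DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);`, but the new callback reads `mpm_ctx->minlen` with no equivalent; adding `DEBUG_VALIDATE_BUG_ON(mpm_ctx == NULL);` right after the cast preserves that debug-build sanity check. Both new functions open with `SCEnter()` yet PrefilterTxDnsQuery falls off its end and PrefilterTxDnsQueryRegister uses a bare `return`, whereas the code this replaces paired SCEnter with SCReturnUInt; `SCReturn;` and `SCReturnInt(PrefilterAppendTxEngine(sgh, PrefilterTxDnsQuery, ALPROTO_DNS, 1, mpm_ctx, NULL));` would keep the file's convention. The PACKET_PROFILING_DETECT_START/END(p, PROF_DETECT_MPM_DNSQUERY) pair dropped from detect.c is not reinstated in the callback, and whether the generic tx prefilter loop profiles this engine is outside the hunk, so it is worth confirming that counter does not go dead.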
@@ -51,6 +51,7 @@
 #include "detect-engine-payload.h"
 #include "detect-engine-uri.h"
 #include "detect-engine-hmd.h"
+#include "detect-engine-dns.h"
 #include "stream.h"
@@ -112,7 +113,8 @@ AppLayerMpms app_mpms[] = {
 { "http_cookie", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, NULL, 15},
 { "http_cookie", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, NULL, 16},
- { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, SIG_GROUP_HEAD_MPM_DNSQUERY, NULL, 17},
+ { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH,
+ SIG_GROUP_HEAD_MPM_DNSQUERY, PrefilterTxDnsQueryRegister, 17},
 { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, NULL, 18},
 { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, NULL, 19},
diff --git a/src/detect.c b/src/detect.c
index 6b5b70b649..57a023791f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -999,30 +999,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 }
 }
 } /* for */
- }
- /* all dns based mpms */
- else if (alproto == ALPROTO_DNS && has_state) {
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_DNSQUERY) {
- void *alstate = FlowGetAppState(p->flow);
- if (alstate == NULL) {
- SCLogDebug("no alstate");
- return;
- }
-
- uint64_t idx = AppLayerParserGetTransactionInspectId(p->flow->alparser, flags);
- uint64_t total_txs = AppLayerParserGetTxCnt(p->flow->proto, alproto, alstate);
- for (; idx < total_txs; idx++) {
- void *tx = AppLayerParserGetTx(p->flow->proto, alproto, alstate, idx);
- if (tx == NULL)
- continue;
-
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_DNSQUERY);
- DetectDnsQueryInspectMpm(det_ctx, tx);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_DNSQUERY);
- }
- }
- }
 } else if (alproto == ALPROTO_TLS && has_state) {
 void *alstate = FlowGetAppState(p->flow);
 if (alstate == NULL) {
@@ -1075,31 +1051,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
 } else {
 SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
 }
- /* UDP DNS inspection is independent of est or not */
- if (alproto == ALPROTO_DNS && has_state) {
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- SCLogDebug("mpm inspection");
- if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_DNSQUERY) {
- void *alstate = FlowGetAppState(p->flow);
- if (alstate == NULL) {
- SCLogDebug("no alstate");
- return;
- }
-
- uint64_t idx = AppLayerParserGetTransactionInspectId(p->flow->alparser, flags);
- uint64_t total_txs = AppLayerParserGetTxCnt(p->flow->proto, alproto, alstate);
- for (; idx < total_txs; idx++) {
- void *tx = AppLayerParserGetTx(p->flow->proto, alproto, alstate, idx);
- if (tx == NULL)
- continue;
- SCLogDebug("tx %p",tx);
- PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_DNSQUERY);
- DetectDnsQueryInspectMpm(det_ctx, tx);
- PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_DNSQUERY);
- }
- }
- }
- }
 /* Sort the rule list to lets look at pmq.
 * NOTE due to merging of 'stream' pmqs we *MAY* have duplicate entries */