|  |  | @ -1,4 +1,4 @@ | 
			
		
	
		
		
			
				
					
					|  |  |  | /* Copyright (C) 2013 Open Information Security Foundation
 |  |  |  | /* Copyright (C) 2013-2016 Open Information Security Foundation
 | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  * |  |  |  |  * | 
			
		
	
		
		
			
				
					
					|  |  |  |  * You can copy, redistribute or modify this Program under the terms of |  |  |  |  * You can copy, redistribute or modify this Program under the terms of | 
			
		
	
		
		
			
				
					
					|  |  |  |  * the GNU General Public License version 2 as published by the Free |  |  |  |  * the GNU General Public License version 2 as published by the Free | 
			
		
	
	
		
		
			
				
					|  |  | @ -31,6 +31,7 @@ | 
			
		
	
		
		
			
				
					
					|  |  |  | #include "detect-parse.h" |  |  |  | #include "detect-parse.h" | 
			
		
	
		
		
			
				
					
					|  |  |  | #include "detect-engine-state.h" |  |  |  | #include "detect-engine-state.h" | 
			
		
	
		
		
			
				
					
					|  |  |  | #include "detect-engine-content-inspection.h" |  |  |  | #include "detect-engine-content-inspection.h" | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | #include "detect-engine-prefilter.h" | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | #include "flow-util.h" |  |  |  | #include "flow-util.h" | 
			
		
	
		
		
			
				
					
					|  |  |  | #include "util-debug.h" |  |  |  | #include "util-debug.h" | 
			
		
	
	
		
		
			
				
					|  |  | @ -94,63 +95,47 @@ int DetectEngineInspectDnsQueryName(ThreadVars *tv, | 
			
		
	
		
		
			
				
					
					|  |  |  |     return r; |  |  |  |     return r; | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  | /** \brief DNS Query Mpm prefilter callback
 | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |  * \brief DNS query match -- searches for one pattern per signature. |  |  |  |  | 
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  * |  |  |  |  * | 
			
		
	
		
		
			
				
					
					|  |  |  |  * \param det_ctx   Detection engine thread ctx. |  |  |  |  *  \param det_ctx detection engine thread ctx | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |  * \param hrh       Buffer to inspect. |  |  |  |  *  \param p packet to inspect | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |  * \param hrh_len   buffer length. |  |  |  |  *  \param f flow to inspect | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |  * \param flags     Flags |  |  |  |  *  \param txv tx to inspect | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |  * |  |  |  |  *  \param pectx inspection context | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |  *  \retval ret Number of matches. |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  */ |  |  |  |  */ | 
			
		
	
		
		
			
				
					
					|  |  |  | static inline uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, |  |  |  | static void PrefilterTxDnsQuery(DetectEngineThreadCtx *det_ctx, | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         const uint8_t *buffer, const uint32_t buffer_len) |  |  |  |         const void *pectx, | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  | { |  |  |  |         Packet *p, Flow *f, void *txv, | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |     SCEnter(); |  |  |  |         const uint64_t idx, const uint8_t flags) | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     uint32_t ret = 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     if (buffer_len >= det_ctx->sgh->mpm_dnsquery_ctx_ts->minlen) { |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |         ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type]. |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |             Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu, |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |                     &det_ctx->pmq, buffer, buffer_len); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     SCReturnUInt(ret); |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | /**
 |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  *  \brief Run the pattern matcher against the queries |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  * |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  *  \param f locked flow |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  *  \param dns_state initialized dns state |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  * |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  *  \todo what should we return? Just the fact that we matched? |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |  */ |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, void *txv) |  |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  | { |  |  |  | { | 
			
		
	
		
		
			
				
					
					|  |  |  |     SCEnter(); |  |  |  |     SCEnter(); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     const MpmCtx *mpm_ctx = (MpmCtx *)pectx; | 
			
		
	
		
		
			
				
					
					|  |  |  |     DNSTransaction *tx = (DNSTransaction *)txv; |  |  |  |     DNSTransaction *tx = (DNSTransaction *)txv; | 
			
		
	
		
		
			
				
					
					|  |  |  |     DNSQueryEntry *query = NULL; |  |  |  |     DNSQueryEntry *query = NULL; | 
			
		
	
		
		
			
				
					
					|  |  |  |     uint8_t *buffer; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     uint16_t buffer_len; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  |     uint32_t cnt = 0; |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     TAILQ_FOREACH(query, &tx->query_list, next) { |  |  |  |     TAILQ_FOREACH(query, &tx->query_list, next) { | 
			
		
	
		
		
			
				
					
					|  |  |  |         SCLogDebug("tx %p query %p", tx, query); |  |  |  |         SCLogDebug("tx %p query %p", tx, query); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |         buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry)); |  |  |  |         const uint8_t *buffer = | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |         buffer_len = query->len; |  |  |  |             (const uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry)); | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |         const uint32_t buffer_len = query->len; | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |         cnt += DnsQueryPatternSearch(det_ctx, |  |  |  |         if (buffer_len >= mpm_ctx->minlen) { | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |  |                 buffer, buffer_len); |  |  |  |             (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, | 
			
				
				
			
		
	
		
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |                     &det_ctx->mtcu, &det_ctx->pmq, | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |                     buffer, buffer_len); | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |         } | 
			
		
	
		
		
			
				
					
					|  |  |  |     } |  |  |  |     } | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | int PrefilterTxDnsQueryRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx) | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | { | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |     SCEnter(); | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |     SCReturnUInt(cnt); |  |  |  |     return PrefilterAppendTxEngine(sgh, PrefilterTxDnsQuery, | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |         ALPROTO_DNS, 1, | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  |         mpm_ctx, NULL); | 
			
		
	
		
		
			
				
					
					|  |  |  | } |  |  |  | } | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | int DetectEngineInspectDnsRequest(ThreadVars *tv, |  |  |  | int DetectEngineInspectDnsRequest(ThreadVars *tv, | 
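Review bot: The new PrefilterTxDnsQuery dereferences `mpm_ctx->minlen` inside the TAILQ_FOREACH loop with no replacement for the `DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL)` guard that this hunk removes together with DnsQueryPatternSearch; since `pectx` now arrives through the generic prefilter callback interface rather than from `det_ctx->sgh`, a `DEBUG_VALIDATE_BUG_ON(mpm_ctx == NULL);` right after the cast would preserve the same debug-build check. The cast can also be written `const MpmCtx *mpm_ctx = (const MpmCtx *)pectx;` instead of stripping const from a `const void *` only to reassign it to a const pointer. The doxygen block above the callback documents `p`, `f`, `txv` and `pectx` but omits `idx` and `flags`, and of the documented parameters only `txv` and `pectx` are read in the body, so a `\param idx` and `\param flags` line each (noting they are unused by this engine) would complete the contract. The bare `1` passed to PrefilterAppendTxEngine in PrefilterTxDnsQueryRegister is a magic literal; if it encodes a tx progress state or direction, a named constant would document that, though its meaning cannot be confirmed from this hunk.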
			
		
	
	
		
		
			
				
					|  |  | 
 |