dns_query: mpm prefilter engine

9 years ago · 746a169127
parent 9ff5703c49
commit 746a169127
5 changed files with 34 additions and 96 deletions
--- a/src/detect-dns-query.h
+++ b/src/detect-dns-query.h
@ -28,6 +28,4 @@

 void DetectDnsQueryRegister (void);

-uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, void *txv);
-
 #endif /* __DETECT_DNS_QUERY_H__ */
--- a/src/detect-engine-dns.c
+++ b/src/detect-engine-dns.c
@ -1,4 +1,4 @@
-/* Copyright (C) 2013 Open Information Security Foundation
+/* Copyright (C) 2013-2016 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@ -31,6 +31,7 @@
 #include "detect-parse.h"
 #include "detect-engine-state.h"
 #include "detect-engine-content-inspection.h"
+#include "detect-engine-prefilter.h"

 #include "flow-util.h"
 #include "util-debug.h"
@ -94,63 +95,47 @@ int DetectEngineInspectDnsQueryName(ThreadVars *tv,
    return r;
 }

-/**
- * \brief DNS query match -- searches for one pattern per signature.
+/** \brief DNS Query Mpm prefilter callback
 *
- * \param det_ctx   Detection engine thread ctx.
- * \param hrh       Buffer to inspect.
- * \param hrh_len   buffer length.
- * \param flags     Flags
- *
- *  \retval ret Number of matches.
+ *  \param det_ctx detection engine thread ctx
+ *  \param p packet to inspect
+ *  \param f flow to inspect
+ *  \param txv tx to inspect
+ *  \param pectx inspection context
 */
-static inline uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
-        const uint8_t *buffer, const uint32_t buffer_len)
-{
-    SCEnter();
-
-    uint32_t ret = 0;
-
-    DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);
-
-    if (buffer_len >= det_ctx->sgh->mpm_dnsquery_ctx_ts->minlen) {
-        ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
-            Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
-                    &det_ctx->pmq, buffer, buffer_len);
-    }
-
-    SCReturnUInt(ret);
-}
-
-/**
- *  \brief Run the pattern matcher against the queries
- *
- *  \param f locked flow
- *  \param dns_state initialized dns state
- *
- *  \todo what should we return? Just the fact that we matched?
- */
-uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, void *txv)
+static void PrefilterTxDnsQuery(DetectEngineThreadCtx *det_ctx,
+        const void *pectx,
+        Packet *p, Flow *f, void *txv,
+        const uint64_t idx, const uint8_t flags)
 {
    SCEnter();

+    const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
    DNSTransaction *tx = (DNSTransaction *)txv;
    DNSQueryEntry *query = NULL;
-    uint8_t *buffer;
-    uint16_t buffer_len;
-    uint32_t cnt = 0;

    TAILQ_FOREACH(query, &tx->query_list, next) {
        SCLogDebug("tx %p query %p", tx, query);

-        buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
-        buffer_len = query->len;
+        const uint8_t *buffer =
+            (const uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
+        const uint32_t buffer_len = query->len;

-        cnt += DnsQueryPatternSearch(det_ctx,
-                buffer, buffer_len);
+        if (buffer_len >= mpm_ctx->minlen) {
+            (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+                    &det_ctx->mtcu, &det_ctx->pmq,
+                    buffer, buffer_len);
+        }
    }
+}
+
+int PrefilterTxDnsQueryRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx)
+{
+    SCEnter();

-    SCReturnUInt(cnt);
+    return PrefilterAppendTxEngine(sgh, PrefilterTxDnsQuery,
+        ALPROTO_DNS, 1,
+        mpm_ctx, NULL);
 }

 int DetectEngineInspectDnsRequest(ThreadVars *tv,
--- a/src/detect-engine-dns.h
+++ b/src/detect-engine-dns.h
@ -23,6 +23,8 @@
 #ifndef __DETECT_ENGINE_DNS_H__
 #define __DETECT_ENGINE_DNS_H__

+int PrefilterTxDnsQueryRegister(SigGroupHead *sgh, MpmCtx *mpm_ctx);
+
 int DetectEngineInspectDnsQueryName(ThreadVars *, DetectEngineCtx *de_ctx,
                                    DetectEngineThreadCtx *, Signature *,
                                    Flow *, uint8_t, void *, void *, uint64_t);
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@ -51,6 +51,7 @@
 #include "detect-engine-payload.h"
 #include "detect-engine-uri.h"
 #include "detect-engine-hmd.h"
+#include "detect-engine-dns.h"

 #include "stream.h"

@ -112,7 +113,8 @@ AppLayerMpms app_mpms[] = {
    { "http_cookie", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, NULL, 15},
    { "http_cookie", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_HCDMATCH, SIG_GROUP_HEAD_MPM_HCD, NULL, 16},

-    { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH, SIG_GROUP_HEAD_MPM_DNSQUERY, NULL, 17},
+    { "dns_query", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_DNSQUERYNAME_MATCH,
+        SIG_GROUP_HEAD_MPM_DNSQUERY, PrefilterTxDnsQueryRegister, 17},

    { "tls_sni", 0, SIG_FLAG_TOSERVER, DETECT_SM_LIST_TLSSNI_MATCH, SIG_GROUP_HEAD_MPM_TLSSNI, NULL, 18},
    { "tls_cert_issuer", 0, SIG_FLAG_TOCLIENT, DETECT_SM_LIST_TLSISSUER_MATCH, SIG_GROUP_HEAD_MPM_TLSISSUER, NULL, 19},
--- a/src/detect.c
+++ b/src/detect.c
@ -999,30 +999,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
                    }
                }
            } /* for */
-        }
-        /* all dns based mpms */
-        else if (alproto == ALPROTO_DNS && has_state) {
-            if (p->flowflags & FLOW_PKT_TOSERVER) {
-                if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_DNSQUERY) {
-                    void *alstate = FlowGetAppState(p->flow);
-                    if (alstate == NULL) {
-                        SCLogDebug("no alstate");
-                        return;
-                    }
-
-                    uint64_t idx = AppLayerParserGetTransactionInspectId(p->flow->alparser, flags);
-                    uint64_t total_txs = AppLayerParserGetTxCnt(p->flow->proto, alproto, alstate);
-                    for (; idx < total_txs; idx++) {
-                        void *tx = AppLayerParserGetTx(p->flow->proto, alproto, alstate, idx);
-                        if (tx == NULL)
-                            continue;
-
-                        PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_DNSQUERY);
-                        DetectDnsQueryInspectMpm(det_ctx, tx);
-                        PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_DNSQUERY);
-                    }
-                }
-            }
        } else if (alproto == ALPROTO_TLS && has_state) {
            void *alstate = FlowGetAppState(p->flow);
            if (alstate == NULL) {
@ -1075,31 +1051,6 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
    } else {
        SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
    }
-    /* UDP DNS inspection is independent of est or not */
-    if (alproto == ALPROTO_DNS && has_state) {
-        if (p->flowflags & FLOW_PKT_TOSERVER) {
-            SCLogDebug("mpm inspection");
-            if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_DNSQUERY) {
-                void *alstate = FlowGetAppState(p->flow);
-                if (alstate == NULL) {
-                    SCLogDebug("no alstate");
-                    return;
-                }
-
-                uint64_t idx = AppLayerParserGetTransactionInspectId(p->flow->alparser, flags);
-                uint64_t total_txs = AppLayerParserGetTxCnt(p->flow->proto, alproto, alstate);
-                for (; idx < total_txs; idx++) {
-                    void *tx = AppLayerParserGetTx(p->flow->proto, alproto, alstate, idx);
-                    if (tx == NULL)
-                        continue;
-                    SCLogDebug("tx %p",tx);
-                    PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_DNSQUERY);
-                    DetectDnsQueryInspectMpm(det_ctx, tx);
-                    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_DNSQUERY);
-                }
-            }
-        }
-    }

    /* Sort the rule list to lets look at pmq.
     * NOTE due to merging of 'stream' pmqs we *MAY* have duplicate entries */