use std;
use std::ffi::CString;
-use std::mem::transmute;
use std::collections::HashMap;
use std::collections::VecDeque;
use crate::applayer::*;
-use crate::core::{self, AppProto, ALPROTO_UNKNOWN, IPPROTO_UDP, IPPROTO_TCP};
+use crate::core::{self, *};
use crate::dns::parser;
-use nom::IResult;
-use nom::number::streaming::be_u16;
+use nom7::{Err, IResult};
+use nom7::number::streaming::be_u16;
/// DNS record types.
pub const DNS_RECORD_TYPE_A : u16 = 1;
pub const DNS_RCODE_BADTRUNC: u16 = 22;
-/// The maximum number of transactions to keep in the queue pending
-/// processing before they are aggressively purged. Due to the
-/// stateless nature of this parser this is rarely needed, especially
-/// when one call to parse a request parses and a single request, and
-/// likewise for responses.
-///
-/// Where this matters is when one TCP buffer contains multiple
-/// requests are responses and one call into the parser creates
-/// multiple transactions. In this case we have to hold onto
-/// transactions longer than until handling the next transaction so it
-/// gets logged.
-const MAX_TRANSACTIONS: usize = 32;
-
static mut ALPROTO_DNS: AppProto = ALPROTO_UNKNOWN;
-#[repr(u32)]
+#[derive(Debug, PartialEq, AppLayerEvent)]
pub enum DNSEvent {
- MalformedData = 0,
- NotRequest = 1,
- NotResponse = 2,
- ZFlagSet = 3,
-}
-
-impl DNSEvent {
- pub fn to_cstring(&self) -> &str {
- match *self {
- DNSEvent::MalformedData => "MALFORMED_DATA\0",
- DNSEvent::NotRequest => "NOT_A_REQUEST\0",
- DNSEvent::NotResponse => "NOT_A_RESPONSE\0",
- DNSEvent::ZFlagSet => "Z_FLAG_SET\0",
- }
- }
-
- pub fn from_id(id: u32) -> Option<DNSEvent> {
- match id {
- 0 => Some(DNSEvent::MalformedData),
- 1 => Some(DNSEvent::NotRequest),
- 2 => Some(DNSEvent::NotResponse),
- 4 => Some(DNSEvent::ZFlagSet),
- _ => None,
- }
- }
-
- pub fn from_string(s: &str) -> Option<DNSEvent> {
- match s.to_lowercase().as_ref() {
- "malformed_data" => Some(DNSEvent::MalformedData),
- "not_a_request" => Some(DNSEvent::NotRequest),
- "not_a_response" => Some(DNSEvent::NotRequest),
- "z_flag_set" => Some(DNSEvent::ZFlagSet),
- _ => None
- }
- }
-}
-
-#[no_mangle]
-pub extern "C" fn rs_dns_state_get_event_info_by_id(
- event_id: std::os::raw::c_int,
- event_name: *mut *const std::os::raw::c_char,
- event_type: *mut core::AppLayerEventType,
-) -> i8 {
- if let Some(e) = DNSEvent::from_id(event_id as u32) {
- unsafe {
- *event_name = e.to_cstring().as_ptr() as *const std::os::raw::c_char;
- *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION;
- }
- return 0;
- }
- return -1;
-}
-
-#[no_mangle]
-pub extern "C" fn rs_dns_state_get_event_info(
- event_name: *const std::os::raw::c_char,
- event_id: *mut std::os::raw::c_int,
- event_type: *mut core::AppLayerEventType
-) -> std::os::raw::c_int {
- if event_name == std::ptr::null() {
- return -1;
- }
-
- let event_name = unsafe { std::ffi::CStr::from_ptr(event_name) };
- if let Ok(event_name) = event_name.to_str() {
- if let Some(event) = DNSEvent::from_string(event_name) {
- unsafe {
- *event_id = event as std::os::raw::c_int;
- *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION;
- }
- } else {
- // Unknown event...
- return -1;
- }
- } else {
- // UTF-8 conversion failed. Should not happen.
- return -1;
- }
-
- return 0;
+ MalformedData,
+ NotRequest,
+ NotResponse,
+ ZFlagSet,
}
#[derive(Debug,PartialEq)]
pub fingerprint: Vec<u8>,
}
+#[derive(Debug,PartialEq)]
+pub struct DNSRDataSRV {
+ /// Priority
+ pub priority: u16,
+ /// Weight
+ pub weight: u16,
+ /// Port
+ pub port: u16,
+ /// Target
+ pub target: Vec<u8>,
+}
+
/// Represents RData of various formats
#[derive(Debug,PartialEq)]
pub enum DNSRData {
NULL(Vec<u8>),
// RData has several fields
SOA(DNSRDataSOA),
+ SRV(DNSRDataSRV),
SSHFP(DNSRDataSSHFP),
// RData for remaining types is sometimes ignored
Unknown(Vec<u8>),
pub tx_data: AppLayerTxData,
}
+impl Transaction for DNSTransaction {
+ fn id(&self) -> u64 {
+ self.id
+ }
+}
+
impl DNSTransaction {
- pub fn new() -> DNSTransaction {
- return DNSTransaction{
+ pub fn new() -> Self {
+ return Self {
id: 0,
request: None,
response: None,
}
pub fn free(&mut self) {
- if self.events != std::ptr::null_mut() {
+ if !self.events.is_null() {
core::sc_app_layer_decoder_events_free_events(&mut self.events);
}
match self.de_state {
}
}
+#[derive(Default)]
pub struct DNSState {
// Internal transaction ID.
pub tx_id: u64,
gap: bool,
}
+impl State<DNSTransaction> for DNSState {
+ fn get_transactions(&self) -> &[DNSTransaction] {
+ &self.transactions
+ }
+}
+
impl DNSState {
- pub fn new() -> DNSState {
- return DNSState{
- tx_id: 0,
- transactions: Vec::new(),
- events: 0,
- config: None,
- gap: false,
- };
+ pub fn new() -> Self {
+ Default::default()
}
- pub fn new_tcp() -> DNSState {
- return DNSState{
- tx_id: 0,
- transactions: Vec::new(),
- events: 0,
- config: None,
- gap: false,
- };
+ pub fn new_tcp() -> Self {
+ Default::default()
}
pub fn new_tx(&mut self) -> DNSTransaction {
}
}
- // Purges all transactions except one. This is a stateless parser
- // so we don't need to hang onto old transactions.
- //
- // This is to actually handle an edge case where a DNS flood
- // occurs in a single direction with no response packets. In such
- // a case the functions to free a transaction are never called by
- // the app-layer as they require bidirectional traffic.
- pub fn purge(&mut self, tx_id: u64) {
- while self.transactions.len() > MAX_TRANSACTIONS {
- if self.transactions[0].id == tx_id + 1 {
- return;
- }
- SCLogDebug!("Purging DNS TX with ID {}", self.transactions[0].id);
- self.transactions.remove(0);
- }
- }
-
pub fn get_tx(&mut self, tx_id: u64) -> Option<&DNSTransaction> {
SCLogDebug!("get_tx: tx_id={}", tx_id);
- self.purge(tx_id);
for tx in &mut self.transactions {
if tx.id == tx_id + 1 {
SCLogDebug!("Found DNS TX with ID {}", tx_id);
self.transactions.push(tx);
return true;
}
- Err(nom::Err::Incomplete(_)) => {
+ Err(Err::Incomplete(_)) => {
// Insufficient data.
SCLogDebug!("Insufficient data while parsing DNS request");
self.set_event(DNSEvent::MalformedData);
self.transactions.push(tx);
return true;
}
- Err(nom::Err::Incomplete(_)) => {
+ Err(Err::Incomplete(_)) => {
// Insufficient data.
SCLogDebug!("Insufficient data while parsing DNS response");
self.set_event(DNSEvent::MalformedData);
if cur_i.len() == 1 {
return AppLayerResult::incomplete(consumed as u32, 2 as u32);
}
- let size = match be_u16(&cur_i) as IResult<&[u8],u16> {
+ let size = match be_u16(cur_i) as IResult<&[u8],u16> {
Ok((_, len)) => len,
_ => 0
} as usize;
if cur_i.len() == 1 {
return AppLayerResult::incomplete(consumed as u32, 2 as u32);
}
- let size = match be_u16(&cur_i) as IResult<&[u8],u16> {
+ let size = match be_u16(cur_i) as IResult<&[u8],u16> {
Ok((_, len)) => len,
_ => 0
} as usize;
}
}
+const DNS_HEADER_SIZE: usize = 12;
+
+fn probe_header_validity(header: DNSHeader, rlen: usize) -> (bool, bool, bool) {
+ let opcode = ((header.flags >> 11) & 0xf) as u8;
+ if opcode >= 7 {
+ //unassigned opcode
+ return (false, false, false);
+ }
+ if 2 * (header.additional_rr as usize
+ + header.answer_rr as usize
+ + header.authority_rr as usize
+ + header.questions as usize)
+ + DNS_HEADER_SIZE
+ > rlen
+ {
+ //not enough data for such a DNS record
+ return (false, false, false);
+ }
+ let is_request = header.flags & 0x8000 == 0;
+ return (true, is_request, false);
+}
+
/// Probe input to see if it looks like DNS.
-fn probe(input: &[u8]) -> (bool, bool) {
- match parser::dns_parse_request(input) {
+fn probe(input: &[u8], dlen: usize) -> (bool, bool, bool) {
+ let i2 = if input.len() <= dlen { input } else { &input[..dlen] };
+ match parser::dns_parse_request(i2) {
Ok((_, request)) => {
- let is_request = request.header.flags & 0x8000 == 0;
- return (true, is_request);
+ return probe_header_validity(request.header, dlen);
},
- Err(_) => (false, false),
+ Err(Err::Incomplete(_)) => {
+ match parser::dns_parse_header(input) {
+ Ok((_, header)) => {
+ return probe_header_validity(header, dlen);
+ }
+ Err(Err::Incomplete(_)) => (false, false, true),
+ Err(_) => (false, false, false),
+ }
+ }
+ Err(_) => (false, false, false),
}
}
/// Probe TCP input to see if it looks like DNS.
pub fn probe_tcp(input: &[u8]) -> (bool, bool, bool) {
- match be_u16(input) as IResult<&[u8],_> {
- Ok((rem, _)) => {
- let r = probe(rem);
- return (r.0, r.1, false);
+ match be_u16(input) as IResult<&[u8],u16> {
+ Ok((rem, dlen)) => {
+ return probe(rem, dlen as usize);
},
- Err(nom::Err::Incomplete(_)) => {
+ Err(Err::Incomplete(_)) => {
return (false, false, true);
}
_ => {}
pub extern "C" fn rs_dns_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void {
let state = DNSState::new();
let boxed = Box::new(state);
- return unsafe{transmute(boxed)};
+ return Box::into_raw(boxed) as *mut _;
}
/// Returns *mut DNSState
pub extern "C" fn rs_dns_state_tcp_new() -> *mut std::os::raw::c_void {
let state = DNSState::new_tcp();
let boxed = Box::new(state);
- return unsafe{transmute(boxed)};
+ return Box::into_raw(boxed) as *mut _;
}
/// Params:
#[no_mangle]
pub extern "C" fn rs_dns_state_free(state: *mut std::os::raw::c_void) {
// Just unbox...
- let _drop: Box<DNSState> = unsafe{transmute(state)};
+ std::mem::drop(unsafe { Box::from_raw(state as *mut DNSState) });
}
#[no_mangle]
-pub extern "C" fn rs_dns_state_tx_free(state: *mut std::os::raw::c_void,
+pub unsafe extern "C" fn rs_dns_state_tx_free(state: *mut std::os::raw::c_void,
tx_id: u64)
{
let state = cast_pointer!(state, DNSState);
/// C binding parse a DNS request. Returns 1 on success, -1 on failure.
#[no_mangle]
-pub extern "C" fn rs_dns_parse_request(_flow: *const core::Flow,
+pub unsafe extern "C" fn rs_dns_parse_request(_flow: *const core::Flow,
state: *mut std::os::raw::c_void,
_pstate: *mut std::os::raw::c_void,
input: *const u8,
_flags: u8)
-> AppLayerResult {
let state = cast_pointer!(state, DNSState);
- let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)};
+ let buf = std::slice::from_raw_parts(input, input_len as usize);
if state.parse_request(buf) {
AppLayerResult::ok()
} else {
}
#[no_mangle]
-pub extern "C" fn rs_dns_parse_response(_flow: *const core::Flow,
+pub unsafe extern "C" fn rs_dns_parse_response(_flow: *const core::Flow,
state: *mut std::os::raw::c_void,
_pstate: *mut std::os::raw::c_void,
input: *const u8,
_flags: u8)
-> AppLayerResult {
let state = cast_pointer!(state, DNSState);
- let buf = unsafe{std::slice::from_raw_parts(input, input_len as usize)};
+ let buf = std::slice::from_raw_parts(input, input_len as usize);
if state.parse_response(buf) {
AppLayerResult::ok()
} else {
/// C binding parse a DNS request. Returns 1 on success, -1 on failure.
#[no_mangle]
-pub extern "C" fn rs_dns_parse_request_tcp(_flow: *const core::Flow,
+pub unsafe extern "C" fn rs_dns_parse_request_tcp(_flow: *const core::Flow,
state: *mut std::os::raw::c_void,
_pstate: *mut std::os::raw::c_void,
input: *const u8,
-> AppLayerResult {
let state = cast_pointer!(state, DNSState);
if input_len > 0 {
- if input != std::ptr::null_mut() {
- let buf = unsafe{
- std::slice::from_raw_parts(input, input_len as usize)};
+ if !input.is_null() {
+ let buf = std::slice::from_raw_parts(input, input_len as usize);
return state.parse_request_tcp(buf);
}
state.request_gap(input_len);
}
#[no_mangle]
-pub extern "C" fn rs_dns_parse_response_tcp(_flow: *const core::Flow,
+pub unsafe extern "C" fn rs_dns_parse_response_tcp(_flow: *const core::Flow,
state: *mut std::os::raw::c_void,
_pstate: *mut std::os::raw::c_void,
input: *const u8,
-> AppLayerResult {
let state = cast_pointer!(state, DNSState);
if input_len > 0 {
- if input != std::ptr::null_mut() {
- let buf = unsafe{
- std::slice::from_raw_parts(input, input_len as usize)};
+ if !input.is_null() {
+ let buf = std::slice::from_raw_parts(input, input_len as usize);
return state.parse_response_tcp(buf);
}
state.response_gap(input_len);
}
#[no_mangle]
-pub extern "C" fn rs_dns_state_get_tx_count(state: *mut std::os::raw::c_void)
+pub unsafe extern "C" fn rs_dns_state_get_tx_count(state: *mut std::os::raw::c_void)
-> u64
{
let state = cast_pointer!(state, DNSState);
}
#[no_mangle]
-pub extern "C" fn rs_dns_state_get_tx(state: *mut std::os::raw::c_void,
+pub unsafe extern "C" fn rs_dns_state_get_tx(state: *mut std::os::raw::c_void,
tx_id: u64)
-> *mut std::os::raw::c_void
{
let state = cast_pointer!(state, DNSState);
match state.get_tx(tx_id) {
Some(tx) => {
- return unsafe{transmute(tx)};
+ return tx as *const _ as *mut _;
}
None => {
return std::ptr::null_mut();
}
#[no_mangle]
-pub extern "C" fn rs_dns_state_set_tx_detect_state(
+pub extern "C" fn rs_dns_tx_is_request(tx: &mut DNSTransaction) -> bool {
+ tx.request.is_some()
+}
+
+#[no_mangle]
+pub extern "C" fn rs_dns_tx_is_response(tx: &mut DNSTransaction) -> bool {
+ tx.response.is_some()
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_dns_state_set_tx_detect_state(
tx: *mut std::os::raw::c_void,
de_state: &mut core::DetectEngineState) -> std::os::raw::c_int
{
}
#[no_mangle]
-pub extern "C" fn rs_dns_state_get_tx_detect_state(
+pub unsafe extern "C" fn rs_dns_state_get_tx_detect_state(
tx: *mut std::os::raw::c_void)
-> *mut core::DetectEngineState
{
}
#[no_mangle]
-pub extern "C" fn rs_dns_state_get_events(tx: *mut std::os::raw::c_void)
+pub unsafe extern "C" fn rs_dns_state_get_events(tx: *mut std::os::raw::c_void)
-> *mut core::AppLayerDecoderEvents
{
let tx = cast_pointer!(tx, DNSTransaction);
}
#[no_mangle]
-pub extern "C" fn rs_dns_state_get_tx_data(
+pub unsafe extern "C" fn rs_dns_state_get_tx_data(
tx: *mut std::os::raw::c_void)
-> *mut AppLayerTxData
{
}
#[no_mangle]
-pub extern "C" fn rs_dns_tx_get_query_name(tx: &mut DNSTransaction,
- i: u16,
+pub unsafe extern "C" fn rs_dns_tx_get_query_name(tx: &mut DNSTransaction,
+ i: u32,
buf: *mut *const u8,
len: *mut u32)
-> u8
if (i as usize) < request.queries.len() {
let query = &request.queries[i as usize];
if query.name.len() > 0 {
- unsafe {
- *len = query.name.len() as u32;
- *buf = query.name.as_ptr();
- }
+ *len = query.name.len() as u32;
+ *buf = query.name.as_ptr();
return 1;
}
}
}
#[no_mangle]
-pub extern "C" fn rs_dns_tx_get_query_rrtype(tx: &mut DNSTransaction,
+pub unsafe extern "C" fn rs_dns_tx_get_query_rrtype(tx: &mut DNSTransaction,
i: u16,
rrtype: *mut u16)
-> u8
if (i as usize) < request.queries.len() {
let query = &request.queries[i as usize];
if query.name.len() > 0 {
- unsafe {
- *rrtype = query.rrtype;
- }
+ *rrtype = query.rrtype;
return 1;
}
}
}
#[no_mangle]
-pub extern "C" fn rs_dns_probe(
+pub unsafe extern "C" fn rs_dns_probe(
_flow: *const core::Flow,
_dir: u8,
input: *const u8,
if len == 0 || len < std::mem::size_of::<DNSHeader>() as u32 {
return core::ALPROTO_UNKNOWN;
}
- let slice: &[u8] = unsafe {
- std::slice::from_raw_parts(input as *mut u8, len as usize)
- };
- let (is_dns, is_request) = probe(slice);
+ let slice: &[u8] = std::slice::from_raw_parts(input as *mut u8, len as usize);
+ let (is_dns, is_request, _) = probe(slice, slice.len());
if is_dns {
let dir = if is_request {
- core::STREAM_TOSERVER
+ Direction::ToServer
} else {
- core::STREAM_TOCLIENT
+ Direction::ToClient
};
- unsafe {
- *rdir = dir;
- return ALPROTO_DNS;
- }
+ *rdir = dir as u8;
+ return ALPROTO_DNS;
}
return 0;
}
#[no_mangle]
-pub extern "C" fn rs_dns_probe_tcp(
+pub unsafe extern "C" fn rs_dns_probe_tcp(
_flow: *const core::Flow,
direction: u8,
input: *const u8,
if len == 0 || len < std::mem::size_of::<DNSHeader>() as u32 + 2 {
return core::ALPROTO_UNKNOWN;
}
- let slice: &[u8] = unsafe {
- std::slice::from_raw_parts(input as *mut u8, len as usize)
- };
+ let slice: &[u8] = std::slice::from_raw_parts(input as *mut u8, len as usize);
//is_incomplete is checked by caller
let (is_dns, is_request, _) = probe_tcp(slice);
if is_dns {
let dir = if is_request {
- core::STREAM_TOSERVER
+ Direction::ToServer
} else {
- core::STREAM_TOCLIENT
+ Direction::ToClient
};
- if direction & (core::STREAM_TOSERVER|core::STREAM_TOCLIENT) != dir {
- unsafe { *rdir = dir };
+ if (direction & DIR_BOTH) != dir.into() {
+ *rdir = dir as u8;
}
- return unsafe { ALPROTO_DNS };
+ return ALPROTO_DNS;
}
return 0;
}
#[no_mangle]
-pub extern "C" fn rs_dns_apply_tx_config(
+pub unsafe extern "C" fn rs_dns_apply_tx_config(
_state: *mut std::os::raw::c_void, _tx: *mut std::os::raw::c_void,
_mode: std::os::raw::c_int, config: AppLayerTxConfig
) {
}
}
-#[no_mangle]
-pub unsafe extern "C" fn rs_dns_init(proto: AppProto) {
- ALPROTO_DNS = proto;
-}
-
#[no_mangle]
pub unsafe extern "C" fn rs_dns_udp_register_parser() {
let default_port = std::ffi::CString::new("[53]").unwrap();
tx_comp_st_tc: 1,
tx_get_progress: rs_dns_tx_get_alstate_progress,
get_events: Some(rs_dns_state_get_events),
- get_eventinfo: Some(rs_dns_state_get_event_info),
- get_eventinfo_byid: Some(rs_dns_state_get_event_info_by_id),
+ get_eventinfo: Some(DNSEvent::get_event_info),
+ get_eventinfo_byid: Some(DNSEvent::get_event_info_by_id),
localstorage_new: None,
localstorage_free: None,
get_files: None,
- get_tx_iterator: None,
+ get_tx_iterator: Some(crate::applayer::state_get_tx_iterator::<DNSState, DNSTransaction>),
get_de_state: rs_dns_state_get_tx_detect_state,
set_de_state: rs_dns_state_set_tx_detect_state,
get_tx_data: rs_dns_state_get_tx_data,
tx_comp_st_tc: 1,
tx_get_progress: rs_dns_tx_get_alstate_progress,
get_events: Some(rs_dns_state_get_events),
- get_eventinfo: Some(rs_dns_state_get_event_info),
- get_eventinfo_byid: Some(rs_dns_state_get_event_info_by_id),
+ get_eventinfo: Some(DNSEvent::get_event_info),
+ get_eventinfo_byid: Some(DNSEvent::get_event_info_by_id),
localstorage_new: None,
localstorage_free: None,
get_files: None,
- get_tx_iterator: None,
+ get_tx_iterator: Some(crate::applayer::state_get_tx_iterator::<DNSState, DNSTransaction>),
get_de_state: rs_dns_state_get_tx_detect_state,
set_de_state: rs_dns_state_set_tx_detect_state,
get_tx_data: rs_dns_state_get_tx_data,
state.parse_request_tcp(buf3)
);
}
+
+ #[test]
+ fn test_dns_event_from_id() {
+ assert_eq!(DNSEvent::from_id(0), Some(DNSEvent::MalformedData));
+ assert_eq!(DNSEvent::from_id(3), Some(DNSEvent::ZFlagSet));
+ assert_eq!(DNSEvent::from_id(9), None);
+ }
+
+ #[test]
+ fn test_dns_event_to_cstring() {
+ assert_eq!(DNSEvent::MalformedData.to_cstring(), "malformed_data\0");
+ }
+
+ #[test]
+ fn test_dns_event_from_string() {
+ let name = "malformed_data";
+ let event = DNSEvent::from_string(&name).unwrap();
+ assert_eq!(event, DNSEvent::MalformedData);
+ assert_eq!(event.to_cstring(), format!("{}\0", name));
+ }
}