#include "dns_config.h"
#include "log/messages.h"
#include "profiler/profiler.h"
-#include "protocols/packet.h"
#include "stream/stream.h"
#include "dns_module.h"
{ CountType::SUM, "responses", "total dns responses" },
{ CountType::NOW, "concurrent_sessions", "total concurrent dns sessions" },
{ CountType::MAX, "max_concurrent_sessions", "maximum concurrent dns sessions" },
+ { CountType::SUM, "aborted_sessions", "total dns sessions aborted" },
{ CountType::END, nullptr, nullptr }
};
return &fd->session;
}
-static DNSData* get_dns_session_data(Packet* p, bool from_server, DNSData& udpSessionData)
+bool DNSData::valid_dns(const DNSHdr& dns_header) const
{
- DnsFlowData* fd;
+ // Check QR bit (Query/Response)
+ bool is_query = ((dns_header.flags & 0x8000) == 0);
+
+ // Check Opcode (should be 0 for standard queries)
+ uint16_t opcode = (dns_header.flags & 0x7800) >> 11;
+ if (opcode > 2)
+ return false;
+
+ // Check for reserved bits and RCODE
+ if (dns_header.flags & 0x7800)
+ return false;
+
+ // Validate Recursion bits (RA should not be set in a query)
+ bool ra_bit = (dns_header.flags & 0x0080) != 0;
+ if (is_query && ra_bit)
+ return false;
+
+ return true;
+}
+DNSData* get_dns_session_data(Packet* p, bool from_server, DNSData& udpSessionData)
+{
+ DnsFlowData* fd;
if (p->is_udp())
{
if(p->dsize > MAX_UDP_PAYLOAD)
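Review bot: The two opcode tests in `valid_dns` contradict each other: `if (opcode > 2) return false;` admits IQUERY (1) and STATUS (2), but the very next test `if (dns_header.flags & 0x7800) return false;` uses the same opcode mask and rejects every non-zero opcode, so only opcode 0 ever passes, and the comment `// Check for reserved bits and RCODE` does not describe that mask (in the RFC 1035 header the Z bits are 0x0070 and RCODE is 0x000F). Since a false result sets DNS_FLAG_NOT_DNS and the splitter then aborts, an over-strict rule quietly removes legitimate DNS (NOTIFY is opcode 4, UPDATE is 5) from inspection for the rest of the flow, so decide on one rule and write the comment to match it, e.g. delete the second test or change it to the reserved bits `if (dns_header.flags & 0x0070) return false;`. Whether `dns_header.flags` is already in host byte order when `valid_dns` runs is not visible in the hunk; if it is still network order these masks are wrong on little-endian hosts, which is worth confirming where `hdr` is filled. The body of `get_dns_session_data` continues past the hunk.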
bool needNextPacket = false;
ParseDNSResponseMessage(p, dnsSessionData, needNextPacket);
+ if (!dnsSessionData->valid_dns(dnsSessionData->hdr))
+ {
+ dnsSessionData->flags |= DNS_FLAG_NOT_DNS;
+ return;
+ }
+
if (!needNextPacket and dnsSessionData->has_events())
DataBus::publish(Dns::get_pub_id(), DnsEventIds::DNS_RESPONSE_DATA, dnsSessionData->dns_events);
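Review bot: The new `valid_dns` check runs only after `ParseDNSResponseMessage` has already consumed the whole response, so a payload that is about to be classified as not-DNS is fully parsed first; if the header fields `valid_dns` reads are filled before the rest of the message is walked (the code that populates `dnsSessionData->hdr` is outside the hunk), the check belongs before the parse so that nothing further is decoded from a rejected payload. Only the response path is validated in this hunk; whether the request path applies the same check is not visible here and is presumably intended to be symmetric. A one-line comment would help the reader, e.g. `// Once flagged NOT_DNS the splitter aborts the flow; skip event publishing.` above the early return. The enclosing function starts and ends outside the hunk.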
#include "flow/flow.h"
+#include "protocols/packet.h"
#include "pub_sub/dns_events.h"
// Implementation header with definitions, datatypes and flowdata class for
bool publish_response() const;
bool has_events() const;
+ bool valid_dns(const DNSHdr&) const;
};
+DNSData* get_dns_session_data(snort::Packet* p, bool from_server, DNSData& udpSessionData);
+
class DnsResponseIp
{
public:
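Review bot: The two new declarations are undocumented, and `get_dns_session_data` is now part of the header's interface after being file-static. For `valid_dns` I would add `// Sanity-checks the flag bits of a parsed header; false marks the flow DNS_FLAG_NOT_DNS.` and for `get_dns_session_data` a comment stating what it returns for UDP versus stream flows and whether the result can be nullptr (the splitter change in this commit null-checks it, so that should be stated here rather than inferred). The declaration also sits outside any namespace while taking `snort::Packet`; if the rest of the header keeps free functions in a namespace, this one should follow.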
#include <cassert>
+#include "log/messages.h"
+#include "protocols/packet.h"
+
+#include "dns.h"
+#include "dns_module.h"
+
using namespace snort;
StreamSplitter::Status DnsSplitter::scan(
- Packet*, const uint8_t* data, uint32_t len,
+ Packet* p, const uint8_t* data, uint32_t len,
uint32_t, uint32_t* fp)
{
assert(len > 0);
+ DNSData udp_session_data;
+ bool from_server = p->is_from_server();
+ DNSData* dnsSessionData = get_dns_session_data(p, from_server, udp_session_data);
+
+ if ( dnsSessionData and ( dnsSessionData->flags & DNS_FLAG_NOT_DNS ) )
+ {
+ dnsstats.aborted_sessions++;
+ return ABORT;
+ }
+
if ( partial )
{
*fp = size + *data + 1;
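Review bot: `p` is now dereferenced unconditionally in `p->is_from_server()` where the parameter was previously unnamed and unused; if `DnsSplitter::scan` can be entered with a null packet (not visible here), this needs a guard such as `if (!p) return ABORT;` before the lookup, so confirm against the splitter's callers. `DNSData udp_session_data` is constructed on every call only to serve the UDP fallback inside `get_dns_session_data`, which a stream splitter never takes, and since DNSData holds the `dns_events` container that is a per-call cost worth avoiding, for instance by making the fallback argument a pointer or by hoisting it. The abort path also leaves the flow uninspected from then on, which is the intended effect, but a comment like `// Non-DNS payload on the DNS port: stop splitting this flow.` would make that explicit. The body of `scan` continues past the hunk.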