Pull request #4427: appid: dns sinkhole support for edns
authorRishabh Choudhary (rishacho) <rishacho@cisco.com>
Tue, 10 Sep 2024 07:22:07 +0000 (07:22 +0000)
committerShanmugam S (shanms) <shanms@cisco.com>
Tue, 10 Sep 2024 07:22:07 +0000 (07:22 +0000)
Merge in SNORT/snort3 from ~RISHACHO/snort3:dns_sinkhole to master

Squashed commit of the following:

commit a63ed896fa9b21e1267b9c397c2104d7111c40e3
Author: Rishabh Choudhary <rishacho@cisco.com>
Date:   Tue Aug 27 00:28:11 2024 +0530

    appid: dns sinkhole support for edns

src/network_inspectors/appid/appid_dns_session.h
src/network_inspectors/appid/detector_plugins/detector_dns.cc
src/network_inspectors/appid/detector_plugins/detector_dns.h
src/network_inspectors/appid/test/appid_mock_session.h
src/network_inspectors/appid/test/appid_session_api_test.cc

index c54dadcd75c004176a273bd7e2a925bbaa59f82b..d2ea64ef366adea93cffe31ef36374aca689caa8 100644 (file)
@@ -43,6 +43,7 @@ public:
         host_offset = 0;
         record_type = 0;
         ttl = 0;
+        options_offset = 0;
     }
 
     uint8_t get_state() const
@@ -93,6 +94,12 @@ public:
     void set_host_offset(uint16_t hostOffset)
     { host_offset = hostOffset; }
 
+    uint16_t get_options_offset() const
+    { return options_offset; }
+
+    void set_options_offset(uint16_t optionsOffset)
+    { options_offset = optionsOffset; }
+
 protected:
     uint8_t state = 0;
     uint8_t response_type = 0;
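Review bot: The new `get_options_offset()` / `set_options_offset()` pair has no comment saying what the offset is measured from or what 0 means. From the call sites in detector_dns.cc it appears to be the value of `*offset` in dns_validate_query at the point the query info is recorded, and 0 is what reset() and the member initializer assign. I would add a comment above the getter, to be confirmed against dns_validate_query, such as `// Offset recorded by the DNS detector when the query was parsed (where EDNS options may follow); 0 when not recorded. Not checked against the payload length here.` A consumer that indexes packet data with this value then knows it must do its own length check. The class body starts and ends outside this hunk.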
@@ -101,5 +108,6 @@ protected:
     uint32_t ttl = 0;
     std::string host;
     uint16_t host_offset = 0;
+    uint16_t options_offset = 0;
 };
 #endif
index 9170454a48197dc25f83fb8617d168e8fe438390..b891e803a7cf54db76788afa7ff3dd80190ea9f5 100644 (file)
@@ -187,7 +187,7 @@ DnsUdpServiceDetector::DnsUdpServiceDetector(ServiceDiscovery* sd)
 
 APPID_STATUS_CODE DnsValidator::add_dns_query_info(AppIdSession& asd, uint16_t id,
     const uint8_t* host, uint8_t host_len, uint16_t host_offset, uint16_t record_type,
-    AppidChangeBits& change_bits)
+    uint16_t options_offset, AppidChangeBits& change_bits)
 {
     AppIdDnsSession* dsession = asd.get_dns_session();
     if (!dsession)
@@ -211,6 +211,7 @@ APPID_STATUS_CODE DnsValidator::add_dns_query_info(AppIdSession& asd, uint16_t i
                 return APPID_NOMATCH;
             dsession->set_host(new_host, change_bits);
             dsession->set_host_offset(host_offset);
+            dsession->set_options_offset(options_offset);
             snort_free(new_host);
        }
     }
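Review bot: `set_options_offset(options_offset)` sits inside the block that builds `new_host`, next to `set_host()` and `set_host_offset()`, so it seems to run only when a host name is being stored. The PATTERN_PTR_REC call in dns_validate_query now passes `*offset` together with `nullptr, 0, 0` for the host arguments. If this block is guarded by the host being present (the condition is outside the hunk), that value is dropped and PTR queries keep options_offset at 0. If that is intended, the PTR call could keep passing 0 with a short comment; if not, `dsession->set_options_offset(options_offset);` should move out of the host block. The function body starts and ends outside this hunk.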
@@ -357,10 +358,10 @@ int DnsValidator::dns_validate_query(const uint8_t* data, uint16_t* offset, uint
             case PATTERN_SOA_REC:
             case PATTERN_NS_REC:
             case PATTERN_ANY_REC:
-                ret = add_dns_query_info(asd, id, host, host_len, host_offset, record_type, change_bits);
+                ret = add_dns_query_info(asd, id, host, host_len, host_offset, record_type, *offset, change_bits);
                 break;
             case PATTERN_PTR_REC:
-                ret = add_dns_query_info(asd, id, nullptr, 0, 0, record_type, change_bits);
+                ret = add_dns_query_info(asd, id, nullptr, 0, 0, record_type, *offset, change_bits);
                 break;
             default:
                 break;
index 7d01e0cb9ea49d8ee0f4322b940e20c4d9c6e6e0..fd867bc31a6bf7c8823532efe27dd885132ba44f 100644 (file)
@@ -32,7 +32,7 @@ class DnsValidator
 {
 protected:
     APPID_STATUS_CODE add_dns_query_info(AppIdSession&, uint16_t, const uint8_t*,
-        uint8_t, uint16_t, uint16_t, AppidChangeBits&);
+        uint8_t, uint16_t, uint16_t, uint16_t, AppidChangeBits&);
     APPID_STATUS_CODE add_dns_response_info(AppIdSession&, uint16_t, const uint8_t*,
         uint8_t, uint16_t, uint8_t, uint32_t, AppidChangeBits&);
     APPID_STATUS_CODE dns_validate_label(const uint8_t*, uint16_t&, uint16_t, uint8_t&, bool&);
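Review bot: The declaration of `add_dns_query_info` now has three consecutive unnamed `uint16_t` parameters, so passing host_offset, record_type and options_offset in the wrong order at a call site compiles without a diagnostic. Naming them here, as the definition in detector_dns.cc does, makes the order readable: `uint8_t host_len, uint16_t host_offset, uint16_t record_type, uint16_t options_offset, AppidChangeBits&);`. The class continues outside the hunk.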
index 8ed886671391443de42767bec72edccae235e82c..6dd9905d973fe4716529f56f194d2dbbc9716c59 100644 (file)
@@ -39,6 +39,7 @@ char const* APPID_UT_SERVICE_IP_ADDR = "192.168.0.2";
 char const* APPID_UT_INITIATOR_IP_ADDR = "192.168.0.3";
 
 char const* APPID_ID_UT_DNS_HOST = "delphi.opendns.com";
+#define APPID_UT_DNS_OPTIONS_OFFSET 28
 #define APPID_UT_DNS_HOST_OFFSET 22
 #define APPID_UT_DNS_PATTERN_CNAME_REC  5
 #define APPID_UT_DNS_NOERROR 0
@@ -69,6 +70,7 @@ public:
     {
         host = (const char*) APPID_ID_UT_DNS_HOST;
         host_offset = APPID_UT_DNS_HOST_OFFSET;
+        options_offset = APPID_UT_DNS_OPTIONS_OFFSET;
         record_type = APPID_UT_DNS_PATTERN_CNAME_REC;
         response_type = APPID_UT_DNS_NOERROR;
         ttl = APPID_UT_DNS_TTL;
index 2a54ff1c1a4f227708d7852e1e617b391833fcc0..cb1bf8c4a4f2c3b7dddd8644c643d80d3f7a105e 100644 (file)
@@ -539,6 +539,10 @@ TEST(appid_session_api, appid_dns_api)
     qoff = dsession->get_host_offset();
     CHECK_TRUE(qoff == APPID_UT_DNS_HOST_OFFSET);
 
+    uint16_t opoff;
+    opoff = dsession->get_options_offset();
+    CHECK_TRUE(opoff == APPID_UT_DNS_OPTIONS_OFFSET);
+
     uint16_t rt;
     rt = dsession->get_record_type();
     CHECK_TRUE(rt == APPID_UT_DNS_PATTERN_CNAME_REC);
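Review bot: The added check only reads back the constant that the mock session constructor assigned. It does not cover the path in detector_dns.cc that records `*offset`, nor that reset() clears the field. A detector-level test that runs a query through dns_validate_query and then inspects `get_options_offset()` would cover the behaviour this commit introduces. For the existing assertion, `CHECK_EQUAL(APPID_UT_DNS_OPTIONS_OFFSET, dsession->get_options_offset());` reports both values on failure and makes the `opoff` local unnecessary. The test body starts and ends outside this hunk.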