}
return r;
}
+
+
+/** \brief Do the content inspection & validation for a signature
+ *
+ * \param de_ctx Detection engine context
+ * \param det_ctx Detection engine thread context
+ * \param s Signature to inspect
+ * \param sm SigMatch to inspect
+ * \param f Flow
+ * \param flags app layer flags
+ * \param state App layer state
+ *
+ * \retval 0 no match
+ * \retval 1 match
+ */
+int DetectEngineInspectGenericList(ThreadVars *tv,
+ const DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ const Signature *s, Flow *f, const uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id, const int list)
+{
+ KEYWORD_PROFILING_SET_LIST(det_ctx, list);
+
+ SigMatchData *smd = s->sm_arrays[list];
+ SCLogDebug("running match functions, sm %p", smd);
+ if (smd != NULL) {
+ while (1) {
+ int match = 0;
+ KEYWORD_PROFILING_START;
+ match = sigmatch_table[smd->type].
+ AppLayerTxMatch(tv, det_ctx, f, flags, alstate, txv, s, smd->ctx);
+ KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
+
+ if (match == 0)
+ return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+ if (match == 2) {
+ return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+ }
+
+ if (smd->is_last)
+ break;
+ smd++;
+ }
+ }
+
+ return DETECT_ENGINE_INSPECT_SIG_MATCH;
+}
+
+int DetectEngineInspectDnsRequest(ThreadVars *tv,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, f, flags,
+ alstate, txv, tx_id,
+ DETECT_SM_LIST_DNSREQUEST_MATCH);
+}
+
+int DetectEngineInspectDnsResponse(ThreadVars *tv,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, f, flags,
+ alstate, txv, tx_id,
+ DETECT_SM_LIST_DNSRESPONSE_MATCH);
+}
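Review bot: The header comment on DetectEngineInspectGenericList does not describe the function beneath it: it documents `sm` and `state`, omits `tv`, `alstate`, `txv`, `tx_id` and `list`, and its `\retval 0` / `\retval 1` lines are wrong because the body returns the DETECT_ENGINE_INSPECT_SIG_NO_MATCH, _CANT_MATCH and _MATCH constants. Replace the `\param` block with one line per actual parameter (noting that `de_ctx` and `tx_id` are currently unused) and document the three return values, including `\retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH a keyword's AppLayerTxMatch returned 2, so this tx can never match`. Separately, `sigmatch_table[smd->type].AppLayerTxMatch` is invoked without checking that the callback is set; if the signature parser already guarantees every keyword placed in a DNS request/response list registers it this is fine, but that invariant should be stated in a comment, otherwise a guard `if (sigmatch_table[smd->type].AppLayerTxMatch == NULL) return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;` belongs before the call. Note also that the loop treats every return value other than 0 and 2 as a match, so a keyword that reports an error with e.g. -1 would be counted as matching; if the callback contract is strictly {0,1,2}, a comment saying so would make that intentional.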
int DetectEngineInspectDnsQueryName(ThreadVars *, DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *, Signature *,
Flow *, uint8_t, void *, void *, uint64_t);
+int DetectEngineInspectDnsRequest(ThreadVars *tv,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id);
+int DetectEngineInspectDnsResponse(ThreadVars *tv,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id);
#endif /* __DETECT_ENGINE_DNS_H__ */
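Review bot: DetectEngineInspectGenericList is defined with external linkage in the .c file but no prototype for it is added here, while DetectEngineInspectDnsRequest and DetectEngineInspectDnsResponse both get one; unless it is declared in some other header not shown, it should either be declared next to these or be made `static` so the symbol is not an undeclared global. The new prototypes are also written with named parameters whereas the existing DetectEngineInspectDnsQueryName prototype directly above uses unnamed ones, and they take non-const `de_ctx`/`s` although the generic function they wrap takes them `const`; matching the existing prototype is a reasonable choice, but a one-line comment such as `/* wrappers around DetectEngineInspectGenericList for the DNS request/response lists */` would tell the reader where the logic actually lives.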
#define DE_STATE_FLAG_MODBUS_INSPECT (1 << 19)
#define DE_STATE_FLAG_HRL_INSPECT (1 << 20)
#define DE_STATE_FLAG_FD_SMTP_INSPECT (1 << 21)
+#define DE_STATE_FLAG_DNSREQUEST_INSPECT (1 << 22)
+#define DE_STATE_FLAG_DNSRESPONSE_INSPECT (1 << 23)
/* state flags */
#define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001
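Review bot: DE_STATE_FLAG_DNSREQUEST_INSPECT and DE_STATE_FLAG_DNSRESPONSE_INSPECT occupy bits 22 and 23, and nothing in this block records how many bits the storing field has; the field's type is not visible here, but if it is 32 bits wide only eight bits remain and the next few additions will exhaust it silently. Add a comment after the last flag, e.g. `/* NOTE: verify against the width of the flags field these are stored in; widen it before adding more bits */`, or a `_Static_assert` on that field's size if the file already has the type in scope.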
DE_STATE_FLAG_DNSQUERYNAME_INSPECT,
0,
DetectEngineInspectDnsQueryName },
+ { IPPROTO_TCP,
+ ALPROTO_DNS,
+ DETECT_SM_LIST_DNSREQUEST_MATCH,
+ DE_STATE_FLAG_DNSREQUEST_INSPECT,
+ 0,
+ DetectEngineInspectDnsRequest },
+ /* specifically for UDP, register again
+ * allows us to use the alproto w/o translation
+ * in the detection engine */
+ { IPPROTO_UDP,
+ ALPROTO_DNS,
+ DETECT_SM_LIST_DNSREQUEST_MATCH,
+ DE_STATE_FLAG_DNSREQUEST_INSPECT,
+ 0,
+ DetectEngineInspectDnsRequest },
+ /* SMTP */
{ IPPROTO_TCP,
ALPROTO_SMTP,
DETECT_SM_LIST_FILEMATCH,
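Review bot: The two new DNS-request entries differ only in the IPPROTO value, and the reason for the duplicate registration is given in a comment placed before the UDP entry alone; the identical pair and identical comment are repeated in the toclient table later in this commit, so a single comment above the first DNS entry of each table, `/* DNS: registered for both TCP and UDP so the engine can use the alproto without translation */`, would say it once and cover both rows. The `/* SMTP */` marker added at the end of this hunk is useful, but the DNS rows above it get no equivalent marker; a `/* DNS */` line before the first DNS query-name entry would keep the table readable as it grows. The table's opening line is outside this hunk.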
DETECT_SM_LIST_MODBUS_MATCH,
DE_STATE_FLAG_MODBUS_INSPECT,
0,
- DetectEngineInspectModbus }
+ DetectEngineInspectModbus },
+ { IPPROTO_TCP,
+ ALPROTO_DNS,
+ DETECT_SM_LIST_DNSRESPONSE_MATCH,
+ DE_STATE_FLAG_DNSRESPONSE_INSPECT,
+ 1,
+ DetectEngineInspectDnsResponse },
+ /* specifically for UDP, register again
+ * allows us to use the alproto w/o translation
+ * in the detection engine */
+ { IPPROTO_UDP,
+ ALPROTO_DNS,
+ DETECT_SM_LIST_DNSRESPONSE_MATCH,
+ DE_STATE_FLAG_DNSRESPONSE_INSPECT,
+ 1,
+ DetectEngineInspectDnsResponse },
};
size_t i;
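Review bot: The DNS-response entries are appended after the Modbus entry here, whereas in the toserver table the DNS-request entries were placed next to the existing DNS query-name engine; grouping the protocol's rows together in both tables makes the two tables easier to compare and audit. The direction field is a bare `1` on these rows (and `0` on the toserver side); if the file has a named constant for the direction value it should be used, otherwise a short comment on the first row, `1, /* to client */`, documents the meaning in place. The table's opening line is outside this hunk.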
sig->flags |= SIG_FLAG_STATE_MATCH;
if (sig->sm_lists[DETECT_SM_LIST_HRHHDMATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
+
+ /* DNS */
if (sig->sm_lists[DETECT_SM_LIST_DNSQUERYNAME_MATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
+ if (sig->sm_lists[DETECT_SM_LIST_DNSREQUEST_MATCH]) {
+ sig->flags |= SIG_FLAG_STATE_MATCH;
+ }
+ if (sig->sm_lists[DETECT_SM_LIST_DNSRESPONSE_MATCH]) {
+ sig->flags |= SIG_FLAG_STATE_MATCH;
+ }
+
if (sig->sm_lists[DETECT_SM_LIST_MODBUS_MATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
if (sig->sm_lists[DETECT_SM_LIST_APP_EVENT])
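Review bot: The two new checks wrap a single statement in braces while every neighbouring check in this run (DNSQUERYNAME, MODBUS, APP_EVENT) does not; pick one form for the whole sequence. Since all three DNS branches set the same flag, they could also be collapsed into one condition, `if (sig->sm_lists[DETECT_SM_LIST_DNSQUERYNAME_MATCH] || sig->sm_lists[DETECT_SM_LIST_DNSREQUEST_MATCH] || sig->sm_lists[DETECT_SM_LIST_DNSRESPONSE_MATCH]) sig->flags |= SIG_FLAG_STATE_MATCH;`, which keeps the `/* DNS */` grouping without the repetition. The enclosing function starts and ends outside this hunk.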