Note that sticky buffers are expected to be followed by one or more
:doc:`payload-keywords`.
-dns.answer.name
----------------
-
-``dns.answer.name`` is a sticky buffer that is used to look at the
-name field in DNS answer resource records.
-
-``dns.answer.name`` will look at both requests and responses, so
-``flow`` is recommended to confine to a specific direction.
-
-The buffer being matched on contains the complete re-assembled
-resource name, for example "www.suricata.io".
-
-``dns.answer.name`` supports :doc:`multi-buffer-matching`.
-
-``dns.answer.name`` was introduced in Suricata 8.0.0.
-
dns.opcode
----------
.. note:: **dns.query** will only match on DNS request messages, to
also match on DNS response message, see
- `dns.query.name`_.
+ `dns.queries.rrname`_.
-``dns.query.name`` supports :doc:`multi-buffer-matching`.
+``dns.queries.rrname`` supports :doc:`multi-buffer-matching`.
Normalized Buffer
~~~~~~~~~~~~~~~~~
mail.google.com
-dns.query.name
----------------
+dns.queries.rrname
+------------------
+
+``dns.queries.rrname`` is a sticky buffer that is used to look at the
+name field in DNS query (question) resource records. It is nearly
+identical to ``dns.query`` but supports both DNS requests and
+responses.
+
+``dns.queries.rrname`` will look at both requests and responses, so
+``flow`` is recommended to confine to a specific direction.
+
+The buffer being matched on contains the complete re-assembled
+resource name, for example "www.suricata.io".
+
+``dns.queries.rrname`` supports :doc:`multi-buffer-matching`.
+
+``dns.queries.rrname`` was introduced in Suricata 8.0.0.
-``dns.query.name`` is a sticky buffer that is used to look at the name
-field in DNS query (question) resource records. It is nearly identical
-to ``dns.query`` but supports both DNS requests and responses.
+dns.answers.rrname
+------------------
-``dns.query.name`` will look at both requests and responses, so
+``dns.answers.rrname`` is a sticky buffer that is used to look at the
+name field in DNS answer resource records.
+
+``dns.answers.rrname`` will look at both requests and responses, so
``flow`` is recommended to confine to a specific direction.
The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io".
-``dns.query.name`` supports :doc:`multi-buffer-matching`.
+``dns.answers.rrname`` supports :doc:`multi-buffer-matching`.
+
+``dns.answers.rrname`` was introduced in Suricata 8.0.0.
+
+dns.authorities.rrname
+----------------------
+
+``dns.authorities.rrname`` is a sticky buffer that is used to look at the
+rrname field in DNS authority resource records.
+
+``dns.authorities.rrname`` will look at both requests and responses,
+so ``flow`` is recommended to confine to a specific direction.
+
+The buffer being matched on contains the complete re-assembled
+resource name, for example "www.suricata.io".
+
+``dns.authorities.rrname`` supports :doc:`multi-buffer-matching`.
+
+``dns.authorities.rrname`` was introduced in Suricata 8.0.0.
+
+dns.additionals.rrname
+----------------------
+
+``dns.additionals.rrname`` is a sticky buffer that is used to look at
+the rrname field in DNS additional resource records.
+
+``dns.additionals.rrname`` will look at both requests and responses,
+so ``flow`` is recommended to confine to a specific direction.
+
+The buffer being matched on contains the complete re-assembled
+resource name, for example "www.suricata.io".
+
+``dns.additionals.rrname`` supports :doc:`multi-buffer-matching`.
-``dns.query.name`` was introduced in Suricata 8.0.0.
+``dns.additionals.rrname`` was introduced in Suricata 8.0.0.
dns.response.rrname
-------------------
detect-detection-filter.h \
detect-distance.h \
detect-dnp3.h \
- detect-dns-answer-name.h \
+ detect-dns-name.h \
detect-dns-opcode.h \
detect-dns-rcode.h \
detect-dns-response.h \
detect-dns-rrtype.h \
detect-dns-query.h \
- detect-dns-query-name.h \
detect-dsize.h \
detect-engine-address.h \
detect-engine-address-ipv4.h \
detect-detection-filter.c \
detect-distance.c \
detect-dnp3.c \
- detect-dns-answer-name.c \
+ detect-dns-name.c \
detect-dns-opcode.c \
detect-dns-rcode.c \
detect-dns-response.c \
detect-dns-rrtype.c \
detect-dns-query.c \
- detect-dns-query-name.c \
detect-dsize.c \
detect-engine-address.c \
detect-engine-address-ipv4.c \
+++ /dev/null
-/* Copyright (C) 2023 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * Detect keyword for DNS answer name: dns.answer.name
- */
-
-#include "detect.h"
-#include "detect-parse.h"
-#include "detect-engine.h"
-#include "detect-engine-prefilter.h"
-#include "detect-engine-content-inspection.h"
-#include "detect-dns-answer-name.h"
-#include "util-profiling.h"
-#include "rust.h"
-
-static int detect_buffer_id = 0;
-
-static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
-{
- if (DetectBufferSetActiveList(de_ctx, s, detect_buffer_id) < 0) {
- return -1;
- }
- if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
- return -1;
- }
-
- return 0;
-}
-
-static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
- const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
- uint32_t index)
-{
- InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
- if (buffer == NULL) {
- return NULL;
- }
- if (buffer->initialized) {
- return buffer;
- }
-
- bool to_client = (flags & STREAM_TOSERVER) == 0;
- const uint8_t *data = NULL;
- uint32_t data_len = 0;
-
- if (!SCDnsTxGetAnswerName(txv, to_client, index, &data, &data_len)) {
- InspectionBufferSetupMultiEmpty(buffer);
- return NULL;
- }
- InspectionBufferSetupMulti(buffer, transforms, data, data_len);
- buffer->flags = DETECT_CI_FLAGS_SINGLE;
- return buffer;
-}
-
-void DetectDnsAnswerNameRegister(void)
-{
- static const char *keyword = "dns.answer.name";
- sigmatch_table[DETECT_DNS_ANSWER_NAME].name = keyword;
- sigmatch_table[DETECT_DNS_ANSWER_NAME].desc = "DNS answer name sticky buffer";
- sigmatch_table[DETECT_DNS_ANSWER_NAME].url = "/rules/dns-keywords.html#dns-answer-name";
- sigmatch_table[DETECT_DNS_ANSWER_NAME].Setup = DetectSetup;
- sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
-
- /* Register in the TO_SERVER direction, even though this is not
- normal, it could be provided as part of a request. */
- DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, GetBuffer, 2, 1);
- /* Register in the TO_CLIENT direction. */
- DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, GetBuffer, 2, 1);
-
- DetectBufferTypeSetDescriptionByName(keyword, "dns answer name");
- DetectBufferTypeSupportsMultiInstance(keyword);
-
- detect_buffer_id = DetectBufferTypeGetByName(keyword);
-}
+++ /dev/null
-/* Copyright (C) 2023 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-#ifndef SURICATA_DETECT_DNS_ANSWER_NAME_H
-#define SURICATA_DETECT_DNS_ANSWER_NAME_H
-
-void DetectDnsAnswerNameRegister(void);
-
-#endif /* SURICATA_DETECT_DNS_ANSWER_NAME_H */
--- /dev/null
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * Detect keyword for DNS rrnames:
+ * - dns.queries.rrname
+ * - dns.answers.rrname
+ * - dns.authorities.name
+ * - dns.additionals.name
+ */
+
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-content-inspection.h"
+#include "detect-engine-helper.h"
+#include "detect-dns-name.h"
+#include "rust.h"
+
+enum DnsSection {
+ DNS_QUERY = 0,
+ DNS_ANSWER,
+ DNS_AUTHORITY,
+ DNS_ADDITIONAL,
+};
+
+static int query_buffer_id = 0;
+static int answer_buffer_id = 0;
+static int authority_buffer_id = 0;
+static int additional_buffer_id = 0;
+
+static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str, int id)
+{
+ if (DetectBufferSetActiveList(de_ctx, s, id) < 0) {
+ return -1;
+ }
+ if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static int SetupQueryBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ return DetectSetup(de_ctx, s, str, query_buffer_id);
+}
+
+static int SetupAnswerBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ return DetectSetup(de_ctx, s, str, answer_buffer_id);
+}
+
+static int SetupAdditionalsBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ return DetectSetup(de_ctx, s, str, additional_buffer_id);
+}
+
+static int SetupAuthoritiesBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+ return DetectSetup(de_ctx, s, str, authority_buffer_id);
+}
+
+static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
+ uint32_t index, enum DnsSection what)
+{
+ InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
+ if (buffer == NULL) {
+ return NULL;
+ }
+ if (buffer->initialized) {
+ return buffer;
+ }
+
+ bool to_client = (flags & STREAM_TOSERVER) == 0;
+ const uint8_t *data = NULL;
+ uint32_t data_len = 0;
+
+ bool ok = false;
+ switch (what) {
+ case DNS_QUERY:
+ ok = SCDnsTxGetQueryName(txv, to_client, index, &data, &data_len);
+ break;
+ case DNS_ANSWER:
+ ok = SCDnsTxGetAnswerName(txv, to_client, index, &data, &data_len);
+ break;
+ case DNS_AUTHORITY:
+ ok = SCDnsTxGetAuthorityName(txv, index, &data, &data_len);
+ break;
+ case DNS_ADDITIONAL:
+ ok = SCDnsTxGetAdditionalName(txv, index, &data, &data_len);
+ break;
+ default:
+ DEBUG_VALIDATE_BUG_ON("unhandled dns rrname type");
+ InspectionBufferSetupMultiEmpty(buffer);
+ return NULL;
+ }
+
+ if (ok) {
+ InspectionBufferSetupMulti(buffer, transforms, data, data_len);
+ buffer->flags = DETECT_CI_FLAGS_SINGLE;
+ return buffer;
+ }
+
+ InspectionBufferSetupMultiEmpty(buffer);
+ return NULL;
+}
+
+static InspectionBuffer *GetQueryBuffer(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
+ uint32_t index)
+{
+ return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_QUERY);
+}
+
+static InspectionBuffer *GetAnswerBuffer(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
+ uint32_t index)
+{
+ return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_ANSWER);
+}
+
+static InspectionBuffer *GetAuthorityBuffer(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
+ uint32_t index)
+{
+ return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_AUTHORITY);
+}
+
+static InspectionBuffer *GetAdditionalBuffer(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
+ uint32_t index)
+{
+ return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_ADDITIONAL);
+}
+
+static int Register(const char *keyword, const char *desc, const char *doc,
+ int (*Setup)(DetectEngineCtx *, Signature *, const char *),
+ InspectionMultiBufferGetDataPtr GetBufferFn)
+{
+ int keyword_id = SCDetectHelperNewKeywordId();
+ sigmatch_table[keyword_id].name = keyword;
+ sigmatch_table[keyword_id].desc = desc;
+ sigmatch_table[keyword_id].url = doc;
+ sigmatch_table[keyword_id].Setup = Setup;
+ sigmatch_table[keyword_id].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[keyword_id].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+
+ DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, GetBufferFn, 2, 1);
+ DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, GetBufferFn, 2, 1);
+
+ DetectBufferTypeSetDescriptionByName(keyword, keyword);
+ DetectBufferTypeSupportsMultiInstance(keyword);
+
+ return DetectBufferTypeGetByName(keyword);
+}
+
+void DetectDnsNameRegister(void)
+{
+ query_buffer_id = Register("dns.queries.rrname", "DNS query rrname sticky buffer",
+ "/rules/dns-keywords.html#dns.queries.rrname", SetupQueryBuffer, GetQueryBuffer);
+ answer_buffer_id = Register("dns.answers.rrname", "DNS answer rrname sticky buffer",
+ "/rules/dns-keywords.html#dns.answers.rrname", SetupAnswerBuffer, GetAnswerBuffer);
+ additional_buffer_id =
+ Register("dns.additionals.rrname", "DNS additionals rrname sticky buffer",
+ "/rules/dns-keywords.html#dns-additionals-rrname", SetupAdditionalsBuffer,
+ GetAdditionalBuffer);
+ authority_buffer_id = Register("dns.authorities.rrname", "DNS authorities rrname sticky buffer",
+ "/rules/dns-keywords.html#dns-authorities-rrname", SetupAuthoritiesBuffer,
+ GetAuthorityBuffer);
+}
* 02110-1301, USA.
*/
-#ifndef SURICATA_DETECT_DNS_QUERY_NAME_H
-#define SURICATA_DETECT_DNS_QUERY_NAME_H
+#ifndef SURICATA_DETECT_DNS_NAME_H
+#define SURICATA_DETECT_DNS_NAME_H
-void DetectDnsQueryNameRegister(void);
+void DetectDnsNameRegister(void);
-#endif /* SURICATA_DETECT_DNS_QUERY_NAME_H */
+#endif /* SURICATA_DETECT_DNS_NAME_H */
+++ /dev/null
-/* Copyright (C) 2023 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * Detect keyword for DNS query names: dns.query.name
- */
-
-#include "detect.h"
-#include "detect-parse.h"
-#include "detect-engine.h"
-#include "detect-engine-prefilter.h"
-#include "detect-engine-content-inspection.h"
-#include "detect-dns-query-name.h"
-#include "util-profiling.h"
-#include "rust.h"
-
-static int detect_buffer_id = 0;
-
-static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
-{
- if (DetectBufferSetActiveList(de_ctx, s, detect_buffer_id) < 0) {
- return -1;
- }
- if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
- return -1;
- }
-
- return 0;
-}
-
-static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
- const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
- int list_id, uint32_t index)
-{
- InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
- if (buffer == NULL) {
- return NULL;
- }
- if (buffer->initialized) {
- return buffer;
- }
-
- bool to_client = (flags & STREAM_TOSERVER) == 0;
- const uint8_t *data = NULL;
- uint32_t data_len = 0;
-
- if (!SCDnsTxGetQueryName(txv, to_client, index, &data, &data_len)) {
- InspectionBufferSetupMultiEmpty(buffer);
- return NULL;
- }
- InspectionBufferSetupMulti(buffer, transforms, data, data_len);
- buffer->flags = DETECT_CI_FLAGS_SINGLE;
- return buffer;
-}
-
-void DetectDnsQueryNameRegister(void)
-{
- static const char *keyword = "dns.query.name";
- sigmatch_table[DETECT_DNS_QUERY_NAME].name = keyword;
- sigmatch_table[DETECT_DNS_QUERY_NAME].desc = "DNS query name sticky buffer";
- sigmatch_table[DETECT_DNS_QUERY_NAME].url = "/rules/dns-keywords.html#dns-query-name";
- sigmatch_table[DETECT_DNS_QUERY_NAME].Setup = DetectSetup;
- sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
-
- /* Register in both directions as the query is usually echoed back
- in the response. */
- DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, GetBuffer, 2, 1);
- DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, GetBuffer, 2, 1);
-
- DetectBufferTypeSetDescriptionByName(keyword, "dns query name");
- DetectBufferTypeSupportsMultiInstance(keyword);
-
- detect_buffer_id = DetectBufferTypeGetByName(keyword);
-}
#include "detect-dns-rcode.h"
#include "detect-dns-rrtype.h"
#include "detect-dns-query.h"
-#include "detect-dns-answer-name.h"
-#include "detect-dns-query-name.h"
+#include "detect-dns-name.h"
#include "detect-dns-response.h"
#include "detect-tls-sni.h"
#include "detect-tls-certs.h"
DetectDnsOpcodeRegister();
DetectDnsRcodeRegister();
DetectDnsRrtypeRegister();
- DetectDnsAnswerNameRegister();
- DetectDnsQueryNameRegister();
+ DetectDnsNameRegister();
DetectDnsResponseRegister();
DetectModbusRegister();
DetectDNP3Register();
DETECT_DNS_RCODE,
DETECT_DNS_RESPONSE,
DETECT_DNS_RRTYPE,
- DETECT_DNS_ANSWER_NAME,
- DETECT_DNS_QUERY_NAME,
DETECT_TLS_SNI,
DETECT_TLS_CERTS,
DETECT_TLS_CERT_ISSUER,
projects / thirdparty / suricata.git / commitdiff
