}
return false;
}
-
-// Version 1 logging support.
-
-fn dns_log_json_answer_v1(header: &DNSHeader, answer: &DNSAnswerEntry)
- -> Result<JsonBuilder, JsonError>
-{
- let mut js = JsonBuilder::new_object();
-
- js.set_string("type", "answer")?;
- js.set_uint("id", header.tx_id as u64)?;
- js.set_string("flags", format!("{:x}", header.flags).as_str())?;
- if header.flags & 0x8000 != 0 {
- js.set_bool("qr", true)?;
- }
- if header.flags & 0x0400 != 0 {
- js.set_bool("aa", true)?;
- }
- if header.flags & 0x0200 != 0 {
- js.set_bool("tc", true)?;
- }
- if header.flags & 0x0100 != 0 {
- js.set_bool("rd", true)?;
- }
- if header.flags & 0x0080 != 0 {
- js.set_bool("ra", true)?;
- }
- if header.flags & 0x0040 != 0 {
- js.set_bool("z", true)?;
- }
- js.set_string("rcode", &dns_rcode_string(header.flags))?;
- js.set_string_from_bytes("rrname", &answer.name)?;
- js.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?;
- js.set_uint("ttl", answer.ttl as u64)?;
-
- match &answer.data {
- DNSRData::A(addr) | DNSRData::AAAA(addr) => {
- js.set_string("rdata", &dns_print_addr(addr))?;
- }
- DNSRData::CNAME(bytes) |
- DNSRData::MX(bytes) |
- DNSRData::NS(bytes) |
- DNSRData::TXT(bytes) |
- DNSRData::NULL(bytes) |
- DNSRData::PTR(bytes) => {
- js.set_string_from_bytes("rdata", bytes)?;
- }
- DNSRData::SOA(soa) => {
- js.set_object("soa", &dns_log_soa(soa)?)?;
- }
- DNSRData::SSHFP(sshfp) => {
- js.set_object("sshfp", &dns_log_sshfp(sshfp)?)?;
- }
- _ => {}
- }
-
- js.close()?;
-
- return Ok(js);
-}
-
-fn dns_log_json_failure_v1(r: &DNSResponse, index: usize, flags: u64)
- -> Result<Option<JsonBuilder>, JsonError> {
- if index >= r.queries.len() {
- return Ok(None);
- }
-
- let query = &r.queries[index];
-
- if !dns_log_rrtype_enabled(query.rrtype, flags) {
- return Ok(None);
- }
-
- let mut js = JsonBuilder::new_object();
-
- js.set_string("type", "answer")?;
- js.set_uint("id", r.header.tx_id as u64)?;
- js.set_string("rcode", &dns_rcode_string(r.header.flags))?;
- js.set_string_from_bytes("rrname", &query.name)?;
-
- js.close()?;
-
- return Ok(Some(js));
-}
-
-#[no_mangle]
-pub extern "C" fn rs_dns_log_json_answer_v1(tx: &mut DNSTransaction,
- i: u16,
- flags: u64)
- -> *mut JsonBuilder
-{
- let index = i as usize;
- // Note for loop over Option for easier break out to default
- // return value.
- for response in &tx.response {
- if response.header.flags & 0x000f > 0 {
- if index == 0 {
- if let Ok(Some(js)) = dns_log_json_failure_v1(response, index, flags) {
- return Box::into_raw(Box::new(js));
- }
- }
- break;
- }
- if index >= response.answers.len() {
- break;
- }
- let answer = &response.answers[index];
- if dns_log_rrtype_enabled(answer.rrtype, flags) {
- if let Ok(js) = dns_log_json_answer_v1(&response.header, answer) {
- return Box::into_raw(Box::new(js));
- }
- break;
- }
- }
- return std::ptr::null_mut();
-}
-
-#[no_mangle]
-pub extern "C" fn rs_dns_log_json_authority_v1(tx: &mut DNSTransaction,
- i: u16,
- flags: u64)
- -> *mut JsonBuilder
-{
- let index = i as usize;
- if let &Some(ref response) = &tx.response {
- if index < response.authorities.len() {
- let answer = &response.authorities[index];
- if dns_log_rrtype_enabled(answer.rrtype, flags) {
- if let Ok(js) = dns_log_json_answer_v1(&response.header, answer) {
- return Box::into_raw(Box::new(js));
- }
- }
- }
- }
- return std::ptr::null_mut();
-}
-/* Copyright (C) 2007-2021 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
DNS_RRTYPE_MAX,
} DnsRRTypes;
-typedef enum {
- DNS_VERSION_1 = 1,
- DNS_VERSION_2
-} DnsVersion;
-
-#define DNS_VERSION_DEFAULT DNS_VERSION_2
-
static struct {
const char *config_rrtype;
uint64_t flags;
typedef struct LogDnsFileCtx_ {
uint64_t flags; /** Store mode */
- DnsVersion version;
OutputJsonCtx *eve_ctx;
} LogDnsFileCtx;
OutputJsonThreadCtx *ctx;
} LogDnsLogThread;
-static bool v1_deprecation_warned = false;
-
JsonBuilder *JsonDNSLogQuery(void *txptr, uint64_t tx_id)
{
JsonBuilder *queryjb = jb_new_array();
return TM_ECODE_OK;
}
- if (td->dnslog_ctx->version == DNS_VERSION_2) {
- if (rs_dns_do_log_answer(txptr, td->dnslog_ctx->flags)) {
- JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
- if (unlikely(jb == NULL)) {
- return TM_ECODE_OK;
- }
-
- jb_open_object(jb, "dns");
- rs_dns_log_json_answer(txptr, td->dnslog_ctx->flags, jb);
- jb_close(jb);
- OutputJsonBuilderBuffer(jb, td->ctx);
- jb_free(jb);
- }
- } else {
- /* Log answers. */
- for (uint16_t i = 0; i < UINT16_MAX; i++) {
- JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
- if (unlikely(jb == NULL)) {
- return TM_ECODE_OK;
- }
-
- JsonBuilder *answer = rs_dns_log_json_answer_v1(txptr, i,
- td->dnslog_ctx->flags);
- if (answer == NULL) {
- jb_free(jb);
- break;
- }
- jb_set_object(jb, "dns", answer);
- jb_free(answer);
-
- OutputJsonBuilderBuffer(jb, td->ctx);
- jb_free(jb);
+ if (rs_dns_do_log_answer(txptr, td->dnslog_ctx->flags)) {
+ JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
+ if (unlikely(jb == NULL)) {
+ return TM_ECODE_OK;
}
- /* Log authorities. */
- for (uint16_t i = 0; i < UINT16_MAX; i++) {
- JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx);
- if (unlikely(jb == NULL)) {
- return TM_ECODE_OK;
- }
- JsonBuilder *answer = rs_dns_log_json_authority_v1(txptr, i,
- td->dnslog_ctx->flags);
- if (answer == NULL) {
- jb_free(jb);
- break;
- }
- jb_set_object(jb, "dns", answer);
- jb_free(answer);
-
- OutputJsonBuilderBuffer(jb, td->ctx);
- jb_free(jb);
- }
+ jb_open_object(jb, "dns");
+ rs_dns_log_json_answer(txptr, td->dnslog_ctx->flags, jb);
+ jb_close(jb);
+ OutputJsonBuilderBuffer(jb, td->ctx);
+ jb_free(jb);
}
SCReturnInt(TM_ECODE_OK);
dnslog_ctx->flags &= ~LOG_QUERIES;
}
} else {
- if (dnslog_ctx->version == DNS_VERSION_2) {
- dnslog_ctx->flags |= LOG_QUERIES;
- }
+ dnslog_ctx->flags |= LOG_QUERIES;
}
const char *response = ConfNodeLookupChildValue(conf, answer_key);
dnslog_ctx->flags &= ~LOG_ANSWERS;
}
} else {
- if (dnslog_ctx->version == DNS_VERSION_2) {
- dnslog_ctx->flags |= LOG_ANSWERS;
- }
+ dnslog_ctx->flags |= LOG_ANSWERS;
}
ConfNode *custom;
}
}
} else {
- if (dnslog_ctx->version == DNS_VERSION_2) {
- dnslog_ctx->flags |= LOG_ALL_RRTYPES;
- }
+ dnslog_ctx->flags |= LOG_ALL_RRTYPES;
}
}
-static DnsVersion JsonDnsParseVersion(ConfNode *conf)
+static void JsonDnsCheckVersion(ConfNode *conf)
{
if (conf == NULL) {
- return DNS_VERSION_DEFAULT;
+ return;
}
- DnsVersion version = DNS_VERSION_DEFAULT;
- intmax_t config_version;
+ static bool v1_deprecation_warned = false;
const ConfNode *has_version = ConfNodeLookupChild(conf, "version");
-
if (has_version != NULL) {
bool invalid = false;
+ intmax_t config_version;
if (ConfGetChildValueInt(conf, "version", &config_version)) {
switch(config_version) {
- case 1:
- version = DNS_VERSION_1;
- break;
case 2:
- version = DNS_VERSION_2;
+ break;
+ case 1:
+ if (!v1_deprecation_warned) {
+ SCLogError(SC_WARN_DEPRECATED,
+ "DNS EVE v1 logging has been removed, will use v2");
+ v1_deprecation_warned = true;
+ }
break;
default:
invalid = true;
invalid = true;
}
if (invalid) {
- SCLogWarning(SC_ERR_INVALID_ARGUMENT,
- "invalid eve-log dns version option: %s, "
- "defaulting to version %u",
- has_version->val, version);
+ SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid EVE DNS version \"%s\", will use v2",
+ has_version->val);
}
- } else {
- SCLogConfig("eve-log dns version not set, defaulting to version %u",
- version);
- }
-
- if (!v1_deprecation_warned && version == DNS_VERSION_1) {
- SCLogWarning(SC_WARN_DEPRECATED, "DNS EVE v1 style logs have been "
- "deprecated and will be removed by May 2022");
- v1_deprecation_warned = true;
}
-
- return version;
}
static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, ConfNode *conf)
dnslog_ctx->flags = ~0ULL;
if (conf) {
- if (dnslog_ctx->version == DNS_VERSION_1) {
- JsonDnsLogParseConfig(dnslog_ctx, conf, "query", "answer", "custom");
- } else {
- JsonDnsLogParseConfig(dnslog_ctx, conf, "requests", "responses", "types");
-
- if (dnslog_ctx->flags & LOG_ANSWERS) {
- ConfNode *format;
- if ((format = ConfNodeLookupChild(conf, "formats")) != NULL) {
- dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
- ConfNode *field;
- TAILQ_FOREACH(field, &format->head, next) {
- if (strcasecmp(field->val, "detailed") == 0) {
- dnslog_ctx->flags |= LOG_FORMAT_DETAILED;
- } else if (strcasecmp(field->val, "grouped") == 0) {
- dnslog_ctx->flags |= LOG_FORMAT_GROUPED;
- }
+ JsonDnsLogParseConfig(dnslog_ctx, conf, "requests", "responses", "types");
+ if (dnslog_ctx->flags & LOG_ANSWERS) {
+ ConfNode *format;
+ if ((format = ConfNodeLookupChild(conf, "formats")) != NULL) {
+ dnslog_ctx->flags &= ~LOG_FORMAT_ALL;
+ ConfNode *field;
+ TAILQ_FOREACH (field, &format->head, next) {
+ if (strcasecmp(field->val, "detailed") == 0) {
+ dnslog_ctx->flags |= LOG_FORMAT_DETAILED;
+ } else if (strcasecmp(field->val, "grouped") == 0) {
+ dnslog_ctx->flags |= LOG_FORMAT_GROUPED;
}
- } else {
- dnslog_ctx->flags |= LOG_FORMAT_ALL;
}
+ } else {
+ dnslog_ctx->flags |= LOG_FORMAT_ALL;
}
}
}
return result;
}
- DnsVersion version = JsonDnsParseVersion(conf);
+ /* As only a single version of logging is supported, this exists to warn about
+ * unsupported versions. */
+ JsonDnsCheckVersion(conf);
OutputJsonCtx *ojc = parent_ctx->data;
output_ctx->data = dnslog_ctx;
output_ctx->DeInit = LogDnsLogDeInitCtxSub;
- dnslog_ctx->version = version;
JsonDnsLogInitFilters(dnslog_ctx, conf);
SCLogDebug("DNS log sub-module initialized");
projects / thirdparty / suricata.git / commitdiff
