static int DetectDnsQuerySetup (DetectEngineCtx *, Signature *, char *);
static void DetectDnsQueryRegisterTests(void);
+static int g_dns_query_buffer_id = 0;
/**
* \brief Registration function for keyword: dns_query
sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_PAYLOAD;
- DetectMpmAppLayerRegister("dns_query", SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_DNSQUERYNAME_MATCH, 2,
+ DetectAppLayerMpmRegister("dns_query", SIG_FLAG_TOSERVER, 2,
PrefilterTxDnsQueryRegister);
- DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_DNSQUERYNAME_MATCH,
+ DetectAppLayerInspectEngineRegister2("dns_query",
+ ALPROTO_DNS, SIG_FLAG_TOSERVER,
DetectEngineInspectDnsQueryName);
+ DetectBufferTypeSetDescriptionByName("dns_query",
+ "dns request query");
+
+ g_dns_query_buffer_id = DetectBufferTypeGetByName("dns_query");
+
/* register these generic engines from here for now */
- DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOSERVER,
- DETECT_SM_LIST_DNSREQUEST_MATCH,
+ DetectAppLayerInspectEngineRegister2("dns_request",
+ ALPROTO_DNS, SIG_FLAG_TOSERVER,
DetectEngineInspectDnsRequest);
- DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOCLIENT,
- DETECT_SM_LIST_DNSRESPONSE_MATCH,
+ DetectAppLayerInspectEngineRegister2("dns_response",
+ ALPROTO_DNS, SIG_FLAG_TOCLIENT,
DetectEngineInspectDnsResponse);
+
+ DetectBufferTypeSetDescriptionByName("dns_request",
+ "dns requests");
+ DetectBufferTypeSetDescriptionByName("dns_response",
+ "dns responses");
}
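Review bot: The id returned by `DetectBufferTypeGetByName("dns_query")` is stored into `g_dns_query_buffer_id` without checking that the lookup succeeded, so a failed lookup leaves the global at its initializer of 0 and `DetectDnsQuerySetup` below then assigns that value to `s->init_data->list` as though it were the dns_query list. Assuming the function reports a missing buffer type with a negative id, a fatal check right after the assignment, `BUG_ON(g_dns_query_buffer_id < 0);`, would turn a silent mis-routing of signature matches into a hard registration failure. The same unchecked result is also passed straight to `SigMatchAppendSMToList` in the lua hunk further down. The enclosing registration function starts before this hunk.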
static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
- s->init_data->list = DETECT_SM_LIST_DNSQUERYNAME_MATCH;
+ s->init_data->list = g_dns_query_buffer_id;
s->alproto = ALPROTO_DNS;
return 0;
}
#ifdef UNITTESTS
+#include "detect-isdataat.h"
+
/** \test simple google.com query matching */
static int DetectDnsQueryTest01(void)
{
return result;
}
+static int DetectDnsQueryIsdataatParseTest(void)
+{
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ Signature *s = DetectEngineAppendSig(de_ctx,
+ "alert dns any any -> any any ("
+ "dns_query; content:\"one\"; "
+ "isdataat:!4,relative; sid:1;)");
+ FAIL_IF_NULL(s);
+
+ SigMatch *sm = s->init_data->smlists_tail[g_dns_query_buffer_id];
+ FAIL_IF_NULL(sm);
+ FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+ DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+ FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+ FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+ FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
+
#endif
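Review bot: The new `DetectDnsQueryIsdataatParseTest` narrows what the removed `DetectIsdataatTestParse16` covered: the old rule placed `isdataat:!4,relative` directly after `dns_query`, whereas the new rule inserts `content:"one"` first, so a relative isdataat with no preceding content match in the dns_query buffer is no longer parsed by any test. If that form is still meant to be accepted, a second signature without the content keyword would keep the coverage; if it is now meant to be rejected, a test asserting that `DetectEngineAppendSig` returns NULL for it would document the change. Separately, every `FAIL_IF*` after `DetectEngineCtxInit` appears to return without reaching `DetectEngineCtxFree`, leaking `de_ctx` on a failing run, which is tolerable in a unit test but worth a one-line comment such as `/* de_ctx is intentionally not freed on the FAIL paths */`.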
static void DetectDnsQueryRegisterTests(void)
UtRegisterTest("DetectDnsQueryTest06 -- pcre", DetectDnsQueryTest06);
UtRegisterTest("DetectDnsQueryTest07 -- app layer event",
DetectDnsQueryTest07);
+
+ UtRegisterTest("DetectDnsQueryIsdataatParseTest",
+ DetectDnsQueryIsdataatParseTest);
#endif
}
fprintf(rule_engine_analysis_FD, "%s",
payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream");
}
- else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
- fprintf(rule_engine_analysis_FD, "dns query name content");
else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
fprintf(rule_engine_analysis_FD, "tls sni extension content");
else if (list_type == DETECT_SM_LIST_TLSISSUER_MATCH)
case DETECT_SM_LIST_FILEMATCH:
return "file";
- case DETECT_SM_LIST_DNSQUERYNAME_MATCH:
- return "dns query name";
- case DETECT_SM_LIST_DNSREQUEST_MATCH:
- return "dns request";
- case DETECT_SM_LIST_DNSRESPONSE_MATCH:
- return "dns response";
-
case DETECT_SM_LIST_TLSSNI_MATCH:
return "tls sni extension";
case DETECT_SM_LIST_TLSISSUER_MATCH:
return result;
}
-/**
- * \test dns_query with isdataat relative to it
- */
-static int DetectIsdataatTestParse16(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
- Signature *s = NULL;
- DetectIsdataatData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dns_query and isdataat\"; "
- "dns_query; isdataat:!4,relative; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("sig parse: ");
- goto end;
- }
-
- s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH] == NULL) {
- printf("dns_query list empty: ");
- goto end;
- }
-
- if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH]->type != DETECT_ISDATAAT) {
- printf("last dns_query body sm not isdataat: ");
- goto end;
- }
-
- data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH]->ctx;
- if ( !(data->flags & ISDATAAT_RELATIVE) ||
- (data->flags & ISDATAAT_RAWBYTES) ||
- !(data->flags & ISDATAAT_NEGATED) ) {
- goto end;
- }
-
- result = 1;
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
/**
* \test DetectIsdataatTestPacket01 is a test to check matches of
* isdataat, and isdataat relative
UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04);
UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05);
UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06);
- UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);
UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
}
} else if (lua->alproto == ALPROTO_DNS) {
if (lua->flags & DATATYPE_DNS_RRNAME) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSQUERYNAME_MATCH);
+ int list = DetectBufferTypeGetByName("dns_query");
+ SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_DNS_REQUEST) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSREQUEST_MATCH);
+ int list = DetectBufferTypeGetByName("dns_request");
+ SigMatchAppendSMToList(s, sm, list);
} else if (lua->flags & DATATYPE_DNS_RESPONSE) {
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSRESPONSE_MATCH);
+ int list = DetectBufferTypeGetByName("dns_response");
+ SigMatchAppendSMToList(s, sm, list);
}
} else if (lua->alproto == ALPROTO_TLS) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
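Review bot: Each DNS branch repeats a `DetectBufferTypeGetByName` lookup whose result is handed to `SigMatchAppendSMToList` without checking that the buffer type was registered; if the lookup reports failure with a negative id, the sigmatch is appended under an invalid list index. Selecting the buffer name in the branches and performing one checked lookup afterwards removes the triplication and gives the check a single place to live. The enclosing function starts and ends outside this hunk.
```c
    } else if (lua->alproto == ALPROTO_DNS) {
        const char *buffer_name = NULL;
        if (lua->flags & DATATYPE_DNS_RRNAME) {
            buffer_name = "dns_query";
        } else if (lua->flags & DATATYPE_DNS_REQUEST) {
            buffer_name = "dns_request";
        } else if (lua->flags & DATATYPE_DNS_RESPONSE) {
            buffer_name = "dns_response";
        }
        if (buffer_name != NULL) {
            int list = DetectBufferTypeGetByName(buffer_name);
            /* assumes a negative id means the buffer type is not registered -- confirm */
            BUG_ON(list < 0);
            SigMatchAppendSMToList(s, sm, list);
        }
    /* … unchanged: ALPROTO_TLS branch and the rest of the chain … */
```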
CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
CASE_CODE_STRING(DETECT_SM_LIST_FILEMATCH, "file");
- CASE_CODE_STRING(DETECT_SM_LIST_DNSREQUEST_MATCH, "dns_request");
- CASE_CODE_STRING(DETECT_SM_LIST_DNSRESPONSE_MATCH, "dns_response");
- CASE_CODE_STRING(DETECT_SM_LIST_DNSQUERYNAME_MATCH, "dns_query");
CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni");
CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer");
CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject");
CASE_CODE(DETECT_SM_LIST_DMATCH);
CASE_CODE(DETECT_SM_LIST_TMATCH);
CASE_CODE(DETECT_SM_LIST_FILEMATCH);
- CASE_CODE(DETECT_SM_LIST_DNSREQUEST_MATCH);
- CASE_CODE(DETECT_SM_LIST_DNSRESPONSE_MATCH);
- CASE_CODE(DETECT_SM_LIST_DNSQUERYNAME_MATCH);
CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH);
CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH);
CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH);
DETECT_SM_LIST_FILEMATCH,
- DETECT_SM_LIST_DNSREQUEST_MATCH, /**< per DNS query tx match list */
- DETECT_SM_LIST_DNSRESPONSE_MATCH, /**< per DNS response tx match list */
- DETECT_SM_LIST_DNSQUERYNAME_MATCH, /**< per query in a tx list */
-
DETECT_SM_LIST_TLSSNI_MATCH,
DETECT_SM_LIST_TLSISSUER_MATCH,
DETECT_SM_LIST_TLSSUBJECT_MATCH,