From: Sascha Steinbiss Date: Tue, 3 Nov 2020 18:29:00 +0000 (+0100) Subject: dns: parse SRV records X-Git-Tag: suricata-7.0.0-beta1~1953 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08a6f1441a657a4424d00011e9bba96d5952042b;p=thirdparty%2Fsuricata.git dns: parse SRV records
---
diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
index 4586be589d..4f2d9a38b6 100644
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@@ -259,6 +259,18 @@ pub struct DNSRDataSSHFP {
 pub fingerprint: Vec,
 }
+#[derive(Debug,PartialEq)]
+pub struct DNSRDataSRV {
+ /// Priority
+ pub priority: u16,
+ /// Weight
+ pub weight: u16,
+ /// Port
+ pub port: u16,
+ /// Target
+ pub target: Vec,
+}
+
 /// Represents RData of various formats
 #[derive(Debug,PartialEq)]
 pub enum DNSRData {
@@ -275,6 +287,7 @@ pub enum DNSRData {
 NULL(Vec),
 // RData has several fields
 SOA(DNSRDataSOA),
+ SRV(DNSRDataSRV),
 SSHFP(DNSRDataSSHFP),
 // RData for remaining types is sometimes ignored
 Unknown(Vec),
diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs
index 2b1286f77d..12c6358c7e 100644
--- a/rust/src/dns/log.rs
+++ b/rust/src/dns/log.rs
@@ -429,6 +429,20 @@ fn dns_log_sshfp(sshfp: &DNSRDataSSHFP) -> Result
 return Ok(js);
 }
+/// Log SRV section fields.
+fn dns_log_srv(srv: &DNSRDataSRV) -> Result
+{
+ let mut js = JsonBuilder::new_object();
+
+ js.set_uint("priority", srv.priority as u64)?;
+ js.set_uint("weight", srv.weight as u64)?;
+ js.set_uint("port", srv.port as u64)?;
+ js.set_string_from_bytes("name", &srv.target)?;
+
+ js.close()?;
+ return Ok(js);
+}
+
 fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result
 {
 let mut jsa = JsonBuilder::new_object();
@@ -455,6 +469,9 @@ fn dns_log_json_answer_detail(answer: &DNSAnswerEntry) -> Result
 {
 jsa.set_object("sshfp", &dns_log_sshfp(&sshfp)?)?;
 }
+ DNSRData::SRV(srv) => {
+ jsa.set_object("srv", &dns_log_srv(&srv)?)?;
+ }
 _ => {}
 }
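Review bot: `DNSRDataSRV` in rust/src/dns/dns.rs has no doc comment of its own, and the field comments only repeat the field names. A struct-level line such as `/// RData of an SRV record (RFC 2782).` would say what the type represents. The comment on `target` could state that it holds the name bytes exactly as `dns_parse_name` returns them for a response off the wire, so consumers treat it as untrusted bytes and not as validated text.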
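Review bot: In `dns_log_srv` (rust/src/dns/log.rs) the three `u16` fields are widened with `as u64`; `u64::from(srv.priority)` documents that the conversion is lossless and would fail to compile instead of truncating if a field type ever changed. The trailing `return Ok(js);` could be the plain expression `Ok(js)`, although the explicit form matches `dns_log_sshfp` directly above. `srv.target` is logged as received, so the record relies on `set_string_from_bytes` to escape control and non-UTF-8 bytes; that helper is not visible in this diff, and a one-line comment stating the assumption would help log consumers.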
@@ -546,6 +563,15 @@ fn dns_log_json_answer(js: &mut JsonBuilder, response: &DNSResponse, flags: u64)
 a.append_object(&dns_log_sshfp(&sshfp)?)?;
 }
 },
+ DNSRData::SRV(srv) => {
+ if !answer_types.contains_key(&type_string) {
+ answer_types.insert(type_string.to_string(),
+ JsonBuilder::new_array());
+ }
+ if let Some(a) = answer_types.get_mut(&type_string) {
+ a.append_object(&dns_log_srv(&srv)?)?;
+ }
+ },
 _ => {}
 }
 }
diff --git a/rust/src/dns/lua.rs b/rust/src/dns/lua.rs
index c1731b6f46..57a492f1da 100644
--- a/rust/src/dns/lua.rs
+++ b/rust/src/dns/lua.rs
@@ -199,6 +199,11 @@ pub extern "C" fn rs_dns_lua_get_answer_table(clua: &mut CLuaState,
 lua.pushstring(&String::from_utf8_lossy(&sshfp.fingerprint));
 lua.settable(-3);
 },
+ DNSRData::SRV(ref srv) => {
+ lua.pushstring("addr");
+ lua.pushstring(&String::from_utf8_lossy(&srv.target));
+ lua.settable(-3);
+ },
 }
 lua.settable(-3);
 }
diff --git a/rust/src/dns/parser.rs b/rust/src/dns/parser.rs
index c821f13d9d..a3164e3286 100644
--- a/rust/src/dns/parser.rs
+++ b/rust/src/dns/parser.rs
@@ -319,6 +319,23 @@ fn dns_parse_rdata_mx<'a>(input: &'a [u8], message: &'a [u8])
 )
 }
+fn dns_parse_rdata_srv<'a>(input: &'a [u8], message: &'a [u8])
+ -> IResult<&'a [u8], DNSRData> {
+ do_parse!(
+ input,
+ priority: be_u16 >>
+ weight: be_u16 >>
+ port: be_u16 >>
+ target: call!(dns_parse_name, message) >>
+ (DNSRData::SRV(DNSRDataSRV{
+ priority,
+ weight,
+ port,
+ target,
+ }))
+ )
+}
+
 fn dns_parse_rdata_txt<'a>(input: &'a [u8])
 -> IResult<&'a [u8], DNSRData> {
 do_parse!(
@@ -372,6 +389,7 @@ pub fn dns_parse_rdata<'a>(input: &'a [u8], message: &'a [u8], rrtype: u16)
 DNS_RECORD_TYPE_TXT => dns_parse_rdata_txt(input),
 DNS_RECORD_TYPE_NULL => dns_parse_rdata_null(input),
 DNS_RECORD_TYPE_SSHFP => dns_parse_rdata_sshfp(input),
+ DNS_RECORD_TYPE_SRV => dns_parse_rdata_srv(input, message),
 _ => dns_parse_rdata_unknown(input),
 }
 }
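Review bot: The new `DNSRData::SRV` arm in `dns_log_json_answer` (rust/src/dns/log.rs) copies the `contains_key` / `insert` / `get_mut` sequence of the SSHFP arm just above it, so the map is looked up three times per answer and the two arms can drift apart. If `answer_types` is a standard `HashMap`, which the hunk does not show, the entry API does this in one step: `answer_types.entry(type_string.to_string()).or_insert_with(JsonBuilder::new_array).append_object(&dns_log_srv(&srv)?)?;`. This allocates the key on every call, so a small shared helper for both arms is the alternative if that cost matters. The function starts and ends outside this hunk.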
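Review bot: The `DNSRData::SRV` arm in `rs_dns_lua_get_answer_table` (rust/src/dns/lua.rs) puts only the target into the Lua table, under the key `"addr"`. Priority, weight and port are parsed and written to the JSON log, but a Lua detection script cannot see them, so it cannot match on the port an SRV answer points to. The key name also suggests an IP address while an SRV target is a host name; if `"addr"` is kept for consistency with the other arms, which are not visible in this hunk, a comment such as `// SRV target is a host name; key kept as "addr" for script compatibility` would prevent misuse. `from_utf8_lossy` replaces invalid bytes with U+FFFD, so scripts get a lossy view of the wire bytes. The function body extends beyond the hunk on both sides.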
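Review bot: `dns_parse_rdata_srv` (rust/src/dns/parser.rs) parses attacker-supplied wire data but has no doc comment, and the hunks shown here add no unit test for it. A header such as `/// Parse SRV rdata (RFC 2782): priority, weight and port as big-endian u16, followed by the target name.` would document the layout. A test should cover one well-formed record, rdata truncated inside the three `u16` fields, and rdata truncated inside the target. The target is resolved with `dns_parse_name` against the whole message, so compression pointers are followed; whether pointer loops and out-of-range offsets are bounded depends on that function, which is outside this diff, and the doc comment should state that reliance.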