From: Rishabh Choudhary (rishacho)
Date: Tue, 10 Sep 2024 07:22:07 +0000 (+0000)
Subject: Pull request #4427: appid: dns sinkhole support for edns
X-Git-Tag: 3.3.7.0~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ae5cc328fbe3bd95cce5add93f98befc9a2f7b1;p=thirdparty%2Fsnort3.git

Pull request #4427: appid: dns sinkhole support for edns

Merge in SNORT/snort3 from ~RISHACHO/snort3:dns_sinkhole to master

Squashed commit of the following:

commit a63ed896fa9b21e1267b9c397c2104d7111c40e3
Author: Rishabh Choudhary
Date: Tue Aug 27 00:28:11 2024 +0530

    appid: dns sinkhole support for edns
---
diff --git a/src/network_inspectors/appid/appid_dns_session.h b/src/network_inspectors/appid/appid_dns_session.h
index c54dadcd7..d2ea64ef3 100644
--- a/src/network_inspectors/appid/appid_dns_session.h
+++ b/src/network_inspectors/appid/appid_dns_session.h
@@ -43,6 +43,7 @@ public:
         host_offset = 0;
         record_type = 0;
         ttl = 0;
+        options_offset = 0;
     }
 
     uint8_t get_state() const
@@ -93,6 +94,12 @@ public:
     void set_host_offset(uint16_t hostOffset)
     { host_offset = hostOffset; }
 
+    uint16_t get_options_offset() const
+    { return options_offset; }
+
+    void set_options_offset(uint16_t optionsOffset)
+    { options_offset = optionsOffset; }
+
 protected:
     uint8_t state = 0;
     uint8_t response_type = 0;
@@ -101,5 +108,6 @@ protected:
     uint32_t ttl = 0;
     std::string host;
     uint16_t host_offset = 0;
+    uint16_t options_offset = 0;
 };
 #endif
diff --git a/src/network_inspectors/appid/detector_plugins/detector_dns.cc b/src/network_inspectors/appid/detector_plugins/detector_dns.cc
index 9170454a4..b891e803a 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_dns.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_dns.cc
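Review bot: The new `options_offset` member in the third hunk (protected section, class AppIdDnsSession whose header is outside the hunk) has no comment saying what it is an offset into or what it points at, and the getter/setter in the second hunk say no more. The only writer in this patch is detector_dns.cc, which stores the query parser's `*offset` after the question is consumed, so the value appears to mark the end of the question section rather than the EDNS OPT record itself; I would document that with `uint16_t options_offset = 0;  // offset into the DNS payload just past the parsed question section; additional (EDNS OPT) records may start here` and the same sentence on `get_options_offset()`. Any consumer that later reads an OPT record at this offset must still check it against the payload length and the header section counts, since answer/authority RRs can precede the additional section; that consumer is not part of this change, so a note at the getter is the right place to say so.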
@@ -187,7 +187,7 @@ DnsUdpServiceDetector::DnsUdpServiceDetector(ServiceDiscovery* sd)
 
 APPID_STATUS_CODE DnsValidator::add_dns_query_info(AppIdSession& asd, uint16_t id,
     const uint8_t* host, uint8_t host_len, uint16_t host_offset, uint16_t record_type,
-    AppidChangeBits& change_bits)
+    uint16_t options_offset, AppidChangeBits& change_bits)
 {
     AppIdDnsSession* dsession = asd.get_dns_session();
     if (!dsession)
@@ -211,6 +211,7 @@ APPID_STATUS_CODE DnsValidator::add_dns_query_info(AppIdSession& asd, uint16_t i
             return APPID_NOMATCH;
         dsession->set_host(new_host, change_bits);
         dsession->set_host_offset(host_offset);
+        dsession->set_options_offset(options_offset);
         snort_free(new_host);
     }
 }
@@ -357,10 +358,10 @@ int DnsValidator::dns_validate_query(const uint8_t* data, uint16_t* offset, uint
         case PATTERN_SOA_REC:
         case PATTERN_NS_REC:
         case PATTERN_ANY_REC:
-            ret = add_dns_query_info(asd, id, host, host_len, host_offset, record_type, change_bits);
+            ret = add_dns_query_info(asd, id, host, host_len, host_offset, record_type, *offset, change_bits);
             break;
         case PATTERN_PTR_REC:
-            ret = add_dns_query_info(asd, id, nullptr, 0, 0, record_type, change_bits);
+            ret = add_dns_query_info(asd, id, nullptr, 0, 0, record_type, *offset, change_bits);
             break;
         default:
             break;
diff --git a/src/network_inspectors/appid/detector_plugins/detector_dns.h b/src/network_inspectors/appid/detector_plugins/detector_dns.h
index 7d01e0cb9..fd867bc31 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_dns.h
+++ b/src/network_inspectors/appid/detector_plugins/detector_dns.h
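Review bot: In the second hunk `dsession->set_options_offset(options_offset);` is placed inside the brace block that owns `new_host`, next to `set_host` and `set_host_offset`; the guard of that block is outside the hunk, but the PTR_REC call site in the third hunk passes `nullptr, 0, 0` for the host, which suggests the block is entered only when a host was supplied. If so, the `*offset` passed for PTR queries is never stored and `options_offset` keeps whatever value it had before (0 after `reset()`), so a sinkhole lookup on a PTR query would be working from a stale or zero offset. Since the offset does not depend on the host, I would move the call out of the host block to where `record_type` is recorded (that line is outside the hunk), `dsession->set_options_offset(options_offset);` immediately after `dsession->set_record_type(record_type);`. The rest of add_dns_query_info's body and the caller dns_validate_query begin and end outside these hunks.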
@@ -32,7 +32,7 @@ class DnsValidator
 {
 protected:
     APPID_STATUS_CODE add_dns_query_info(AppIdSession&, uint16_t, const uint8_t*,
-        uint8_t, uint16_t, uint16_t, AppidChangeBits&);
+        uint8_t, uint16_t, uint16_t, uint16_t, AppidChangeBits&);
     APPID_STATUS_CODE add_dns_response_info(AppIdSession&, uint16_t, const uint8_t*,
         uint8_t, uint16_t, uint8_t, uint32_t, AppidChangeBits&);
     APPID_STATUS_CODE dns_validate_label(const uint8_t*, uint16_t&, uint16_t, uint8_t&, bool&);
diff --git a/src/network_inspectors/appid/test/appid_mock_session.h b/src/network_inspectors/appid/test/appid_mock_session.h
index 8ed886671..6dd9905d9 100644
--- a/src/network_inspectors/appid/test/appid_mock_session.h
+++ b/src/network_inspectors/appid/test/appid_mock_session.h
@@ -39,6 +39,7 @@ char const* APPID_UT_SERVICE_IP_ADDR = "192.168.0.2";
 char const* APPID_UT_INITIATOR_IP_ADDR = "192.168.0.3";
 char const* APPID_ID_UT_DNS_HOST = "delphi.opendns.com";
 
+#define APPID_UT_DNS_OPTIONS_OFFSET 28
 #define APPID_UT_DNS_HOST_OFFSET 22
 #define APPID_UT_DNS_PATTERN_CNAME_REC 5
 #define APPID_UT_DNS_NOERROR 0
@@ -69,6 +70,7 @@ public:
     {
         host = (const char*) APPID_ID_UT_DNS_HOST;
         host_offset = APPID_UT_DNS_HOST_OFFSET;
+        options_offset = APPID_UT_DNS_OPTIONS_OFFSET;
         record_type = APPID_UT_DNS_PATTERN_CNAME_REC;
         response_type = APPID_UT_DNS_NOERROR;
         ttl = APPID_UT_DNS_TTL;
diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc
index 2a54ff1c1..cb1bf8c4a 100644
--- a/src/network_inspectors/appid/test/appid_session_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_session_api_test.cc
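Review bot: The add_dns_query_info declaration in the first hunk now has three consecutive unnamed `uint16_t` parameters (host_offset, record_type, options_offset), so nothing in the header tells a caller which position is which and a swapped argument would compile silently. Naming them in the declaration costs nothing and matches the definition in detector_dns.cc: `APPID_STATUS_CODE add_dns_query_info(AppIdSession&, uint16_t id, const uint8_t* host,` / `uint8_t host_len, uint16_t host_offset, uint16_t record_type, uint16_t options_offset, AppidChangeBits&);`. The class DnsValidator body continues past this hunk; the two appid_mock_session.h hunks are test fixtures and need nothing.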
@@ -539,6 +539,10 @@ TEST(appid_session_api, appid_dns_api)
     qoff = dsession->get_host_offset();
     CHECK_TRUE(qoff == APPID_UT_DNS_HOST_OFFSET);
 
+    uint16_t opoff;
+    opoff = dsession->get_options_offset();
+    CHECK_TRUE(opoff == APPID_UT_DNS_OPTIONS_OFFSET);
+
     uint16_t rt;
     rt = dsession->get_record_type();
     CHECK_TRUE(rt == APPID_UT_DNS_PATTERN_CNAME_REC);
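Review bot: The added check only reads back the value the mock session assigns in appid_mock_session.h, so it exercises the new accessor but none of the new logic in detector_dns.cc, where `*offset` is threaded through add_dns_query_info for both the named-host and PTR_REC call sites. Unless it is covered elsewhere, a test that drives dns_validate_query with a small query containing an OPT record and asserts `get_options_offset()` equals the offset just past the question section, for a PTR query as well, would catch the case where the value is not stored. A smaller style point: the surrounding code declares and assigns on separate lines, so the new `uint16_t opoff;` / `opoff = ...` pair is consistent, but `uint16_t opoff = dsession->get_options_offset();` would read better if the file is ever tidied. The TEST body begins and ends outside the hunk.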