From: Jason Ish
Date: Tue, 21 Dec 2021 22:34:05 +0000 (-0600)
Subject: dns: create transaction even if z-bit was set
X-Git-Tag: suricata-5.0.9~109
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63d85546babee6d89acb5d0339fe47131d76f4f7;p=thirdparty%2Fsuricata.git

dns: create transaction even if z-bit was set

It appears that DNS servers will still process a DNS request even if the z-bit is set, our parser will fail the transaction. So create the transaction, but still set the event.

Ticket #4924

(cherry picked from commit fcbdc304265aaba724b245a5c3f02e00c8059a1a)
---
diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
index 2b73ef2dd5..1fe8ae5c1f 100644
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@@ -358,15 +358,17 @@ impl DNSState {
                     return false;
                 }
 
-                if request.header.flags & 0x0040 != 0 {
-                    SCLogDebug!("Z-flag set on DNS response");
-                    self.set_event(DNSEvent::ZFlagSet);
-                    return false;
-                }
+                let z_flag = request.header.flags & 0x0040 != 0;
 
                 let mut tx = self.new_tx();
                 tx.request = Some(request);
                 self.transactions.push(tx);
+
+                if z_flag {
+                    SCLogDebug!("Z-flag set on DNS response");
+                    self.set_event(DNSEvent::ZFlagSet);
+                }
+
                 return true;
             }
             Err(nom::Err::Incomplete(_)) => {
@@ -395,15 +397,17 @@ impl DNSState {
                     self.set_event(DNSEvent::NotResponse);
                 }
 
-                if response.header.flags & 0x0040 != 0 {
-                    SCLogDebug!("Z-flag set on DNS response");
-                    self.set_event(DNSEvent::ZFlagSet);
-                    return false;
-                }
+                let z_flag = response.header.flags & 0x0040 != 0;
 
                 let mut tx = self.new_tx();
                 tx.response = Some(response);
                 self.transactions.push(tx);
+
+                if z_flag {
+                    SCLogDebug!("Z-flag set on DNS response");
+                    self.set_event(DNSEvent::ZFlagSet);
+                }
+
                 return true;
             }
             Err(nom::Err::Incomplete(_)) => {
diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c
index b0a854ab01..35d417b131 100644
--- a/src/detect-dns-query.c
+++ b/src/detect-dns-query.c
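Review bot: The debug message moved into the request path still reads `SCLogDebug!("Z-flag set on DNS response");` although this hunk (@@ -358) handles a request; the same text is correct in the response hunk at @@ -395, so `SCLogDebug!("Z-flag set on DNS request");` here would keep the two paths distinguishable in debug output. The reordering itself looks load-bearing: set_event is not in the hunk, but if it attaches the event to the most recently pushed transaction, raising ZFlagSet only after `self.transactions.push(tx)` is what makes the event land on this transaction, and a one-line comment such as `// raise the event after the push so it is recorded on this transaction` would stop a later refactor from moving it back above new_tx(). The mask `0x0040` is repeated verbatim in both hunks; a named constant for the Z bit would document which header flag is meant. parse_request's body starts and ends outside the hunk.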
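Review bot: The `self.set_event(DNSEvent::NotResponse);` context line at the top of the @@ -395 hunk still runs before `self.new_tx()`, so it keeps the ordering the commit just corrected for ZFlagSet: if set_event records on the most recently pushed transaction (its definition is not visible here), NotResponse lands on the previous transaction or is dropped when none exists yet. Deferring it the same way, by computing a `not_response` flag next to `z_flag` and calling set_event after the push, would keep both events attached to the transaction they describe. This is an inference about set_event's behaviour and is worth confirming against its definition before changing. parse_response's body starts and ends outside the hunk.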
@@ -1156,8 +1156,8 @@ static int DetectDnsQueryTest07(void)
     FLOWLOCK_WRLOCK(&f);
     r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
                             buf2, sizeof(buf2));
-    if (r != -1) {
-        printf("toserver client 1 returned %" PRId32 ", expected -1\n", r);
+    if (r != 0) {
+        printf("toserver client 1 returned %" PRId32 ", expected 0\n", r);
         FLOWLOCK_UNLOCK(&f);
         FAIL;
     }
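Review bot: The updated check only pins the return value of AppLayerParserParse to 0; nothing in this hunk verifies that a transaction was created or that the ZFlagSet event is still raised on it, which is the behaviour the commit means to preserve, so a regression that silently drops the event would still pass. Adding an assertion on the transaction count and on the event after the parse call would cover it; the rest of DetectDnsQueryTest07 is outside the hunk, so it may already do so. The printf text `toserver client 1` also describes a STREAM_TOCLIENT parse; `toclient 1 returned` would match the direction being tested.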