From: Russ Combs (rucombs) Date: Tue, 10 Aug 2021 19:58:25 +0000 (+0000) Subject: Merge pull request #2946 in SNORT/snort3 from ~BRASTULT/snort3:dns_splitter to master X-Git-Tag: 3.1.10.0~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8754a6be6c2e8798b5014e8e30e71d896c61145e;p=thirdparty%2Fsnort3.git Merge pull request #2946 in SNORT/snort3 from ~BRASTULT/snort3:dns_splitter to master Squashed commit of the following: commit b40a755375381c084237a3113cc74a74857aabb3 Author: Brandon Stultz Date: Tue Jun 15 17:31:03 2021 -0400 dns: add DNS splitter --- diff --git a/src/service_inspectors/dns/CMakeLists.txt b/src/service_inspectors/dns/CMakeLists.txt index 4265a76d7..151d3ae57 100644 --- a/src/service_inspectors/dns/CMakeLists.txt +++ b/src/service_inspectors/dns/CMakeLists.txt @@ -4,6 +4,8 @@ set( FILE_LIST dns.h dns_module.cc dns_module.h + dns_splitter.cc + dns_splitter.h ) if (STATIC_INSPECTORS) diff --git a/src/service_inspectors/dns/dns.cc b/src/service_inspectors/dns/dns.cc index 4b830982b..bcd1e2d81 100644 --- a/src/service_inspectors/dns/dns.cc +++ b/src/service_inspectors/dns/dns.cc @@ -34,6 +34,7 @@ #include "stream/stream.h" #include "dns_module.h" +#include "dns_splitter.h" using namespace snort; @@ -1012,6 +1013,7 @@ public: Dns(DnsModule*); void eval(Packet*) override; + StreamSplitter* get_splitter(bool) override; }; Dns::Dns(DnsModule*) @@ -1027,6 +1029,11 @@ void Dns::eval(Packet* p) snort_dns(p); } +StreamSplitter* Dns::get_splitter(bool c2s) +{ + return new DnsSplitter(c2s); +} + //------------------------------------------------------------------------- // api stuff //------------------------------------------------------------------------- diff --git a/src/service_inspectors/dns/dns_splitter.cc b/src/service_inspectors/dns/dns_splitter.cc new file mode 100644 index 000000000..1b350a9a1 --- /dev/null +++ b/src/service_inspectors/dns/dns_splitter.cc 
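Review bot: `Dns::get_splitter` returns a bare `new DnsSplitter(c2s)` and neither the definition nor the new declaration in the class says who owns and releases that object, which is the one thing a reader of this hunk cannot tell from the code. A comment above the definition such as `// ownership of the returned splitter passes to the caller (presumably the stream layer), which deletes it` would state the contract — confirm against stream_splitter.h and the other get_splitter overrides before wording it. Since the same splitter type is installed for both directions and `c2s` is only forwarded, a short note that both client and server sides of TCP DNS carry the same 2-byte length prefix would also explain why no per-direction logic is needed.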
@@ -0,0 +1,53 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// dns_splitter.cc author Brandon Stultz
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "dns_splitter.h"
+
+#include
+
+using namespace snort;
+
+StreamSplitter::Status DnsSplitter::scan(
+ Packet*, const uint8_t* data, uint32_t len,
+ uint32_t, uint32_t* fp)
+{
+ assert(len > 0);
+
+ if ( partial )
+ {
+ *fp = size + *data + 1;
+ partial = false;
+ return FLUSH;
+ }
+
+ if ( len == 1 )
+ {
+ size = *data << 8;
+ partial = true;
+ return SEARCH;
+ }
+
+ *fp = (*data << 8) + data[1] + 2;
+ return FLUSH;
+}
+
diff --git a/src/service_inspectors/dns/dns_splitter.h b/src/service_inspectors/dns/dns_splitter.h
new file mode 100644
index 000000000..ba68931d1
--- /dev/null
+++ b/src/service_inspectors/dns/dns_splitter.h
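Review bot: The flush-point arithmetic in `DnsSplitter::scan` is undocumented and rests on an unstated invariant: `*fp` is treated as an offset from the start of the current `data`, so in the `partial` branch the high length byte consumed by the previous call is deliberately not counted and only the low byte is (`+ 1`), while the whole-prefix path counts both (`+ 2`). A header comment such as `// TCP DNS: 2-byte big-endian length prefix precedes each message; fp is relative to data, so a prefix split across segments only counts the low byte here` would spare the next reader from re-deriving it — worth confirming that fp is indeed segment-relative in the PAF code before wording it. The `partial`/`size` pair also persists across calls with nothing clearing it except the next scan; if StreamSplitter exposes a reset hook for splitters that are reused, overriding it to clear both would avoid applying a stale high byte to unrelated data, which is a correctness question rather than a style one. Finally a zero length prefix is accepted and yields `*fp = 2`, i.e. a length-only PDU with no DNS payload is flushed to the inspector rather than rejected; that is a defensible choice but deserves a one-line comment so it is not mistaken for an oversight.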
@@ -0,0 +1,42 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// dns_splitter.h author Brandon Stultz
+
+#ifndef DNS_SPLITTER_H
+#define DNS_SPLITTER_H
+
+#include "stream/stream_splitter.h"
+
+class DnsSplitter : public snort::StreamSplitter
+{
+public:
+ DnsSplitter(bool c2s) : snort::StreamSplitter(c2s) { }
+
+ Status scan(snort::Packet* p, const uint8_t* data, uint32_t len,
+ uint32_t flags, uint32_t* fp) override;
+
+ bool is_paf() override
+ { return true; }
+
+private:
+ bool partial = false;
+ uint16_t size = 0;
+};
+
+#endif
+
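Review bot: `DnsSplitter(bool c2s)` is a single-argument constructor left implicit, so any value convertible to `bool` silently becomes a splitter; `explicit DnsSplitter(bool c2s) : snort::StreamSplitter(c2s) { }` is the usual guard and costs nothing here. The two private members are undocumented although scan's correctness hinges on them carrying state between calls; `bool partial = false; // high byte of the 2-byte TCP length prefix ended the previous segment` and `uint16_t size = 0; // that high byte, already shifted into position` would make the carry-over explicit. The header uses uint8_t/uint16_t/uint32_t but includes only stream_splitter.h, so it relies on that header pulling in <cstdint> — fine if it does, otherwise an explicit include is cheap. The declaration names `p` and `flags` while the definition in dns_splitter.cc omits both; keeping the two consistent is a minor tidy.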