From: Jason Ish
Date: Tue, 28 Jan 2025 22:15:00 +0000 (-0600)
Subject: dns: rename dns.response keyword to dns.response.rrname
X-Git-Tag: suricata-8.0.0-beta1~321
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a026293b4296e1a7598730eb4260080c30881617;p=thirdparty%2Fsuricata.git
dns: rename dns.response keyword to dns.response.rrname
This is a better name as the keyword is looking at all rrname type fields in the response.
---
diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst
index 3f0efe4c8f..9a88475d67 100644
--- a/doc/userguide/rules/dns-keywords.rst
+++ b/doc/userguide/rules/dns-keywords.rst
@@ -177,23 +177,30 @@ resource name, for example "www.suricata.io". ``dns.query.name`` was introduced in Suricata 8.0.0. -dns.response ------------- +dns.response.rrname +------------------- -``dns.response`` is a sticky buffer that is used to look at all name and -rdata fields of DNS response (answer) resource records. It supports -inspecting all DNS response sections. Example:: +``dns.response.rrname`` is a sticky buffer that is used to look at all name +and rdata fields of DNS response (answer) resource records that are +represented as a resource name (hostname). It supports inspecting all +DNS response sections. Example:: - alert dns any any -> any any (msg:"Test dns.response option"; dns.response; content:"google"; nocase; sid:1;) + alert dns any any -> any any (msg:"Test dns.response.rrname option"; \ + dns.response.rrname; content:"google"; nocase; sid:1;) -rdata field matching supports a subset of types that contain -domain name structured data, for example: "www.suricata.io". -The list of types inspected is: -CNAME, PTR, MX, NS, SOA (mname data: primary name server). +``rdata`` field matching supports a subset of types that contain +domain name structured data, for example: "www.suricata.io". The list +of types inspected is: + +* CNAME +* PTR +* MX +* NS +* SOA (mname data: primary name server) The buffer being matched on contains the complete re-assembled resource name, for example "www.suricata.io". -``dns.response`` supports :doc:`multi-buffer-matching`. +``dns.response.rrname`` supports :doc:`multi-buffer-matching`. -``dns.response`` was introduced in Suricata 8.0.0. +``dns.response.rrname`` was introduced in Suricata 8.0.0. diff --git a/src/detect-dns-response.c b/src/detect-dns-response.c index ab544f89da..d15fb94280 100644 --- a/src/detect-dns-response.c +++ b/src/detect-dns-response.c @@ -18,7 +18,7 @@ /** * \file * - * Detect keyword for DNS response: dns.response + * Detect keyword for DNS response: dns.response.rrname */ #include "detect.h" 
@@ -311,10 +311,10 @@ static int DetectDnsResponsePrefilterMpmRegister(DetectEngineCtx *de_ctx, SigGro void DetectDnsResponseRegister(void) { - static const char *keyword = "dns.response"; + static const char *keyword = "dns.response.rrname"; sigmatch_table[DETECT_DNS_RESPONSE].name = keyword; sigmatch_table[DETECT_DNS_RESPONSE].desc = "DNS response sticky buffer"; - sigmatch_table[DETECT_DNS_RESPONSE].url = "/rules/dns-keywords.html#dns-response"; + sigmatch_table[DETECT_DNS_RESPONSE].url = "/rules/dns-keywords.html#dns-response-rrname"; sigmatch_table[DETECT_DNS_RESPONSE].Setup = DetectSetup; #ifdef UNITTESTS sigmatch_table[DETECT_DNS_RESPONSE].RegisterTests = DetectDnsResponseRegisterTests; @@ -328,7 +328,7 @@ void DetectDnsResponseRegister(void) DetectAppLayerMpmRegister(keyword, SIG_FLAG_TOCLIENT, 2, DetectDnsResponsePrefilterMpmRegister, NULL, ALPROTO_DNS, 1); - DetectBufferTypeSetDescriptionByName(keyword, "dns response"); + DetectBufferTypeSetDescriptionByName(keyword, "dns response rrname"); DetectBufferTypeSupportsMultiInstance(keyword); detect_buffer_id = DetectBufferTypeGetByName(keyword); @@ -409,9 +409,10 @@ static int DetectDnsResponseTest01(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response query name match\"; " - "dns.response; content:\"google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response query name match\"; " + "dns.response.rrname; content:\"google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); 
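Review bot: The registration keeps `sigmatch_table[DETECT_DNS_RESPONSE].desc = "DNS response sticky buffer";` while the buffer description in the following hunk becomes "dns response rrname", so the two human-readable strings for the same keyword now disagree; `sigmatch_table[DETECT_DNS_RESPONSE].desc = "DNS response rrname sticky buffer";` would keep them aligned with the new name and the updated doc anchor. Only the new name is registered and no alias for the old `dns.response` is added, so rulesets written against earlier 8.0 development builds will presumably be rejected at load time with an unknown-keyword error rather than matching silently — acceptable this side of a release, but a sentence in the commit message or upgrade notes would save rule authors a surprise. DetectDnsResponseRegister's body continues past the hunk.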
@@ -519,9 +520,10 @@ static int DetectDnsResponseTest02(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response answer name match\"; " - "dns.response; content:\"google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response answer name match\"; " + "dns.response.rrname; content:\"google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); @@ -680,9 +682,10 @@ static int DetectDnsResponseTest03(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response authority name match\"; " - "dns.response; content:\"google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response authority name match\"; " + "dns.response.rrname; content:\"google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); @@ -816,9 +819,10 @@ static int DetectDnsResponseTest04(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response additional name match\"; " - "dns.response; content:\"ns1.google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response additional name match\"; " + "dns.response.rrname; content:\"ns1.google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 
@@ -1002,9 +1006,10 @@ static int DetectDnsResponseTest05(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response answer data match\"; " - "dns.response; content:\"mail.google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response answer data match\"; " + "dns.response.rrname; content:\"mail.google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); @@ -1143,9 +1148,10 @@ static int DetectDnsResponseTest06(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response 2nd answer data match\"; " - "dns.response; content:\"ns2.google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response 2nd answer data match\"; " + "dns.response.rrname; content:\"ns2.google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); @@ -1294,9 +1300,10 @@ static int DetectDnsResponseTest07(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response authority data match\"; " - "dns.response; content:\"ns1.google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response authority data match\"; " + "dns.response.rrname; content:\"ns1.google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); 
@@ -1493,9 +1500,10 @@ static int DetectDnsResponseTest08(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response additional data match\"; " - "dns.response; content:\"ns2.google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response additional data match\"; " + "dns.response.rrname; content:\"ns2.google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); @@ -1593,9 +1601,10 @@ static int DetectDnsResponseTest09(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response query name match tcp\"; " - "dns.response; content:\"google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response query name match tcp\"; " + "dns.response.rrname; content:\"google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); 
@@ -1776,13 +1785,15 @@ static int DetectDnsResponseTest10(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response multi tx answer match\"; " - "dns.response; content:\"mail.google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response multi tx answer match\"; " + "dns.response.rrname; content:\"mail.google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response multi tx additional match\"; " - "dns.response; content:\"ns2.google.com\"; nocase; sid:2;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response multi tx additional match\"; " + "dns.response.rrname; content:\"ns2.google.com\"; nocase; sid:2;)"); FAIL_IF_NULL(s); s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " "(msg:\"Test dns response multi tx additional match\"; " @@ -2033,12 +2044,12 @@ static int DetectDnsResponseTest11(void) s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " "(msg:\"Test dns response pcre match\"; " - "dns.response; content:\"google\"; nocase; " + "dns.response.rrname; content:\"google\"; nocase; " "pcre:\"/ns2\\.google\\.com$/i\"; sid:1;)"); FAIL_IF_NULL(s); s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " "(msg:\"Test dns response pcre match\"; " - "dns.response; content:\"google\"; nocase; " + "dns.response.rrname; content:\"google\"; nocase; " "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)"); FAIL_IF_NULL(s); 
@@ -2144,9 +2155,10 @@ static int DetectDnsResponseTest12(void) de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->flags |= DE_QUIET; - s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " - "(msg:\"Test dns response additional name match\"; " - "dns.response; content:\"ns2.google.com\"; nocase; sid:1;)"); + s = DetectEngineAppendSig(de_ctx, + "alert dns any any -> any any " + "(msg:\"Test dns response additional name match\"; " + "dns.response.rrname; content:\"ns2.google.com\"; nocase; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx); @@ -2182,7 +2194,7 @@ static int DetectDnsResponseTest12(void) } /** - * \test Verify transform applies to dns.response sticky buffer. + * \test Verify transform applies to dns.response.rrname sticky buffer. * Test using "to_uppercase". ns2.google.com response matching * 2nd additional section name field. */ @@ -2254,7 +2266,7 @@ static int DetectDnsResponseTest13(void) s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " "(msg:\"Test dns response additional name match with transform\"; " - "dns.response; to_uppercase; content:\"NS2.GOOGLE.COM\"; sid:1;)"); + "dns.response.rrname; to_uppercase; content:\"NS2.GOOGLE.COM\"; sid:1;)"); FAIL_IF_NULL(s); SigGroupBuild(de_ctx);