From: Jason Ish Date: Wed, 27 Apr 2022 18:32:18 +0000 (-0600) Subject: eve/dns: remove dns v1 logging X-Git-Tag: suricata-7.0.0-beta1~648 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d712a8b29d380ef52292f5c70a8644cac6a93d93;p=thirdparty%2Fsuricata.git eve/dns: remove dns v1 logging Removal of DNS v1 logging was scheduled to be removed in May 2022. Ticket: #4157 --- diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs index 6b09dfb901..564e26a7af 100644 --- a/rust/src/dns/log.rs +++ b/rust/src/dns/log.rs @@ -685,138 +685,3 @@ pub extern "C" fn rs_dns_do_log_answer(tx: &mut DNSTransaction, } return false; } - -// Version 1 logging support. - -fn dns_log_json_answer_v1(header: &DNSHeader, answer: &DNSAnswerEntry) - -> Result -{ - let mut js = JsonBuilder::new_object(); - - js.set_string("type", "answer")?; - js.set_uint("id", header.tx_id as u64)?; - js.set_string("flags", format!("{:x}", header.flags).as_str())?; - if header.flags & 0x8000 != 0 { - js.set_bool("qr", true)?; - } - if header.flags & 0x0400 != 0 { - js.set_bool("aa", true)?; - } - if header.flags & 0x0200 != 0 { - js.set_bool("tc", true)?; - } - if header.flags & 0x0100 != 0 { - js.set_bool("rd", true)?; - } - if header.flags & 0x0080 != 0 { - js.set_bool("ra", true)?; - } - if header.flags & 0x0040 != 0 { - js.set_bool("z", true)?; - } - js.set_string("rcode", &dns_rcode_string(header.flags))?; - js.set_string_from_bytes("rrname", &answer.name)?; - js.set_string("rrtype", &dns_rrtype_string(answer.rrtype))?; - js.set_uint("ttl", answer.ttl as u64)?; - - match &answer.data { - DNSRData::A(addr) | DNSRData::AAAA(addr) => { - js.set_string("rdata", &dns_print_addr(addr))?; - } - DNSRData::CNAME(bytes) | - DNSRData::MX(bytes) | - DNSRData::NS(bytes) | - DNSRData::TXT(bytes) | - DNSRData::NULL(bytes) | - DNSRData::PTR(bytes) => { - js.set_string_from_bytes("rdata", bytes)?; - } - DNSRData::SOA(soa) => { - js.set_object("soa", &dns_log_soa(soa)?)?; - } - DNSRData::SSHFP(sshfp) => { - js.set_object("sshfp", &dns_log_sshfp(sshfp)?)?; - } - _ => {} - } - - js.close()?; - - return Ok(js); -} - -fn dns_log_json_failure_v1(r: &DNSResponse, index: usize, flags: u64) - -> Result, JsonError> { - if index >= r.queries.len() { - return Ok(None); - } - - let query = &r.queries[index]; - - if !dns_log_rrtype_enabled(query.rrtype, flags) { - return Ok(None); - } - - let mut js = JsonBuilder::new_object(); - - js.set_string("type", "answer")?; - js.set_uint("id", r.header.tx_id as u64)?; - js.set_string("rcode", &dns_rcode_string(r.header.flags))?; - js.set_string_from_bytes("rrname", &query.name)?; - - js.close()?; - - return Ok(Some(js)); -} - -#[no_mangle] -pub extern "C" fn rs_dns_log_json_answer_v1(tx: &mut DNSTransaction, - i: u16, - flags: u64) - -> *mut JsonBuilder -{ - let index = i as usize; - // Note for loop over Option for easier break out to default - // return value. - for response in &tx.response { - if response.header.flags & 0x000f > 0 { - if index == 0 { - if let Ok(Some(js)) = dns_log_json_failure_v1(response, index, flags) { - return Box::into_raw(Box::new(js)); - } - } - break; - } - if index >= response.answers.len() { - break; - } - let answer = &response.answers[index]; - if dns_log_rrtype_enabled(answer.rrtype, flags) { - if let Ok(js) = dns_log_json_answer_v1(&response.header, answer) { - return Box::into_raw(Box::new(js)); - } - break; - } - } - return std::ptr::null_mut(); -} - -#[no_mangle] -pub extern "C" fn rs_dns_log_json_authority_v1(tx: &mut DNSTransaction, - i: u16, - flags: u64) - -> *mut JsonBuilder -{ - let index = i as usize; - if let &Some(ref response) = &tx.response { - if index < response.authorities.len() { - let answer = &response.authorities[index]; - if dns_log_rrtype_enabled(answer.rrtype, flags) { - if let Ok(js) = dns_log_json_answer_v1(&response.header, answer) { - return Box::into_raw(Box::new(js)); - } - } - } - } - return std::ptr::null_mut(); -} diff --git a/src/output-json-dns.c b/src/output-json-dns.c index ce74856cfb..2dfd69ebb8 100644 --- a/src/output-json-dns.c +++ b/src/output-json-dns.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2021 Open Information Security Foundation +/* Copyright (C) 2007-2022 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -185,13 +185,6 @@ typedef enum { DNS_RRTYPE_MAX, } DnsRRTypes; -typedef enum { - DNS_VERSION_1 = 1, - DNS_VERSION_2 -} DnsVersion; - -#define DNS_VERSION_DEFAULT DNS_VERSION_2 - static struct { const char *config_rrtype; uint64_t flags; @@ -258,7 +251,6 @@ static struct { typedef struct LogDnsFileCtx_ { uint64_t flags; /** Store mode */ - DnsVersion version; OutputJsonCtx *eve_ctx; } LogDnsFileCtx; @@ -267,8 +259,6 @@ typedef struct LogDnsLogThread_ { OutputJsonThreadCtx *ctx; } LogDnsLogThread; -static bool v1_deprecation_warned = false; - JsonBuilder *JsonDNSLogQuery(void *txptr, uint64_t tx_id) { JsonBuilder *queryjb = jb_new_array(); @@ -347,58 +337,17 @@ static int JsonDnsLoggerToClient(ThreadVars *tv, void *thread_data, return TM_ECODE_OK; } - if (td->dnslog_ctx->version == DNS_VERSION_2) { - if (rs_dns_do_log_answer(txptr, td->dnslog_ctx->flags)) { - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_OK; - } - - jb_open_object(jb, "dns"); - rs_dns_log_json_answer(txptr, td->dnslog_ctx->flags, jb); - jb_close(jb); - OutputJsonBuilderBuffer(jb, td->ctx); - jb_free(jb); - } - } else { - /* Log answers. */ - for (uint16_t i = 0; i < UINT16_MAX; i++) { - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_OK; - } - - JsonBuilder *answer = rs_dns_log_json_answer_v1(txptr, i, - td->dnslog_ctx->flags); - if (answer == NULL) { - jb_free(jb); - break; - } - jb_set_object(jb, "dns", answer); - jb_free(answer); - - OutputJsonBuilderBuffer(jb, td->ctx); - jb_free(jb); + if (rs_dns_do_log_answer(txptr, td->dnslog_ctx->flags)) { + JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx); + if (unlikely(jb == NULL)) { + return TM_ECODE_OK; } - /* Log authorities. */ - for (uint16_t i = 0; i < UINT16_MAX; i++) { - JsonBuilder *jb = CreateEveHeader(p, LOG_DIR_FLOW, "dns", NULL, dnslog_ctx->eve_ctx); - if (unlikely(jb == NULL)) { - return TM_ECODE_OK; - } - JsonBuilder *answer = rs_dns_log_json_authority_v1(txptr, i, - td->dnslog_ctx->flags); - if (answer == NULL) { - jb_free(jb); - break; - } - jb_set_object(jb, "dns", answer); - jb_free(answer); - - OutputJsonBuilderBuffer(jb, td->ctx); - jb_free(jb); - } + jb_open_object(jb, "dns"); + rs_dns_log_json_answer(txptr, td->dnslog_ctx->flags, jb); + jb_close(jb); + OutputJsonBuilderBuffer(jb, td->ctx); + jb_free(jb); } SCReturnInt(TM_ECODE_OK); @@ -477,9 +426,7 @@ static void JsonDnsLogParseConfig(LogDnsFileCtx *dnslog_ctx, ConfNode *conf, dnslog_ctx->flags &= ~LOG_QUERIES; } } else { - if (dnslog_ctx->version == DNS_VERSION_2) { - dnslog_ctx->flags |= LOG_QUERIES; - } + dnslog_ctx->flags |= LOG_QUERIES; } const char *response = ConfNodeLookupChildValue(conf, answer_key); @@ -490,9 +437,7 @@ static void JsonDnsLogParseConfig(LogDnsFileCtx *dnslog_ctx, ConfNode *conf, dnslog_ctx->flags &= ~LOG_ANSWERS; } } else { - if (dnslog_ctx->version == DNS_VERSION_2) { - dnslog_ctx->flags |= LOG_ANSWERS; - } + dnslog_ctx->flags |= LOG_ANSWERS; } ConfNode *custom; @@ -516,31 +461,31 @@ static void JsonDnsLogParseConfig(LogDnsFileCtx *dnslog_ctx, ConfNode *conf, } } } else { - if (dnslog_ctx->version == DNS_VERSION_2) { - dnslog_ctx->flags |= LOG_ALL_RRTYPES; - } + dnslog_ctx->flags |= LOG_ALL_RRTYPES; } } -static DnsVersion JsonDnsParseVersion(ConfNode *conf) +static void JsonDnsCheckVersion(ConfNode *conf) { if (conf == NULL) { - return DNS_VERSION_DEFAULT; + return; } - DnsVersion version = DNS_VERSION_DEFAULT; - intmax_t config_version; + static bool v1_deprecation_warned = false; const ConfNode *has_version = ConfNodeLookupChild(conf, "version"); - if (has_version != NULL) { bool invalid = false; + intmax_t config_version; if (ConfGetChildValueInt(conf, "version", &config_version)) { switch(config_version) { - case 1: - version = DNS_VERSION_1; - break; case 2: - version = DNS_VERSION_2; + break; + case 1: + if (!v1_deprecation_warned) { + SCLogError(SC_WARN_DEPRECATED, + "DNS EVE v1 logging has been removed, will use v2"); + v1_deprecation_warned = true; + } break; default: invalid = true; @@ -550,23 +495,10 @@ static DnsVersion JsonDnsParseVersion(ConfNode *conf) invalid = true; } if (invalid) { - SCLogWarning(SC_ERR_INVALID_ARGUMENT, - "invalid eve-log dns version option: %s, " - "defaulting to version %u", - has_version->val, version); + SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid EVE DNS version \"%s\", will use v2", + has_version->val); } - } else { - SCLogConfig("eve-log dns version not set, defaulting to version %u", - version); - } - - if (!v1_deprecation_warned && version == DNS_VERSION_1) { - SCLogWarning(SC_WARN_DEPRECATED, "DNS EVE v1 style logs have been " - "deprecated and will be removed by May 2022"); - v1_deprecation_warned = true; } - - return version; } static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, ConfNode *conf) @@ -574,26 +506,21 @@ static void JsonDnsLogInitFilters(LogDnsFileCtx *dnslog_ctx, ConfNode *conf) dnslog_ctx->flags = ~0ULL; if (conf) { - if (dnslog_ctx->version == DNS_VERSION_1) { - JsonDnsLogParseConfig(dnslog_ctx, conf, "query", "answer", "custom"); - } else { - JsonDnsLogParseConfig(dnslog_ctx, conf, "requests", "responses", "types"); - - if (dnslog_ctx->flags & LOG_ANSWERS) { - ConfNode *format; - if ((format = ConfNodeLookupChild(conf, "formats")) != NULL) { - dnslog_ctx->flags &= ~LOG_FORMAT_ALL; - ConfNode *field; - TAILQ_FOREACH(field, &format->head, next) { - if (strcasecmp(field->val, "detailed") == 0) { - dnslog_ctx->flags |= LOG_FORMAT_DETAILED; - } else if (strcasecmp(field->val, "grouped") == 0) { - dnslog_ctx->flags |= LOG_FORMAT_GROUPED; - } + JsonDnsLogParseConfig(dnslog_ctx, conf, "requests", "responses", "types"); + if (dnslog_ctx->flags & LOG_ANSWERS) { + ConfNode *format; + if ((format = ConfNodeLookupChild(conf, "formats")) != NULL) { + dnslog_ctx->flags &= ~LOG_FORMAT_ALL; + ConfNode *field; + TAILQ_FOREACH (field, &format->head, next) { + if (strcasecmp(field->val, "detailed") == 0) { + dnslog_ctx->flags |= LOG_FORMAT_DETAILED; + } else if (strcasecmp(field->val, "grouped") == 0) { + dnslog_ctx->flags |= LOG_FORMAT_GROUPED; } - } else { - dnslog_ctx->flags |= LOG_FORMAT_ALL; } + } else { + dnslog_ctx->flags |= LOG_FORMAT_ALL; } } } @@ -608,7 +535,9 @@ static OutputInitResult JsonDnsLogInitCtxSub(ConfNode *conf, OutputCtx *parent_c return result; } - DnsVersion version = JsonDnsParseVersion(conf); + /* As only a single version of logging is supported, this exists to warn about + * unsupported versions. */ + JsonDnsCheckVersion(conf); OutputJsonCtx *ojc = parent_ctx->data; @@ -629,7 +558,6 @@ static OutputInitResult JsonDnsLogInitCtxSub(ConfNode *conf, OutputCtx *parent_c output_ctx->data = dnslog_ctx; output_ctx->DeInit = LogDnsLogDeInitCtxSub; - dnslog_ctx->version = version; JsonDnsLogInitFilters(dnslog_ctx, conf); SCLogDebug("DNS log sub-module initialized");