From: Jason Ish
Date: Tue, 21 Dec 2021 22:34:05 +0000 (-0600)
Subject: dns: create transaction even if z-bit was set
X-Git-Tag: suricata-7.0.0-beta1~1101
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fcbdc304265aaba724b245a5c3f02e00c8059a1a;p=thirdparty%2Fsuricata.git

dns: create transaction even if z-bit was set

It appears that DNS servers will still process a DNS request even if the z-bit is set, our parser will fail the transaction. So create the transaction, but still set the event.

Ticket #4924
---
diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
index 3697208bce..9d47a68a27 100644
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@@ -393,15 +393,17 @@ impl DNSState {
                     return false;
                 }
 
-                if request.header.flags & 0x0040 != 0 {
-                    SCLogDebug!("Z-flag set on DNS response");
-                    self.set_event(DNSEvent::ZFlagSet);
-                    return false;
-                }
+                let z_flag = request.header.flags & 0x0040 != 0;
 
                 let mut tx = self.new_tx();
                 tx.request = Some(request);
                 self.transactions.push(tx);
+
+                if z_flag {
+                    SCLogDebug!("Z-flag set on DNS response");
+                    self.set_event(DNSEvent::ZFlagSet);
+                }
+
                 return true;
             }
             Err(Err::Incomplete(_)) => {
@@ -430,11 +432,7 @@ impl DNSState {
                     self.set_event(DNSEvent::NotResponse);
                 }
 
-                if response.header.flags & 0x0040 != 0 {
-                    SCLogDebug!("Z-flag set on DNS response");
-                    self.set_event(DNSEvent::ZFlagSet);
-                    return false;
-                }
+                let z_flag = response.header.flags & 0x0040 != 0;
 
                 let mut tx = self.new_tx();
                 if let Some(ref mut config) = &mut self.config {
@@ -444,6 +442,12 @@ impl DNSState {
                 }
                 tx.response = Some(response);
                 self.transactions.push(tx);
+
+                if z_flag {
+                    SCLogDebug!("Z-flag set on DNS response");
+                    self.set_event(DNSEvent::ZFlagSet);
+                }
+
                 return true;
             }
             Err(Err::Incomplete(_)) => {
diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c
index 50728041f2..c256f2a30e 100644
--- a/src/detect-dns-query.c
+++ b/src/detect-dns-query.c
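Review bot: The debug message kept in the new `if z_flag` block of the first hunk reads "Z-flag set on DNS response" although that block sits in the request path (it is `request.header.flags` being tested), so it should read `SCLogDebug!("Z-flag set on DNS request");`. The same block is duplicated in the third hunk, and the raw `0x0040` mask now appears in both the first and the second hunk; a named constant for the Z bit (reserved, must be zero per RFC 1035) with a one-line comment would state the intent of the check in one place instead of three. The event is now raised only after `self.transactions.push(tx)`; if `set_event` attaches to the most recent transaction, this moves the event from whatever transaction was last onto the new one, which looks intended but deserves a comment such as `// push first so the event is recorded on this transaction`. The enclosing request and response parsing functions start and end outside these hunks.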
@@ -829,8 +829,8 @@ static int DetectDnsQueryTest05(void) FLOWLOCK_WRLOCK(&f); r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT, buf2, sizeof(buf2)); - if (r != -1) { - printf("toserver client 1 returned %" PRId32 ", expected -1\n", r); + if (r != 0) { + printf("toserver client 1 returned %" PRId32 ", expected 0\n", r); FLOWLOCK_UNLOCK(&f); FAIL; }
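Review bot: With the expectation changed to `r != 0`, DetectDnsQueryTest05 only checks that the parser accepted the z-bit message and never asserts that the ZFlagSet event is still raised, which is the behaviour the commit says it keeps; a check that the event was recorded on the resulting transaction would give this input a meaningful assertion again. The changed printf line also labels the direction "toserver client 1" while the call passes STREAM_TOCLIENT, so `printf("toclient 1 returned %" PRId32 ", expected 0\n", r);` would describe the failure correctly. DetectDnsQueryTest05 starts and ends outside the hunk.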