From: Victor Julien
Date: Thu, 12 Dec 2013 12:12:13 +0000 (+0100)
Subject: dns: tag each tx we get a reply for as replied
X-Git-Tag: suricata-2.0rc1~202
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F765%2Fhead;p=thirdparty%2Fsuricata.git
dns: tag each tx we get a reply for as replied
Also, detect and print when server says recursion is desired.
---
diff --git a/src/app-layer-dns-common.h b/src/app-layer-dns-common.h
index 6fb13c8f2e..6c72c1d475 100644
--- a/src/app-layer-dns-common.h
+++ b/src/app-layer-dns-common.h
@@ -129,6 +129,7 @@ typedef struct DNSTransaction_ {
 replied to. */
 uint8_t reply_lost;
 uint8_t no_such_name; /**< server said "no such name" */
+ uint8_t recursion_desired; /**< server said "recursion desired" */
 TAILQ_HEAD(, DNSQueryEntry_) query_list; /**< list for query/queries */
 TAILQ_HEAD(, DNSAnswerEntry_) answer_list; /**< list for answers */
diff --git a/src/app-layer-dns-tcp.c b/src/app-layer-dns-tcp.c
index 1596078d7c..ecf4bf8213 100644
--- a/src/app-layer-dns-tcp.c
+++ b/src/app-layer-dns-tcp.c
@@ -439,6 +439,23 @@ static int DNSReponseParseData(Flow *f, DNSState *dns_state, const uint8_t *inpu
 }
 }
+ /* see if this is a "no such name" error */
+ if (ntohs(dns_header->flags) & 0x0003) {
+ SCLogDebug("no such name");
+ if (tx != NULL)
+ tx->no_such_name = 1;
+ }
+
+ if (ntohs(dns_header->flags) & 0x0080) {
+ SCLogDebug("recursion desired");
+ if (tx != NULL)
+ tx->recursion_desired = 1;
+ }
+
+ if (tx != NULL) {
+ tx->replied = 1;
+ }
+
 SCReturnInt(1);
 bad_data:
 insufficient_data:
diff --git a/src/app-layer-dns-udp.c b/src/app-layer-dns-udp.c
index 2fc20e546e..cb45c24df2 100644
--- a/src/app-layer-dns-udp.c
+++ b/src/app-layer-dns-udp.c
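Review bot: The two flag tests added to DNSReponseParseData in src/app-layer-dns-tcp.c do not match the DNS header layout. RCODE is the low four bits of the flags word and NXDOMAIN is the value 3, so `& 0x0003` is also true for FORMERR (1), SERVFAIL (2) and REFUSED (5), and those replies get `no_such_name` set and are later logged as "No Such Name"; the test should be `if ((ntohs(dns_header->flags) & 0x000F) == 3) {`. Bit 0x0080 is RA (recursion available) while RD (recursion desired) is 0x0100, so either the mask or the `recursion_desired` name, its comment in app-layer-dns-common.h and the log string should change. The same two tests appear in the DNSUDPResponseParse hunk in src/app-layer-dns-udp.c, the 0x0003 one as unchanged context there. The function body starts and ends outside this hunk.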
@@ -272,10 +272,18 @@ static int DNSUDPResponseParse(Flow *f, void *dstate,
 /* see if this is a "no such name" error */
 if (ntohs(dns_header->flags) & 0x0003) {
 SCLogDebug("no such name");
-
- if (tx != NULL) {
+ if (tx != NULL)
 tx->no_such_name = 1;
- }
+ }
+
+ if (ntohs(dns_header->flags) & 0x0080) {
+ SCLogDebug("recursion desired");
+ if (tx != NULL)
+ tx->recursion_desired = 1;
+ }
+
+ if (tx != NULL) {
+ tx->replied = 1;
 }
 SCReturnInt(1);
diff --git a/src/log-dnslog.c b/src/log-dnslog.c
index 2d43087b0c..80b9e94c7b 100644
--- a/src/log-dnslog.c
+++ b/src/log-dnslog.c
@@ -143,8 +143,10 @@ static void LogAnswer(LogDnsLogThread *aft, char *timebuf, char *srcip, char *ds
 "%s [**] Response TX %04x [**] ", timebuf, tx->tx_id);
 if (entry == NULL) {
- MemBufferWriteString(aft->buffer,
- "No Such Name");
+ if (tx->no_such_name)
+ MemBufferWriteString(aft->buffer, "No Such Name");
+ else if (tx->recursion_desired)
+ MemBufferWriteString(aft->buffer, "Recursion Desired");
 } else {
 /* query */
 if (entry->fqdn_len > 0) {
@@ -284,9 +286,10 @@ static TmEcode LogDnsLogIPWrapper(ThreadVars *tv, Packet *p, void *data, PacketQ
 LogQuery(aft, timebuf, dstip, srcip, dp, sp, tx, query);
 }
- if (tx->no_such_name) {
+ if (tx->no_such_name)
+ LogAnswer(aft, timebuf, srcip, dstip, sp, dp, tx, NULL);
+ if (tx->recursion_desired)
 LogAnswer(aft, timebuf, srcip, dstip, sp, dp, tx, NULL);
- }
 DNSAnswerEntry *entry = NULL;
 TAILQ_FOREACH(entry, &tx->answer_list, next) {
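Review bot: The flag handling in this DNSUDPResponseParse hunk is now a line-for-line copy of the block added to DNSReponseParseData in src/app-layer-dns-tcp.c, so any later change to the masks has to be made in two parsers. A small helper in the shared DNS code that takes the tx and the host-order flags word would keep the bit tests in one place and call `ntohs()` once. The hunk also drops the braces around `tx->no_such_name = 1;` while keeping them around `tx->replied = 1;`; braces on every branch are the safer convention in parser code. The function starts and ends outside the hunk.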
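Review bot: A transaction with both `no_such_name` and `recursion_desired` set is logged twice with identical text. The LogDnsLogIPWrapper hunk in src/log-dnslog.c calls `LogAnswer(aft, timebuf, srcip, dstip, sp, dp, tx, NULL);` once per flag, and in the LogAnswer hunk the `if`/`else if` on `entry == NULL` picks "No Such Name" both times, so "Recursion Desired" is never written for that transaction. Changing the second test to `else if (tx->recursion_desired)` removes the duplicate line; passing the reason into LogAnswer instead of re-deriving it from the tx would let both be reported. Both functions extend beyond their hunks.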