From 433e511b636d09dfa71bd45095499210aa68bee5 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 10 Jun 2015 11:57:59 +0200
Subject: [PATCH] dns: generic inspect engines for DNS
---
 src/detect-engine-dns.c | 69 +++++++++++++++++++++++++++++++++++++++
 src/detect-engine-dns.h | 10 ++++++
 src/detect-engine-state.h | 2 ++
 src/detect-engine.c | 33 ++++++++++++++++++-
 src/detect-parse.c | 9 +++++
 5 files changed, 122 insertions(+), 1 deletion(-)
diff --git a/src/detect-engine-dns.c b/src/detect-engine-dns.c
index a1e064083c..b08681c01e 100644
--- a/src/detect-engine-dns.c
+++ b/src/detect-engine-dns.c
@@ -92,3 +92,72 @@ int DetectEngineInspectDnsQueryName(ThreadVars *tv,
 }
 return r;
 }
+
+
+/** \brief Do the content inspection & validation for a signature
+ *
+ * \param de_ctx Detection engine context
+ * \param det_ctx Detection engine thread context
+ * \param s Signature to inspect
+ * \param sm SigMatch to inspect
+ * \param f Flow
+ * \param flags app layer flags
+ * \param state App layer state
+ *
+ * \retval 0 no match
+ * \retval 1 match
+ */
+int DetectEngineInspectGenericList(ThreadVars *tv,
+ const DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ const Signature *s, Flow *f, const uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id, const int list)
+{
+ KEYWORD_PROFILING_SET_LIST(det_ctx, list);
+
+ SigMatchData *smd = s->sm_arrays[list];
+ SCLogDebug("running match functions, sm %p", smd);
+ if (smd != NULL) {
+ while (1) {
+ int match = 0;
+ KEYWORD_PROFILING_START;
+ match = sigmatch_table[smd->type].
+ AppLayerTxMatch(tv, det_ctx, f, flags, alstate, txv, s, smd->ctx);
+ KEYWORD_PROFILING_END(det_ctx, smd->type, (match == 1));
+
+ if (match == 0)
+ return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+ if (match == 2) {
+ return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
+ }
+
+ if (smd->is_last)
+ break;
+ smd++;
+ }
+ }
+
+ return DETECT_ENGINE_INSPECT_SIG_MATCH;
+}
+
+int DetectEngineInspectDnsRequest(ThreadVars *tv,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, f, flags,
+ alstate, txv, tx_id,
+ DETECT_SM_LIST_DNSREQUEST_MATCH);
+}
+
+int DetectEngineInspectDnsResponse(ThreadVars *tv,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, f, flags,
+ alstate, txv, tx_id,
+ DETECT_SM_LIST_DNSRESPONSE_MATCH);
+}
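Review bot: The doxygen block above DetectEngineInspectGenericList does not describe the function below it: it documents `sm` and `state`, which the function does not take, leaves `tv`, `alstate`, `txv`, `tx_id` and `list` undocumented, and its `\retval 0` / `\retval 1` lines do not cover the three DETECT_ENGINE_INSPECT_SIG_{NO_MATCH,CANT_MATCH,MATCH} values the body returns; the comment should list the real parameters and return values, and note that `de_ctx` and `tx_id` are accepted only to keep the engine callback shape, since the body never reads them. The loop also calls `sigmatch_table[smd->type].AppLayerTxMatch` unconditionally; if a keyword can end up in the DNS request/response lists without registering that callback (not visible here), this is a NULL function-pointer call at inspection time, so either a guard in the loop or an assertion at keyword registration would be worth adding. The `match == 0` and `match == 2` tests use bare literals while the returns use named constants; a one-line comment stating what the AppLayerTxMatch return values 0/1/2 mean, e.g. `/* AppLayerTxMatch: 0 no match, 1 match, 2 can never match on this tx */`, would make the mapping explicit.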
diff --git a/src/detect-engine-dns.h b/src/detect-engine-dns.h
index 419f0fed03..801a22d421 100644
--- a/src/detect-engine-dns.h
+++ b/src/detect-engine-dns.h
@@ -26,5 +26,15 @@ int DetectEngineInspectDnsQueryName(ThreadVars *,
 DetectEngineCtx *de_ctx,
 DetectEngineThreadCtx *, Signature *, Flow *, uint8_t,
 void *, void *, uint64_t);
+int DetectEngineInspectDnsRequest(ThreadVars *tv,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id);
+int DetectEngineInspectDnsResponse(ThreadVars *tv,
+ DetectEngineCtx *de_ctx,
+ DetectEngineThreadCtx *det_ctx,
+ Signature *s, Flow *f, uint8_t flags,
+ void *alstate, void *txv, uint64_t tx_id);
 #endif /* __DETECT_ENGINE_DNS_H__ */
diff --git a/src/detect-engine-state.h b/src/detect-engine-state.h
index a04b123173..4c88ae794a 100644
--- a/src/detect-engine-state.h
+++ b/src/detect-engine-state.h
@@ -79,6 +79,8 @@
 #define DE_STATE_FLAG_MODBUS_INSPECT (1 << 19)
 #define DE_STATE_FLAG_HRL_INSPECT (1 << 20)
 #define DE_STATE_FLAG_FD_SMTP_INSPECT (1 << 21)
+#define DE_STATE_FLAG_DNSREQUEST_INSPECT (1 << 22)
+#define DE_STATE_FLAG_DNSRESPONSE_INSPECT (1 << 23)
 /* state flags */
 #define DETECT_ENGINE_STATE_FLAG_FILE_STORE_DISABLED 0x0001
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 913aa8ab26..adb3d5908e 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -245,6 +245,22 @@ void DetectEngineRegisterAppInspectionEngines(void)
 DE_STATE_FLAG_DNSQUERYNAME_INSPECT,
 0,
 DetectEngineInspectDnsQueryName },
+ { IPPROTO_TCP,
+ ALPROTO_DNS,
+ DETECT_SM_LIST_DNSREQUEST_MATCH,
+ DE_STATE_FLAG_DNSREQUEST_INSPECT,
+ 0,
+ DetectEngineInspectDnsRequest },
+ /* specifically for UDP, register again
+ * allows us to use the alproto w/o translation
+ * in the detection engine */
+ { IPPROTO_UDP,
+ ALPROTO_DNS,
+ DETECT_SM_LIST_DNSREQUEST_MATCH,
+ DE_STATE_FLAG_DNSREQUEST_INSPECT,
+ 0,
+ DetectEngineInspectDnsRequest },
+ /* SMTP */
 { IPPROTO_TCP,
 ALPROTO_SMTP,
 DETECT_SM_LIST_FILEMATCH,
@@ -316,7 +332,22 @@ void DetectEngineRegisterAppInspectionEngines(void)
 DETECT_SM_LIST_MODBUS_MATCH,
 DE_STATE_FLAG_MODBUS_INSPECT,
 0,
- DetectEngineInspectModbus }
+ DetectEngineInspectModbus },
+ { IPPROTO_TCP,
+ ALPROTO_DNS,
+ DETECT_SM_LIST_DNSRESPONSE_MATCH,
+ DE_STATE_FLAG_DNSRESPONSE_INSPECT,
+ 1,
+ DetectEngineInspectDnsResponse },
+ /* specifically for UDP, register again
+ * allows us to use the alproto w/o translation
+ * in the detection engine */
+ { IPPROTO_UDP,
+ ALPROTO_DNS,
+ DETECT_SM_LIST_DNSRESPONSE_MATCH,
+ DE_STATE_FLAG_DNSRESPONSE_INSPECT,
+ 1,
+ DetectEngineInspectDnsResponse },
 };
 size_t i;
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 2517036643..d077791e34 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
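Review bot: The DNS response engines in the second hunk are appended after the Modbus row at the very end of the table, while the request engines in the first hunk sit next to the existing DNS query-name row; if the walk over this array that follows (`size_t i;`) makes registration order significant, a comment on the response rows should say so, otherwise they belong with the other DNS rows so the four DNS entries can be read together. Both hunks also repeat the six-line row and the three-line "specifically for UDP, register again" comment verbatim for TCP and UDP, which is the third and fourth copy of that comment in this table; a single comment above the DNS rows stating that every DNS engine is registered once per transport would say it once. The fifth field is `0` for the request rows and `1` for the response rows as a bare literal; presumably it selects the direction, and a trailing comment such as `1, /* to-client */` (or the named constant, if the field has one) would make that readable without consulting the struct definition, which is outside the hunk.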
@@ -1478,8 +1478,17 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
 sig->flags |= SIG_FLAG_STATE_MATCH;
 if (sig->sm_lists[DETECT_SM_LIST_HRHHDMATCH])
 sig->flags |= SIG_FLAG_STATE_MATCH;
+
+ /* DNS */
 if (sig->sm_lists[DETECT_SM_LIST_DNSQUERYNAME_MATCH])
 sig->flags |= SIG_FLAG_STATE_MATCH;
+ if (sig->sm_lists[DETECT_SM_LIST_DNSREQUEST_MATCH]) {
+ sig->flags |= SIG_FLAG_STATE_MATCH;
+ }
+ if (sig->sm_lists[DETECT_SM_LIST_DNSRESPONSE_MATCH]) {
+ sig->flags |= SIG_FLAG_STATE_MATCH;
+ }
+
 if (sig->sm_lists[DETECT_SM_LIST_MODBUS_MATCH])
 sig->flags |= SIG_FLAG_STATE_MATCH;
 if (sig->sm_lists[DETECT_SM_LIST_APP_EVENT])
-- 
2.47.2
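Review bot: The two new DNS checks brace their single-statement bodies while every neighbouring check in the same run (HRHHDMATCH, DNSQUERYNAME_MATCH, MODBUS_MATCH) does not, so the block now mixes two styles within six lines; either brace the whole run or match the existing form. The larger point is that this `if (sig->sm_lists[X]) sig->flags |= SIG_FLAG_STATE_MATCH;` chain is extended by hand for every new inspection engine, and an engine whose list is forgotten here is registered in DetectEngineRegisterAppInspectionEngines() yet never flagged as a stateful match, which is a silent detection gap rather than a compile error; a table of the list ids walked in one loop, as sketched below, keeps the chain in one place and makes the omission easier to spot in review. SigInitHelper starts and ends outside the hunk, so lists checked above line 1478 would need to be folded into the same table.
```c
    /* every sm list whose presence makes the signature a stateful match;
     * keep in step with the engine table in DetectEngineRegisterAppInspectionEngines() */
    static const int state_match_lists[] = {
        DETECT_SM_LIST_HRHHDMATCH,
        DETECT_SM_LIST_DNSQUERYNAME_MATCH,
        DETECT_SM_LIST_DNSREQUEST_MATCH,
        DETECT_SM_LIST_DNSRESPONSE_MATCH,
        DETECT_SM_LIST_MODBUS_MATCH,
        /* … other lists from the checks above and below the hunk … */
    };
    for (size_t i = 0; i < sizeof(state_match_lists) / sizeof(state_match_lists[0]); i++) {
        if (sig->sm_lists[state_match_lists[i]])
            sig->flags |= SIG_FLAG_STATE_MATCH;
    }
    /* … unchanged: DETECT_SM_LIST_APP_EVENT check and the rest of SigInitHelper … */
```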