From d9b3ae6cd6da2d8939618a763aa513a774a36b92 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 10 Dec 2016 10:49:51 +0100
Subject: [PATCH] dns: use dynamic buffers

---
 src/detect-dns-query.c | 58 ++++++++++++++++++++++++++++++------
 src/detect-engine-analyzer.c | 2 --
 src/detect-engine.c | 7 -----
 src/detect-isdataat.c | 51 -------------------------------
 src/detect-lua.c | 9 ++++--
 src/detect-parse.c | 6 ----
 src/detect.h | 4 ---
 7 files changed, 55 insertions(+), 82 deletions(-)

diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c
index a5e7823afb..573f021f9a 100644
--- a/src/detect-dns-query.c
+++ b/src/detect-dns-query.c
@@ -60,6 +60,7 @@ static int DetectDnsQuerySetup (DetectEngineCtx *, Signature *, char *);
 static void DetectDnsQueryRegisterTests(void);
+static int g_dns_query_buffer_id = 0;
 /**
  * \brief Registration function for keyword: dns_query
@@ -77,21 +78,30 @@ void DetectDnsQueryRegister (void)
 sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT;
 sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_PAYLOAD;
-DetectMpmAppLayerRegister("dns_query", SIG_FLAG_TOSERVER,
-DETECT_SM_LIST_DNSQUERYNAME_MATCH, 2,
+DetectAppLayerMpmRegister("dns_query", SIG_FLAG_TOSERVER, 2,
 PrefilterTxDnsQueryRegister);
-DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOSERVER,
-DETECT_SM_LIST_DNSQUERYNAME_MATCH,
+DetectAppLayerInspectEngineRegister2("dns_query",
+ALPROTO_DNS, SIG_FLAG_TOSERVER,
 DetectEngineInspectDnsQueryName);
+DetectBufferTypeSetDescriptionByName("dns_query",
+"dns request query");
+
+g_dns_query_buffer_id = DetectBufferTypeGetByName("dns_query");
+
 /* register these generic engines from here for now */
-DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOSERVER,
-DETECT_SM_LIST_DNSREQUEST_MATCH,
+DetectAppLayerInspectEngineRegister2("dns_request",
+ALPROTO_DNS, SIG_FLAG_TOSERVER,
 DetectEngineInspectDnsRequest);
-DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOCLIENT,
-DETECT_SM_LIST_DNSRESPONSE_MATCH,
+DetectAppLayerInspectEngineRegister2("dns_response",
+ALPROTO_DNS, SIG_FLAG_TOCLIENT,
 DetectEngineInspectDnsResponse);
+
+DetectBufferTypeSetDescriptionByName("dns_request",
+"dns requests");
+DetectBufferTypeSetDescriptionByName("dns_response",
+"dns responses");
 }
@@ -108,12 +118,14 @@ void DetectDnsQueryRegister (void)
 static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
-s->init_data->list = DETECT_SM_LIST_DNSQUERYNAME_MATCH;
+s->init_data->list = g_dns_query_buffer_id;
 s->alproto = ALPROTO_DNS;
 return 0;
 }
 #ifdef UNITTESTS
+#include "detect-isdataat.h"
+
 /** \test simple google.com query matching */
 static int DetectDnsQueryTest01(void)
 {
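Review bot: DetectDnsQueryRegister stores the result of DetectBufferTypeGetByName("dns_query") in g_dns_query_buffer_id without checking it, and DetectDnsQuerySetup in the @@ -108 hunk copies that value straight into s->init_data->list; if the lookup can fail, or Setup is ever reached before registration (the static is initialised to 0 in the @@ -60 hunk), the keyword silently lands in whatever list that number selects instead of failing the rule. A guard in Setup, e.g. `if (g_dns_query_buffer_id < 0) return -1;` if -1 is the lookup's not-found value (DetectBufferTypeGetByName is not visible here), together with a comment on the static such as `/* list id of the "dns_query" buffer, resolved at keyword registration */`, would make the dependency explicit. The three DetectBufferTypeGetByName calls in the src/detect-lua.c hunk pass their results to SigMatchAppendSMToList with the same missing check.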
@@ -1159,6 +1171,31 @@ end:
 return result;
 }
+static int DetectDnsQueryIsdataatParseTest(void)
+{
+DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+FAIL_IF_NULL(de_ctx);
+de_ctx->flags |= DE_QUIET;
+
+Signature *s = DetectEngineAppendSig(de_ctx,
+"alert dns any any -> any any ("
+"dns_query; content:\"one\"; "
+"isdataat:!4,relative; sid:1;)");
+FAIL_IF_NULL(s);
+
+SigMatch *sm = s->init_data->smlists_tail[g_dns_query_buffer_id];
+FAIL_IF_NULL(sm);
+FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+DetectEngineCtxFree(de_ctx);
+PASS;
+}
+
 #endif
 static void DetectDnsQueryRegisterTests(void)
@@ -1174,5 +1211,8 @@ static void DetectDnsQueryRegisterTests(void)
 UtRegisterTest("DetectDnsQueryTest06 -- pcre", DetectDnsQueryTest06);
 UtRegisterTest("DetectDnsQueryTest07 -- app layer event", DetectDnsQueryTest07);
+
+UtRegisterTest("DetectDnsQueryIsdataatParseTest",
+DetectDnsQueryIsdataatParseTest);
 #endif
 }
diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 68de322fb5..06647980c2 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -446,8 +446,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
 fprintf(rule_engine_analysis_FD, "%s", payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream");
 }
-else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
-fprintf(rule_engine_analysis_FD, "dns query name content");
 else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
 fprintf(rule_engine_analysis_FD, "tls sni extension content");
 else if (list_type == DETECT_SM_LIST_TLSISSUER_MATCH)
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 3343448802..994a44290a 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
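Review bot: In DetectDnsQueryIsdataatParseTest every FAIL_IF_NULL / FAIL_IF_NOT / FAIL_IF after DetectEngineCtxInit() bails out before DetectEngineCtxFree(de_ctx), so a failing check leaks the engine context, something the removed DetectIsdataatTestParse16 avoided with its end: cleanup label (assuming the FAIL macros return, as their use here suggests). The test also indexes s->init_data->smlists_tail with g_dns_query_buffer_id without first asserting the id is in range, so a registration problem would surface as an out-of-bounds read rather than a test failure; a `FAIL_IF(g_dns_query_buffer_id < 0);` before the lookup, if -1 is the unresolved value, would localise that. A doc comment above the test, `/** \test dns_query followed by a relative isdataat ends up in the dns_query list */`, would match the style of the other tests in this file.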
@@ -2811,13 +2811,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
 case DETECT_SM_LIST_FILEMATCH:
 return "file";
-case DETECT_SM_LIST_DNSQUERYNAME_MATCH:
-return "dns query name";
-case DETECT_SM_LIST_DNSREQUEST_MATCH:
-return "dns request";
-case DETECT_SM_LIST_DNSRESPONSE_MATCH:
-return "dns response";
-
 case DETECT_SM_LIST_TLSSNI_MATCH:
 return "tls sni extension";
 case DETECT_SM_LIST_TLSISSUER_MATCH:
diff --git a/src/detect-isdataat.c b/src/detect-isdataat.c
index d6a459934e..5a018a5891 100644
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@@ -516,56 +516,6 @@ int DetectIsdataatTestParse06(void)
 return result;
 }
-/**
- * \test dns_query with isdataat relative to it
- */
-static int DetectIsdataatTestParse16(void)
-{
-DetectEngineCtx *de_ctx = NULL;
-int result = 0;
-Signature *s = NULL;
-DetectIsdataatData *data = NULL;
-
-de_ctx = DetectEngineCtxInit();
-if (de_ctx == NULL)
-goto end;
-
-de_ctx->flags |= DE_QUIET;
-de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
-"(msg:\"Testing dns_query and isdataat\"; "
-"dns_query; isdataat:!4,relative; sid:1;)");
-if (de_ctx->sig_list == NULL) {
-printf("sig parse: ");
-goto end;
-}
-
-s = de_ctx->sig_list;
-if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH] == NULL) {
-printf("dns_query list empty: ");
-goto end;
-}
-
-if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH]->type != DETECT_ISDATAAT) {
-printf("last dns_query body sm not isdataat: ");
-goto end;
-}
-
-data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH]->ctx;
-if ( !(data->flags & ISDATAAT_RELATIVE) ||
-(data->flags & ISDATAAT_RAWBYTES) ||
-!(data->flags & ISDATAAT_NEGATED) ) {
-goto end;
-}
-
-result = 1;
-end:
-SigGroupCleanup(de_ctx);
-SigCleanSignatures(de_ctx);
-DetectEngineCtxFree(de_ctx);
-
-return result;
-}
- /** - * \test DetectIsdataatTestPacket01 is a test to check matches of - * isdataat, and isdataat relative
@@ -684,7 +634,6 @@ void DetectIsdataatRegisterTests(void)
 UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04);
 UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05);
 UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06);
-UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);
 UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
 UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
diff --git a/src/detect-lua.c b/src/detect-lua.c
index 3d59b5d61b..9b5484407a 100644
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -1023,11 +1023,14 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
 }
 } else if (lua->alproto == ALPROTO_DNS) {
 if (lua->flags & DATATYPE_DNS_RRNAME) {
-SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSQUERYNAME_MATCH);
+int list = DetectBufferTypeGetByName("dns_query");
+SigMatchAppendSMToList(s, sm, list);
 } else if (lua->flags & DATATYPE_DNS_REQUEST) {
-SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSREQUEST_MATCH);
+int list = DetectBufferTypeGetByName("dns_request");
+SigMatchAppendSMToList(s, sm, list);
 } else if (lua->flags & DATATYPE_DNS_RESPONSE) {
-SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSRESPONSE_MATCH);
+int list = DetectBufferTypeGetByName("dns_response");
+SigMatchAppendSMToList(s, sm, list);
 }
 } else if (lua->alproto == ALPROTO_TLS) {
 SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 1886ee9081..3354847069 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
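Review bot: The three DNS branches in DetectLuaSetup now each repeat the same pair of lines — a string-keyed DetectBufferTypeGetByName lookup followed by SigMatchAppendSMToList — differing only in the buffer name, which reads as copy-paste and leaves three places to maintain once the lookup's result does get checked. Selecting the name by flag first and then doing a single lookup and a single append keeps the current behaviour (nothing is appended when none of the three flags is set) in one place; the rewrite is below. DetectLuaSetup begins and ends outside this hunk.
```c
} else if (lua->alproto == ALPROTO_DNS) {
    const char *name = NULL;
    if (lua->flags & DATATYPE_DNS_RRNAME) {
        name = "dns_query";
    } else if (lua->flags & DATATYPE_DNS_REQUEST) {
        name = "dns_request";
    } else if (lua->flags & DATATYPE_DNS_RESPONSE) {
        name = "dns_response";
    }
    if (name != NULL) {
        SigMatchAppendSMToList(s, sm, DetectBufferTypeGetByName(name));
    }
} else if (lua->alproto == ALPROTO_TLS) {
    /* … unchanged: TLS and remaining alproto branches … */
```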
@@ -146,9 +146,6 @@ const char *DetectListToHumanString(int list)
 CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
 CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
 CASE_CODE_STRING(DETECT_SM_LIST_FILEMATCH, "file");
-CASE_CODE_STRING(DETECT_SM_LIST_DNSREQUEST_MATCH, "dns_request");
-CASE_CODE_STRING(DETECT_SM_LIST_DNSRESPONSE_MATCH, "dns_response");
-CASE_CODE_STRING(DETECT_SM_LIST_DNSQUERYNAME_MATCH, "dns_query");
 CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni");
 CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer");
 CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject");
@@ -176,9 +173,6 @@ const char *DetectListToString(int list)
 CASE_CODE(DETECT_SM_LIST_DMATCH);
 CASE_CODE(DETECT_SM_LIST_TMATCH);
 CASE_CODE(DETECT_SM_LIST_FILEMATCH);
-CASE_CODE(DETECT_SM_LIST_DNSREQUEST_MATCH);
-CASE_CODE(DETECT_SM_LIST_DNSRESPONSE_MATCH);
-CASE_CODE(DETECT_SM_LIST_DNSQUERYNAME_MATCH);
 CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH);
 CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH);
 CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH);
diff --git a/src/detect.h b/src/detect.h
index 290c7d37ea..4f7cf94097 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -120,10 +120,6 @@ enum DetectSigmatchListEnum {
 DETECT_SM_LIST_FILEMATCH,
-DETECT_SM_LIST_DNSREQUEST_MATCH, /**< per DNS query tx match list */
-DETECT_SM_LIST_DNSRESPONSE_MATCH, /**< per DNS response tx match list */
-DETECT_SM_LIST_DNSQUERYNAME_MATCH, /**< per query in a tx list */
-
 DETECT_SM_LIST_TLSSNI_MATCH,
 DETECT_SM_LIST_TLSISSUER_MATCH,
 DETECT_SM_LIST_TLSSUBJECT_MATCH,
-- 
2.47.2