Hacks to enable alert dns even though we have dnstcp and dnsudp parsers. Needs proper...

diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index d84162de6a101ae84525f92b9cccb6ab960d0b03..46ee54ea520b91148c1bbb59b99ce05d5486b1bb 100644 (file)
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -635,6 +635,13 @@ int AppLayerRegisterProto(char *name, uint8_t proto, uint8_t flags,
         exit(EXIT_FAILURE);
     }
 
+    /* register name here as well so pp only protocols will work */
+    if (al_proto_table[proto].name != NULL) {
+        BUG_ON(strcmp(al_proto_table[proto].name, name) != 0);
+    } else {
+        al_proto_table[proto].name = name;
+    }
+
     al_parser_table[al_max_parsers].name = name;
     al_parser_table[al_max_parsers].AppLayerParser = AppLayerParser;
 

diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c
index aa59f33bb1f7e48cf7f60dc504e449a5cd2ee4fc..147a30ba1412370f64c7ac1ac72f067bab179800 100644 (file)
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
@@ -115,14 +115,22 @@ static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg)
     char buffer[50] = "";
     strlcpy(buffer, arg, p_idx - arg + 1); /* + 1 for trailing \0 */
 
-    //int module_id = DecoderEventModuleGetModuleId(buffer);
-    //uint16_t alproto = AppLayerGetProtoByName(buffer);
+    /** XXX HACK to support "dns" we use this trick */
+    if (strcasecmp(buffer, "dns") == 0)
+        strlcpy(buffer, "dnsudp", sizeof(buffer));
+
     uint16_t alproto = AppLayerDecoderEventsModuleGetAlproto(buffer);
-    if (alproto == ALPROTO_UNKNOWN)
+    if (alproto == ALPROTO_UNKNOWN) {
+        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword supplied "
+                   "with unknown protocol \"%s\"", buffer);
         return NULL;
+    }
     int event_id = AppLayerDecoderEventsModuleGetEventId(alproto, p_idx + 1);
-    if (event_id == -1)
+    if (event_id == -1) {
+        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword protocol "
+                   "\"%s\" don't have event \"%s\" registered", buffer, p_idx + 1);
         return NULL;
+    }
 
     DetectAppLayerEventData *aled = SCMalloc(sizeof(DetectAppLayerEventData));
     if (unlikely(aled == NULL))

diff --git a/src/detect-parse.c b/src/detect-parse.c
index d386691bff0b47c713a9f8c7896683dcdc6eba60..2b32842fbf2597b9ef61d662c66c91c11e958a45 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -596,6 +596,17 @@ int SigParseProto(Signature *s, const char *protostr) {
                 }
                 als = als->next;
             }
+            /** VJ since our dns parser uses only pp, this is required to set
+             *  ipprotos */
+            AppLayerProbingParserInfo *ppi =
+                AppLayerGetProbingParserInfo(alp_proto_ctx.probing_parsers_info,
+                        protostr);
+            if (ppi != NULL) {
+                /* indicate that the signature is app-layer */
+                s->flags |= SIG_FLAG_APPLAYER;
+                s->alproto = ppi->al_proto;
+                s->proto.proto[ppi->ip_proto / 8] |= 1 << (ppi->ip_proto % 8);
+            }
             SCReturnInt(0);
         }
         AppLayerProbingParserInfo *ppi =
@@ -762,8 +773,17 @@ static int SigParseBasics(Signature *s, char *sigstr, char ***result, uint8_t ad
         goto error;
 
     /* Parse Proto */
-    if (SigParseProto(s, arr[CONFIG_PROTO]) < 0)
-        goto error;
+    if (strcasecmp(arr[CONFIG_PROTO], "dns") == 0) {
+        /** XXX HACK */
+        if (SigParseProto(s, "dnstcp") < 0)
+            goto error;
+        if (SigParseProto(s, "dnsudp") < 0)
+            goto error;
+
+    } else {
+        if (SigParseProto(s, arr[CONFIG_PROTO]) < 0)
+            goto error;
+    }
 
     if (strcmp(arr[CONFIG_DIREC], "<-") == 0) {
         SCLogError(SC_ERR_INVALID_DIRECTION, "\"<-\" is not a valid direction modifier, \"->\" and \"<>\" are supported.");