DNS: convert dns_query to sticky buffer
authorVictor Julien <victor@inliniac.net>
Fri, 28 Jun 2013 14:49:56 +0000 (16:49 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 2 Jul 2013 15:47:52 +0000 (17:47 +0200)
src/detect-dns-query.c
src/detect-engine-mpm.c
src/detect-isdataat.c
src/detect-pcre.c
src/detect-pcre.h

index 8f1c6597fe7f81da693883677db543c6ea05ddcf..2ecc23547fc3695029af3e7ef36c36b402c5f11d 100644 (file)
@@ -89,10 +89,8 @@ void DetectDnsQueryRegister (void) {
 
 static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
-    return DetectEngineContentModifierBufferSetup(de_ctx, s, str,
-                                                  DETECT_AL_DNS_QUERY,
-                                                  DETECT_SM_LIST_DNSQUERY_MATCH,
-                                                  ALPROTO_DNS, NULL);
+    s->list = DETECT_SM_LIST_DNSQUERY_MATCH;
+    return 0;
 }
 
 /**
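Review bot: The new DetectDnsQuerySetup ignores its `str` argument and records nothing about the protocol, so `dns_query:foo;` is accepted silently and, unless something outside this diff does it, `s->alproto` is no longer forced to `ALPROTO_DNS` the way the removed DetectEngineContentModifierBufferSetup call did (the removed pcre `F` path in detect-pcre.c used to set `s->alproto = ALPROTO_DNS` and `SIG_FLAG_APPLAYER` too). It also never checks that `s->list` is still unset, so `file_data; dns_query;` switches lists with no error, whereas the old pcre code rejected exactly that combination. I would reject a non-empty argument, reject a conflicting alproto or a different sticky buffer already in effect, and set the protocol explicitly, as below.
```c
static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
{
    /* sticky buffer keyword: takes no argument */
    if (str != NULL && strlen(str) > 0) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "dns_query takes no arguments");
        return -1;
    }
    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DNS) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS,
                   "dns_query used in a rule with a non-DNS app-layer protocol");
        return -1;
    }
    if (s->list != DETECT_SM_LIST_NOTSET && s->list != DETECT_SM_LIST_DNSQUERY_MATCH) {
        SCLogError(SC_ERR_INVALID_SIGNATURE,
                   "dns_query can't be combined with another sticky buffer");
        return -1;
    }
    s->alproto = ALPROTO_DNS;
    s->flags |= SIG_FLAG_APPLAYER;
    s->list = DETECT_SM_LIST_DNSQUERY_MATCH;
    return 0;
}
```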
@@ -170,7 +168,7 @@ static int DetectDnsQueryTest01(void) {
 
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                    "(msg:\"Test dns_query option\"; "
-                                   "content:\"google\"; nocase; dns_query; sid:1;)");
+                                   "dns_query; content:\"google\"; nocase; sid:1;)");
     if (s == NULL) {
         goto end;
     }
@@ -288,13 +286,13 @@ static int DetectDnsQueryTest02(void) {
 
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                    "(msg:\"Test dns_query option\"; "
-                                   "content:\"google.com\"; nocase; dns_query; sid:1;)");
+                                   "dns_query; content:\"google.com\"; nocase; sid:1;)");
     if (s == NULL) {
         goto end;
     }
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                    "(msg:\"Test dns_query option\"; "
-                                   "content:\"google.net\"; nocase; dns_query; sid:2;)");
+                                   "dns_query; content:\"google.net\"; nocase; sid:2;)");
     if (s == NULL) {
         goto end;
     }
@@ -518,7 +516,7 @@ static int DetectDnsQueryTest04(void) {
 
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                    "(msg:\"Test dns_query option\"; "
-                                   "content:\"google\"; nocase; dns_query; sid:1;)");
+                                   "dns_query; content:\"google\"; nocase; sid:1;)");
     if (s == NULL) {
         goto end;
     }
@@ -663,13 +661,13 @@ static int DetectDnsQueryTest05(void) {
 
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                       "(msg:\"Test dns_query option\"; "
-                                      "content:\"google.com\"; nocase; dns_query; sid:1;)");
+                                      "dns_query; content:\"google.com\"; nocase; sid:1;)");
     if (s == NULL) {
         goto end;
     }
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                       "(msg:\"Test dns_query option\"; "
-                                      "content:\"google.net\"; nocase; dns_query; sid:2;)");
+                                      "dns_query; content:\"google.net\"; nocase; sid:2;)");
     if (s == NULL) {
         goto end;
     }
@@ -813,15 +811,15 @@ static int DetectDnsQueryTest06(void) {
 
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                       "(msg:\"Test dns_query option\"; "
-                                      "content:\"google\"; nocase; dns_query; "
-                                      "pcre:\"/google\\.com$/iF\"; sid:1;)");
+                                      "dns_query; content:\"google\"; nocase; "
+                                      "pcre:\"/google\\.com$/i\"; sid:1;)");
     if (s == NULL) {
         goto end;
     }
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                       "(msg:\"Test dns_query option\"; "
-                                      "content:\"google\"; nocase; dns_query; "
-                                      "pcre:\"/^\\.[a-z]{2,3}$/iRF\"; sid:2;)");
+                                      "dns_query; content:\"google\"; nocase; "
+                                      "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
     if (s == NULL) {
         goto end;
     }
@@ -945,13 +943,13 @@ static int DetectDnsQueryTest07(void) {
 
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                    "(msg:\"Test dns_query option\"; "
-                                   "content:\"google.com\"; nocase; dns_query; sid:1;)");
+                                   "dns_query; content:\"google.com\"; nocase; sid:1;)");
     if (s == NULL) {
         goto end;
     }
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                    "(msg:\"Test dns_query option\"; "
-                                   "content:\"google.net\"; nocase; dns_query; sid:2;)");
+                                   "dns_query; content:\"google.net\"; nocase; sid:2;)");
     if (s == NULL) {
         goto end;
     }
index 01c8ac80c37ed4a43bc49652f2823dd6f459944d..23b10fe79b75c762b8221bdd89f82c849b974afa 100644 (file)
@@ -2896,7 +2896,7 @@ uint32_t DetectPatternGetId(MpmPatternIdStore *ht, void *ctx, Signature *s, uint
     r = HashTableLookup(ht->hash, (void *)e, sizeof(MpmPatternIdTableElmt));
     if (r == NULL) {
         if (s->list != DETECT_SM_LIST_NOTSET) {
-            BUG_ON((sm_list != DETECT_SM_LIST_HSBDMATCH) && (sm_list != DETECT_SM_LIST_DMATCH));
+            BUG_ON(sm_list != DETECT_SM_LIST_HSBDMATCH && sm_list != DETECT_SM_LIST_DMATCH && sm_list != DETECT_SM_LIST_DNSQUERY_MATCH);
             e->id = ht->max_id;
             ht->max_id++;
             id = e->id;
index 45b6fc768ee50052d183d3c8e021e207cb321212..a62a5331d9b1858310e7df005a5bdc8c36962c93 100644 (file)
@@ -1054,6 +1054,56 @@ static int DetectIsdataatTestParse15(void)
     return result;
 }
 
+/**
+ *  \test dns_query with isdataat relative to it
+ */
+static int DetectIsdataatTestParse16(void)
+{
+    DetectEngineCtx *de_ctx = NULL;
+    int result = 0;
+    Signature *s = NULL;
+    DetectIsdataatData *data = NULL;
+
+    de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    de_ctx->flags |= DE_QUIET;
+    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+                               "(msg:\"Testing dns_query and isdataat\"; "
+                               "dns_query; isdataat:!4,relative; sid:1;)");
+    if (de_ctx->sig_list == NULL) {
+        printf("sig parse: ");
+        goto end;
+    }
+
+    s = de_ctx->sig_list;
+    if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH] == NULL) {
+        printf("dns_query list empty: ");
+        goto end;
+    }
+
+    if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH]->type != DETECT_ISDATAAT) {
+        printf("last dns_query body sm not isdataat: ");
+        goto end;
+    }
+
+    data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DNSQUERY_MATCH]->ctx;
+    if ( !(data->flags & ISDATAAT_RELATIVE) ||
+         (data->flags & ISDATAAT_RAWBYTES) ||
+         !(data->flags & ISDATAAT_NEGATED) ) {
+        goto end;
+    }
+
+    result = 1;
+ end:
+    SigGroupCleanup(de_ctx);
+    SigCleanSignatures(de_ctx);
+    DetectEngineCtxFree(de_ctx);
+
+    return result;
+}
+
 /**
  * \test DetectIsdataatTestPacket01 is a test to check matches of
  * isdataat, and isdataat relative
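Review bot: DetectIsdataatTestParse16 builds its rule as `alert tcp any any -> any any`, unlike every dns_query test in this commit, which uses `alert dns`; since the new sticky-buffer setup in detect-dns-query.c no longer sets the protocol itself, this test passes parsing without proving the signature will ever inspect DNS. Either switch the header to `alert dns` or add `if (s->alproto != ALPROTO_DNS) { printf("alproto not dns: "); goto end; }` after the list checks. The final flag check also does `goto end` with no `printf`, unlike the earlier failure branches, so a failure there is silent in the unittest output. If DetectEngineCtxInit fails, the cleanup calls at `end` run on a NULL `de_ctx`; I cannot tell from here whether those helpers are NULL-safe, so guarding them with `if (de_ctx != NULL)` would be the cautious form.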
@@ -1177,6 +1227,7 @@ void DetectIsdataatRegisterTests(void) {
     UtRegisterTest("DetectIsdataatTestParse13", DetectIsdataatTestParse13, 1);
     UtRegisterTest("DetectIsdataatTestParse14", DetectIsdataatTestParse14, 1);
     UtRegisterTest("DetectIsdataatTestParse15", DetectIsdataatTestParse15, 1);
+    UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16, 1);
 
     UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01, 1);
     UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02, 1);
index 4d03e0e0d8563347264c14865f74fb75fdfc92d0..e496d8f046bf125c2456c0b4356079a992c5949c 100644 (file)
@@ -471,10 +471,6 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
                     /* snort's option */
                     pd->flags |= DETECT_PCRE_HTTP_STAT_CODE;
                     break;
-                case 'F':
-                    /* suricata extension (dns query name) */
-                    pd->flags |= DETECT_PCRE_DNS_QUERY;
-                    break;
                 default:
                     SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "unknown regex modifier '%c'", *op);
                     goto error;
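Review bot: Dropping `case 'F'` makes every existing rule that used `pcre:"/.../F"` fail to load with the generic "unknown regex modifier 'F'" message, which gives the rule author no hint that the replacement is the `dns_query` sticky buffer. Keeping the break but naming the migration path costs two lines: `case 'F': SCLogError(SC_ERR_UNKNOWN_REGEX_MOD, "pcre 'F' modifier has been removed, use the dns_query sticky buffer instead"); goto error;`. DetectPcreParse's body continues outside the hunk.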
@@ -697,22 +693,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
         }
     }
 
-    if (pd->flags & DETECT_PCRE_DNS_QUERY) {
-        if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DNS) {
-            SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option.  "
-                       "Conflicting alprotos detected for this rule. Dns "
-                       "pcre modifier found along with a different protocol "
-                       "for the rule.");
-            goto error;
-        }
-        if (s->list != DETECT_SM_LIST_NOTSET) {
-            SCLogError(SC_ERR_INVALID_SIGNATURE, "pcre found with dns "
-                       "modifier set, with file_data/dce_stub_data sticky "
-                       "option set.");
-            goto error;
-        }
-    }
-
     int sm_list;
     if (s->list != DETECT_SM_LIST_NOTSET) {
         if (s->list == DETECT_SM_LIST_HSBDMATCH) {
@@ -720,6 +700,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
             AppLayerHtpEnableResponseBodyCallback();
         } else if (s->list == DETECT_SM_LIST_DMATCH) {
             SCLogDebug("adding to dmatch list because of dce_stub_data");
+        } else if (s->list == DETECT_SM_LIST_DNSQUERY_MATCH) {
+            SCLogDebug("adding to DETECT_SM_LIST_DNSQUERY_MATCH list because of dns_query");
         }
         s->flags |= SIG_FLAG_APPLAYER;
         sm_list = s->list;
@@ -786,11 +768,6 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
         s->flags |= SIG_FLAG_APPLAYER;
         s->alproto = ALPROTO_HTTP;
         sm_list = DETECT_SM_LIST_HUADMATCH;
-    } else if (pd->flags & DETECT_PCRE_DNS_QUERY) {
-        SCLogDebug("DNS query inspection modifier set on pcre");
-        s->flags |= SIG_FLAG_APPLAYER;
-        s->alproto = ALPROTO_DNS;
-        sm_list = DETECT_SM_LIST_DNSQUERY_MATCH;
     } else {
         sm_list = DETECT_SM_LIST_PMATCH;
     }
index 56c62cc3c6f47d7552ca9422fb87d964b8d917c9..986ca0a3d532267313a936c34432c35f26aa0f89 100644 (file)
@@ -52,8 +52,6 @@
 #define DETECT_PCRE_NEGATE              0x80000
 #define DETECT_PCRE_CASELESS           0x100000
 
-#define DETECT_PCRE_DNS_QUERY          0x200000
-
 typedef struct DetectPcreData_ {
     /* pcre options */
     pcre *re;