From: Victor Julien
Date: Mon, 25 Mar 2013 16:19:54 +0000 (+0100)
Subject: Hacks to enable alert dns even though we have dnstcp and dnsudp parsers. Needs proper...
X-Git-Tag: suricata-2.0beta1~78
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=59780ca77020ac71f6bbc05d69a91136f91696ee;p=thirdparty%2Fsuricata.git
Hacks to enable alert dns even though we have dnstcp and dnsudp parsers. Needs proper solution later.
---
diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index d84162de6a..46ee54ea52 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -635,6 +635,13 @@ int AppLayerRegisterProto(char *name, uint8_t proto, uint8_t flags,
 exit(EXIT_FAILURE);
 }
+ /* register name here as well so pp only protocols will work */
+ if (al_proto_table[proto].name != NULL) {
+ BUG_ON(strcmp(al_proto_table[proto].name, name) != 0);
+ } else {
+ al_proto_table[proto].name = name;
+ }
+
 al_parser_table[al_max_parsers].name = name;
 al_parser_table[al_max_parsers].AppLayerParser = AppLayerParser;
diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c
index aa59f33bb1..147a30ba14 100644
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
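Review bot: In AppLayerRegisterProto (src/app-layer-parser.c) a name mismatch is handled only by `BUG_ON(strcmp(al_proto_table[proto].name, name) != 0);`, which prints nothing about which two names collided. If BUG_ON is assert-based in this build (its definition is not visible here), the check also disappears when assertions are compiled out, and the earlier name silently wins. A registration conflict is a startup error like the one handled just above with `exit(EXIT_FAILURE);`, so logging both names and exiting the same way would be more consistent. The table also keeps the caller's pointer rather than a copy, so a comment such as `/* name is stored, not copied: it must stay valid for the lifetime of the table */` would document that assumption. The function body starts and ends outside the hunk.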
@@ -115,14 +115,22 @@ static DetectAppLayerEventData *DetectAppLayerEventParse(const char *arg)
 char buffer[50] = "";
 strlcpy(buffer, arg, p_idx - arg + 1); /* + 1 for trailing \0 */
- //int module_id = DecoderEventModuleGetModuleId(buffer);
- //uint16_t alproto = AppLayerGetProtoByName(buffer);
+ /** XXX HACK to support "dns" we use this trick */
+ if (strcasecmp(buffer, "dns") == 0)
+ strlcpy(buffer, "dnsudp", sizeof(buffer));
+
 uint16_t alproto = AppLayerDecoderEventsModuleGetAlproto(buffer);
- if (alproto == ALPROTO_UNKNOWN)
+ if (alproto == ALPROTO_UNKNOWN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword supplied "
+ "with unknown protocol \"%s\"", buffer);
 return NULL;
+ }
 int event_id = AppLayerDecoderEventsModuleGetEventId(alproto, p_idx + 1);
- if (event_id == -1)
+ if (event_id == -1) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword protocol "
+ "\"%s\" don't have event \"%s\" registered", buffer, p_idx + 1);
 return NULL;
+ }
 DetectAppLayerEventData *aled = SCMalloc(sizeof(DetectAppLayerEventData));
 if (unlikely(aled == NULL))
diff --git a/src/detect-parse.c b/src/detect-parse.c
index d386691bff..2b32842fbf 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -596,6 +596,17 @@ int SigParseProto(Signature *s, const char *protostr) {
 }
 als = als->next;
 }
+ /** VJ since our dns parser uses only pp, this is required to set
+ * ipprotos */
+ AppLayerProbingParserInfo *ppi =
+ AppLayerGetProbingParserInfo(alp_proto_ctx.probing_parsers_info,
+ protostr);
+ if (ppi != NULL) {
+ /* indicate that the signature is app-layer */
+ s->flags |= SIG_FLAG_APPLAYER;
+ s->alproto = ppi->al_proto;
+ s->proto.proto[ppi->ip_proto / 8] |= 1 << (ppi->ip_proto % 8);
+ }
 SCReturnInt(0);
 }
 AppLayerProbingParserInfo *ppi =
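Review bot: In DetectAppLayerEventParse the context line `strlcpy(buffer, arg, p_idx - arg + 1);` still copies into `char buffer[50]` with a size taken from the rule text, unlike the new `strlcpy(buffer, "dnsudp", sizeof(buffer));`, which is bounded by the buffer. If the part of `arg` before `p_idx` is 50 bytes or longer, strlcpy is told the destination is larger than it is and writes past the end of the stack buffer; how `p_idx` is derived is outside the hunk, so this assumes there is no earlier length check. A guard before the copy, `if ((size_t)(p_idx - arg) >= sizeof(buffer)) return NULL;`, ideally with an SCLogError in the style added below, closes this. Separately, the new error messages print `buffer` after the alias rewrite, so a rule that says `dns` is reported as `dnsudp`.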
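Review bot: In SigParseProto (src/detect-parse.c) `s->alproto = ppi->al_proto;` is a plain assignment, while the ipprotos update on the next line is an OR. The SigParseBasics hunk in this commit calls the function twice for one signature, for "dnstcp" and then "dnsudp", so the second call replaces the alproto while both IP protocol bits stay set. If the two names map to different al_proto values, which this page does not show, an `alert dns` rule ends up bound to the last one only, and DNS over the other transport may not get the app-layer inspection the rule author expects. At minimum the assignment deserves a comment such as `/* overwrites an alproto set by an earlier call for the same signature */`. The lookup also appears to run when the loop above has already matched; that loop is outside the hunk, so this is worth confirming as intended.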
@@ -762,8 +773,17 @@ static int SigParseBasics(Signature *s, char *sigstr, char ***result, uint8_t ad
 goto error;
 /* Parse Proto */
- if (SigParseProto(s, arr[CONFIG_PROTO]) < 0)
- goto error;
+ if (strcasecmp(arr[CONFIG_PROTO], "dns") == 0) {
+ /** XXX HACK */
+ if (SigParseProto(s, "dnstcp") < 0)
+ goto error;
+ if (SigParseProto(s, "dnsudp") < 0)
+ goto error;
+
+ } else {
+ if (SigParseProto(s, arr[CONFIG_PROTO]) < 0)
+ goto error;
+ }
 if (strcmp(arr[CONFIG_DIREC], "<-") == 0) {
 SCLogError(SC_ERR_INVALID_DIRECTION, "\"<-\" is not a valid direction modifier, \"->\" and \"<>\" are supported.");
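Review bot: The `/** XXX HACK */` comment in SigParseBasics does not say what the hack is or when it can be removed. Something like `/* "dns" has no parser of its own: expand it to the dnstcp and dnsudp probing parsers until a single dns protocol exists */` would let the next reader take it out safely. The alias is also spelled out a second time in this commit, in DetectAppLayerEventParse, with a different expansion ("dns" to "dnsudp" only); a shared helper, or a comment cross-referencing the two places, would keep them from drifting apart. The function starts and ends outside the hunk.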