dns: multibuffer support for dns.response.answer.name

jasonish · Oct 25, 2023 · 037f8fc · 037f8fc
1 parent 2437f77
commit 037f8fc
Showing 1 changed file with 46 additions and 10 deletions.
diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c
@@ -52,11 +52,15 @@ void DetectDnsAnswerNameRegister(void)
             DetectDnsAnswerNameRegisterTests;
 #endif
     sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
     /* register inspect engines */
     DetectAppLayerInspectEngineRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0,
             DetectEngineInspectDnsResponseAnswerName, NULL);
 
+    DetectBufferTypeSetDescriptionByName(keyword, "dns response answer name");
+    DetectBufferTypeSupportsMultiInstance(keyword);
+
     g_dns_response_answer_name_id = DetectBufferTypeGetByName(keyword);
 }
 
@@ -70,25 +74,57 @@ static int DetectDnsResponseAnswerNameSetup(DetectEngineCtx *de_ctx, Signature *
     return 0;
 }
 
-static uint8_t DetectEngineInspectDnsResponseAnswerName(DetectEngineCtx *de_ctx,
-        DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
-        const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
+static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, void *txv, uint32_t index, int list_id)
 {
-    uint8_t ret = 0;
+    InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
+    if (buffer == NULL) {
+        return NULL;
+    }
+    if (buffer->initialized) {
+        return buffer;
+    }
+
     const uint8_t *data = NULL;
     uint32_t data_len = 0;
 
+    if (!SCDnsTxGetAnswerName(txv, index, &data, &data_len)) {
+        InspectionBufferSetupMultiEmpty(buffer);
+        return NULL;
+    } else {
+        InspectionBufferSetupMulti(buffer, transforms, data, data_len);
+        return buffer;
+    }
+}
+
+static uint8_t DetectEngineInspectDnsResponseAnswerName(DetectEngineCtx *de_ctx,
+        DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine,
+        const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
+{
+    const DetectEngineTransforms *transforms = NULL;
+    if (!engine->mpm) {
+        transforms = engine->v2.transforms;
+    }
+
     for (uint32_t i = 0;; i++) {
-        if (!SCDnsTxGetAnswerName(txv, i, &data, &data_len)) {
+        InspectionBuffer *buffer = GetBuffer(det_ctx, transforms, txv, i, engine->sm_list);
+        if (buffer == NULL || buffer->inspect == NULL) {
             break;
         }
-        ret = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
-                (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
-                DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+
+        det_ctx->buffer_offset = 0;
+        det_ctx->discontinue_matching = 0;
+        det_ctx->inspection_recursion_counter = 0;
+
+        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match == 1) {
+            return DETECT_ENGINE_INSPECT_SIG_MATCH;
+        }
     }
 
-    SCLogNotice("Returning %d.", ret);
-    return ret;
+    return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
 }
 
 #ifdef UNITTESTS