Skip to content

Commit

Permalink
dns: add dns.query.name sticky buffer
Browse files Browse the repository at this point in the history
This buffer is much like dns.query_name but allows for detection in both
directions.

Feature: OISF#6497
  • Loading branch information
jasonish committed Nov 15, 2023
1 parent 1d28c66 commit a16ca3e
Show file tree
Hide file tree
Showing 6 changed files with 235 additions and 0 deletions.
25 changes: 25 additions & 0 deletions rust/src/dns/dns.rs
Original file line number Diff line number Diff line change
Expand Up @@ -881,6 +881,31 @@ pub unsafe extern "C" fn rs_dns_tx_get_query_name(
return 0;
}

/// Get the DNS query name at index i.
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetQueryName(
tx: &mut DNSTransaction, to_client: bool, i: u32, buf: *mut *const u8, len: *mut u32,
) -> bool {
let queries = if to_client {
tx.response.as_ref().map(|response| &response.queries)
} else {
tx.request.as_ref().map(|request| &request.queries)
};
let index = i as usize;

if let Some(queries) = queries {
if let Some(query) = queries.get(index) {
if !query.name.is_empty() {
*buf = query.name.as_ptr();
*len = query.name.len() as u32;
return true;
}
}
}

false
}

/// Get the DNS response answer name and index i.
#[no_mangle]
pub unsafe extern "C" fn SCDnsTxGetAnswerName(
Expand Down
2 changes: 2 additions & 0 deletions src/Makefile.am
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@ noinst_HEADERS = \
detect-dns-answer-name.h \
detect-dns-opcode.h \
detect-dns-query.h \
detect-dns-query-name.h \
detect-dsize.h \
detect-engine-address.h \
detect-engine-address-ipv4.h \
Expand Down Expand Up @@ -736,6 +737,7 @@ libsuricata_c_a_SOURCES = \
detect-dns-answer-name.c \
detect-dns-opcode.c \
detect-dns-query.c \
detect-dns-query-name.c \
detect-dsize.c \
detect-engine-address.c \
detect-engine-address-ipv4.c \
Expand Down
182 changes: 182 additions & 0 deletions src/detect-dns-query-name.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,182 @@
/* Copyright (C) 2023 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/

/**
* \file
*
* Detect keyword for DNS query names: dns.query.name
*/

#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-content-inspection.h"
#include "detect-dns-query-name.h"
#include "util-profiling.h"
#include "rust.h"

static int DetectSetup(DetectEngineCtx *, Signature *, const char *);
static uint8_t DetectEngineInspectCb(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
static int PrefilterMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
const DetectBufferMpmRegistry *mpm_reg, int list_id);

static int detect_buffer_id = 0;

void DetectDnsQueryNameRegister(void)
{
static const char *keyword = "dns.query.name";
sigmatch_table[DETECT_AL_DNS_QUERY_NAME].name = keyword;
sigmatch_table[DETECT_AL_DNS_QUERY_NAME].desc = "DNS query name sticky buffer";
sigmatch_table[DETECT_AL_DNS_QUERY_NAME].url = "/rules/TODOTODOTODO";
sigmatch_table[DETECT_AL_DNS_QUERY_NAME].Setup = DetectSetup;
sigmatch_table[DETECT_AL_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;

/* Register in both directions as the query is usually echoed back
in the response. */
DetectAppLayerInspectEngineRegister(
keyword, ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectCb, NULL);
DetectAppLayerMpmRegister(
keyword, SIG_FLAG_TOSERVER, 2, PrefilterMpmRegister, NULL, ALPROTO_DNS, 1);

DetectAppLayerInspectEngineRegister(
keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectCb, NULL);
DetectAppLayerMpmRegister(
keyword, SIG_FLAG_TOCLIENT, 2, PrefilterMpmRegister, NULL, ALPROTO_DNS, 1);

DetectBufferTypeSetDescriptionByName(keyword, "dns query name");
DetectBufferTypeSupportsMultiInstance(keyword);

detect_buffer_id = DetectBufferTypeGetByName(keyword);
}

static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(de_ctx, s, detect_buffer_id) < 0) {
return -1;
}
if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
return -1;
}

return 0;
}

static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, const uint8_t flags,
const DetectEngineTransforms *transforms, void *txv, uint32_t index, int list_id)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
if (buffer == NULL) {
return NULL;
}
if (buffer->initialized) {
return buffer;
}

bool to_client = (flags & STREAM_TOSERVER) == 0;
const uint8_t *data = NULL;
uint32_t data_len = 0;

if (!SCDnsTxGetQueryName(txv, to_client, index, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(buffer, transforms, data, data_len);
return buffer;
}

static uint8_t DetectEngineInspectCb(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
{
const DetectEngineTransforms *transforms = NULL;
if (!engine->mpm) {
transforms = engine->v2.transforms;
}

for (uint32_t i = 0;; i++) {
InspectionBuffer *buffer = GetBuffer(det_ctx, flags, transforms, txv, i, engine->sm_list);
if (buffer == NULL || buffer->inspect == NULL) {
break;
}

det_ctx->buffer_offset = 0;
det_ctx->discontinue_matching = 0;
det_ctx->inspection_recursion_counter = 0;

const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
(uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
if (match == 1) {
return DETECT_ENGINE_INSPECT_SIG_MATCH;
}
}

return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
}

typedef struct PrefilterMpm {
int list_id;
const MpmCtx *mpm_ctx;
const DetectEngineTransforms *transforms;
} PrefilterMpm;

static void PrefilterTx(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f,
void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
{
SCEnter();

const PrefilterMpm *ctx = (const PrefilterMpm *)pectx;
const MpmCtx *mpm_ctx = ctx->mpm_ctx;
const int list_id = ctx->list_id;

for (uint32_t i = 0;; i++) {
InspectionBuffer *buffer = GetBuffer(det_ctx, flags, ctx->transforms, txv, i, list_id);
if (buffer == NULL) {
break;
}

if (buffer->inspect_len >= mpm_ctx->minlen) {
(void)mpm_table[mpm_ctx->mpm_type].Search(
mpm_ctx, &det_ctx->mtcu, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
}
}
}

static void PrefilterMpmFree(void *ptr)
{
SCFree(ptr);
}

static int PrefilterMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
const DetectBufferMpmRegistry *mpm_reg, int list_id)
{
PrefilterMpm *pectx = SCCalloc(1, sizeof(*pectx));
if (pectx == NULL) {
return -1;
}
pectx->list_id = list_id;
pectx->mpm_ctx = mpm_ctx;
pectx->transforms = &mpm_reg->transforms;

return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTx, mpm_reg->app_v2.alproto,
mpm_reg->app_v2.tx_min_progress, pectx, PrefilterMpmFree, mpm_reg->pname);
}
23 changes: 23 additions & 0 deletions src/detect-dns-query-name.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
/* Copyright (C) 2023 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/

#ifndef __DETECT_DNS_QUERY_NAME_H__
#define __DETECT_DNS_QUERY_NAME_H__

void DetectDnsQueryNameRegister(void);

#endif /* __DETECT_DNS_QUERY_NAME_H__ */
2 changes: 2 additions & 0 deletions src/detect-engine-register.c
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@
#include "detect-dns-opcode.h"
#include "detect-dns-query.h"
#include "detect-dns-answer-name.h"
#include "detect-dns-query-name.h"
#include "detect-tls-sni.h"
#include "detect-tls-certs.h"
#include "detect-tls-cert-fingerprint.h"
Expand Down Expand Up @@ -513,6 +514,7 @@ void SigTableSetup(void)
DetectDnsQueryRegister();
DetectDnsOpcodeRegister();
DetectDnsAnswerNameRegister();
DetectDnsQueryNameRegister();
DetectModbusRegister();
DetectCipServiceRegister();
DetectEnipCommandRegister();
Expand Down
1 change: 1 addition & 0 deletions src/detect-engine-register.h
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,7 @@ enum DetectKeywordId {
DETECT_AL_DNS_QUERY,
DETECT_AL_DNS_OPCODE,
DETECT_AL_DNS_ANSWER_NAME,
DETECT_AL_DNS_QUERY_NAME,
DETECT_AL_TLS_SNI,
DETECT_AL_TLS_CERTS,
DETECT_AL_TLS_CERT_ISSUER,
Expand Down

0 comments on commit a16ca3e

Please sign in to comment.