dns: add support for sshfp records

Update parser to process the records. Update json output to log it.
10 years ago · 1334859379
parent 1df5acb001
commit 1334859379
3 changed files with 43 additions and 1 deletions
--- a/src/app-layer-dns-common.c
+++ b/src/app-layer-dns-common.c
@ -1005,6 +1005,21 @@ const uint8_t *DNSReponseParse(DNSState *dns_state, const DNSHeader * const dns_
            data += ntohs(head->len);
            break;
        }
+        case DNS_RECORD_TYPE_SSHFP:
+        {
+            /* data here should be:
+             * [1 byte algo][1 byte type][var bytes fingerprint]
+             * As we currently can't store each of those in the state,
+             * we just store the raw data an let the output/detect
+             * code figure out what to do with it. */
+
+            DNSStoreAnswerInState(dns_state, list, fqdn, fqdn_len,
+                    ntohs(head->type), ntohs(head->class), ntohl(head->ttl),
+                    data, ntohs(head->len), ntohs(dns_header->tx_id));
+
+            data += ntohs(head->len);
+            break;
+        }
        default:    /* unsupported record */
        {
            DNSStoreAnswerInState(dns_state, list, NULL, 0,
--- a/src/app-layer-dns-common.h
+++ b/src/app-layer-dns-common.h
@ -92,7 +92,6 @@
 #define DNS_RECORD_TYPE_ANY         255
 #define DNS_RECORD_TYPE_URI         256

-
 #define DNS_RCODE_NOERROR       0
 #define DNS_RCODE_FORMERR       1
 #define DNS_RCODE_SERVFAIL      2
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@ -172,6 +172,34 @@ static void OutputAnswer(LogDnsLogThread *aft, json_t *djs, DNSTransaction *tx,
            } else {
                json_object_set_new(js, "rdata", json_string(""));
            }
+        } else if (entry->type == DNS_RECORD_TYPE_SSHFP) {
+            if (entry->data_len > 2) {
+                /* get algo and type */
+                uint8_t algo = *ptr;
+                uint8_t fptype = *(ptr+1);
+
+                /* turn fp raw buffer into a nice :-separate hex string */
+                uint16_t fp_len = (entry->data_len - 2);
+                uint8_t *dptr = ptr+2;
+                uint32_t output_len = fp_len * 2 + 1; // create c-string, so add space for 0.
+                char hexstring[output_len], *p = hexstring;
+                memset(hexstring, 0x00, output_len);
+
+                uint16_t x;
+                for (x = 0; x < fp_len; x++, p += 3) {
+                    snprintf(p, 4, x == fp_len - 1 ? "%02x" : "%02x:", dptr[x]);
+                }
+
+                /* wrap the whole thing in it's own structure */
+                json_t *hjs = json_object();
+                if (hjs != NULL) {
+                    json_object_set_new(hjs, "fingerprint", json_string(hexstring));
+                    json_object_set_new(hjs, "algo", json_integer(algo));
+                    json_object_set_new(hjs, "type", json_integer(fptype));
+
+                    json_object_set_new(js, "sshfp", hjs);
+                }
+            }
        }
    }