dns: add event for when memcap is reached

Raise event if state-memcap is reached for a flow.
11 years ago · 657b83d238
parent 9a21a2f64b
commit 657b83d238
3 changed files with 5 additions and 0 deletions
--- a/rules/dns-events.rules
+++ b/rules/dns-events.rules
@ -11,3 +11,5 @@ alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client;
 alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)
 # Request Flood Detected
 alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)
+# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting.
+alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:1;)
--- a/src/app-layer-dns-common.c
+++ b/src/app-layer-dns-common.c
@ -83,6 +83,7 @@ int DNSCheckMemcap(uint32_t want, DNSState *state) {
    if (state != NULL) {
        if (state->memuse + want > dns_config.state_memcap) {
            SC_ATOMIC_ADD(dns_memcap_state, 1);
+            DNSSetEvent(state, DNS_DECODER_EVENT_STATE_MEMCAP_REACHED);
            return -1;
        }
    }
@ -110,6 +111,7 @@ SCEnumCharMap dns_decoder_event_table[ ] = {
    { "NOT_A_RESPONSE",             DNS_DECODER_EVENT_NOT_A_RESPONSE, },
    { "Z_FLAG_SET",                 DNS_DECODER_EVENT_Z_FLAG_SET, },
    { "FLOODED",                    DNS_DECODER_EVENT_FLOODED, },
+    { "STATE_MEMCAP_REACHED",       DNS_DECODER_EVENT_STATE_MEMCAP_REACHED, },

    { NULL,                         -1 },
 };
--- a/src/app-layer-dns-common.h
+++ b/src/app-layer-dns-common.h
@ -57,6 +57,7 @@ enum {
    DNS_DECODER_EVENT_NOT_A_RESPONSE,
    DNS_DECODER_EVENT_Z_FLAG_SET,
    DNS_DECODER_EVENT_FLOODED,
+    DNS_DECODER_EVENT_STATE_MEMCAP_REACHED,
 };

 /** \brief DNS packet header */