From 657b83d23827725793d2e3af6f74655c928b016a Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 21 Jan 2014 14:51:56 +0100
Subject: [PATCH] dns: add event for when memcap is reached

Raise event if state-memcap is reached for a flow.
---
 rules/dns-events.rules     | 2 ++
 src/app-layer-dns-common.c | 2 ++
 src/app-layer-dns-common.h | 1 +
 3 files changed, 5 insertions(+)

diff --git a/rules/dns-events.rules b/rules/dns-events.rules
index a14a9030c3..95dee1d09b 100644
--- a/rules/dns-events.rules
+++ b/rules/dns-events.rules
@@ -11,3 +11,5 @@ alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client;
 alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)
 # Request Flood Detected
 alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)
+# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting.
+alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:1;)
diff --git a/src/app-layer-dns-common.c b/src/app-layer-dns-common.c
index 976fa7b642..27e2846a95 100644
--- a/src/app-layer-dns-common.c
+++ b/src/app-layer-dns-common.c
@@ -83,6 +83,7 @@ int DNSCheckMemcap(uint32_t want, DNSState *state) {
     if (state != NULL) {
         if (state->memuse + want > dns_config.state_memcap) {
             SC_ATOMIC_ADD(dns_memcap_state, 1);
+            DNSSetEvent(state, DNS_DECODER_EVENT_STATE_MEMCAP_REACHED);
             return -1;
         }
     }
@@ -110,6 +111,7 @@ SCEnumCharMap dns_decoder_event_table[ ] = {
     { "NOT_A_RESPONSE", DNS_DECODER_EVENT_NOT_A_RESPONSE, },
     { "Z_FLAG_SET", DNS_DECODER_EVENT_Z_FLAG_SET, },
     { "FLOODED", DNS_DECODER_EVENT_FLOODED, },
+    { "STATE_MEMCAP_REACHED", DNS_DECODER_EVENT_STATE_MEMCAP_REACHED, },
     { NULL, -1 },
 };
 
diff --git a/src/app-layer-dns-common.h b/src/app-layer-dns-common.h
index 62532123f2..fe30fcf6e4 100644
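Review bot: The new sid:2240008 rule in rules/dns-events.rules reuses the msg of the flood rule above it, so an analyst will see "SURICATA DNS request flood detected" for what is actually a state-memcap event and mis-triage it; the alert text should name the condition, e.g. `alert dns any any -> any any (msg:"SURICATA DNS state memcap reached"; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:1;)`. The copied `flow:to_server;` is also questionable: DNSCheckMemcap is a per-flow allocation check, and if the parser also calls it while storing answers (not visible in this patch) the event would be raised on to_client traffic that this rule never matches, so the direction constraint should be dropped unless it is deliberate.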
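Review bot: In DNSCheckMemcap the added `DNSSetEvent(state, DNS_DECODER_EVENT_STATE_MEMCAP_REACHED);` fires on every rejected allocation, not once per flow, so a peer that keeps sending queries after the cap is hit will re-raise the event on every subsequent packet of that flow; this is the same flow the memcap is meant to protect against, so it is worth making sure DNSSetEvent (not shown) either bounds its per-state event list or that the call is guarded by a once-only flag such as `if (!(state->flags & DNS_FLAG_MEMCAP_EVENT_SET))`. The hunk also relies on the enclosing `if (state != NULL)` for the NULL check, which is fine here but worth a one-line comment since DNSSetEvent presumably dereferences state. DNSCheckMemcap's body continues past the end of the hunk.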
--- a/src/app-layer-dns-common.h
+++ b/src/app-layer-dns-common.h
@@ -57,6 +57,7 @@ enum {
     DNS_DECODER_EVENT_NOT_A_RESPONSE,
     DNS_DECODER_EVENT_Z_FLAG_SET,
     DNS_DECODER_EVENT_FLOODED,
+    DNS_DECODER_EVENT_STATE_MEMCAP_REACHED,
 };
 
 /** \brief DNS packet header */