dns: add keywords for additionals and authorities rrnames

Add keywords dns.additionals.rrname and dns.authorities.rrname. Along
the way, consolidate dns.query.name and dns.answer.name into a single file
and register them together, since there is a lot of common code.
pull/12717/head
Jason Ish 10 months ago committed by Victor Julien
parent c57e1425f5
commit 814e9ffb7a

@ -7,22 +7,6 @@ matching on specific fields in DNS messages.
Note that sticky buffers are expected to be followed by one or more Note that sticky buffers are expected to be followed by one or more
:doc:`payload-keywords`. :doc:`payload-keywords`.
dns.answer.name
---------------
``dns.answer.name`` is a sticky buffer that is used to look at the
name field in DNS answer resource records.
``dns.answer.name`` will look at both requests and responses, so
``flow`` is recommended to confine to a specific direction.
The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io".
``dns.answer.name`` supports :doc:`multi-buffer-matching`.
``dns.answer.name`` was introduced in Suricata 8.0.0.
dns.opcode dns.opcode
---------- ----------
@ -134,9 +118,9 @@ pkt_data is used or it reaches the end of the rule.
.. note:: **dns.query** will only match on DNS request messages, to .. note:: **dns.query** will only match on DNS request messages, to
also match on DNS response message, see also match on DNS response message, see
`dns.query.name`_. `dns.queries.rrname`_.
``dns.query.name`` supports :doc:`multi-buffer-matching`. ``dns.queries.rrname`` supports :doc:`multi-buffer-matching`.
Normalized Buffer Normalized Buffer
~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~
@ -160,22 +144,71 @@ DNS query on the wire (snippet)::
mail.google.com mail.google.com
dns.query.name dns.queries.rrname
--------------- ------------------
``dns.queries.rrname`` is a sticky buffer that is used to look at the
name field in DNS query (question) resource records. It is nearly
identical to ``dns.query`` but supports both DNS requests and
responses.
``dns.queries.rrname`` will look at both requests and responses, so
``flow`` is recommended to confine to a specific direction.
The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io".
``dns.queries.rrname`` supports :doc:`multi-buffer-matching`.
``dns.queries.rrname`` was introduced in Suricata 8.0.0.
``dns.query.name`` is a sticky buffer that is used to look at the name dns.answers.rrname
field in DNS query (question) resource records. It is nearly identical ------------------
to ``dns.query`` but supports both DNS requests and responses.
``dns.query.name`` will look at both requests and responses, so ``dns.answers.rrname`` is a sticky buffer that is used to look at the
name field in DNS answer resource records.
``dns.answers.rrname`` will look at both requests and responses, so
``flow`` is recommended to confine to a specific direction. ``flow`` is recommended to confine to a specific direction.
The buffer being matched on contains the complete re-assembled The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io". resource name, for example "www.suricata.io".
``dns.query.name`` supports :doc:`multi-buffer-matching`. ``dns.answers.rrname`` supports :doc:`multi-buffer-matching`.
``dns.answers.rrname`` was introduced in Suricata 8.0.0.
dns.authorities.rrname
----------------------
``dns.authorities.rrname`` is a sticky buffer that is used to look at the
rrname field in DNS authority resource records.
``dns.authorities.rrname`` will look at both requests and responses,
so ``flow`` is recommended to confine to a specific direction.
The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io".
``dns.authorities.rrname`` supports :doc:`multi-buffer-matching`.
``dns.authorities.rrname`` was introduced in Suricata 8.0.0.
dns.additionals.rrname
----------------------
``dns.additionals.rrname`` is a sticky buffer that is used to look at
the rrname field in DNS additional resource records.
``dns.additionals.rrname`` will look at both requests and responses,
so ``flow`` is recommended to confine to a specific direction.
The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io".
``dns.additionals.rrname`` supports :doc:`multi-buffer-matching`.
``dns.query.name`` was introduced in Suricata 8.0.0. ``dns.additionals.rrname`` was introduced in Suricata 8.0.0.
dns.response.rrname dns.response.rrname
------------------- -------------------

@ -112,13 +112,12 @@ noinst_HEADERS = \
detect-detection-filter.h \ detect-detection-filter.h \
detect-distance.h \ detect-distance.h \
detect-dnp3.h \ detect-dnp3.h \
detect-dns-answer-name.h \ detect-dns-name.h \
detect-dns-opcode.h \ detect-dns-opcode.h \
detect-dns-rcode.h \ detect-dns-rcode.h \
detect-dns-response.h \ detect-dns-response.h \
detect-dns-rrtype.h \ detect-dns-rrtype.h \
detect-dns-query.h \ detect-dns-query.h \
detect-dns-query-name.h \
detect-dsize.h \ detect-dsize.h \
detect-engine-address.h \ detect-engine-address.h \
detect-engine-address-ipv4.h \ detect-engine-address-ipv4.h \
@ -689,13 +688,12 @@ libsuricata_c_a_SOURCES = \
detect-detection-filter.c \ detect-detection-filter.c \
detect-distance.c \ detect-distance.c \
detect-dnp3.c \ detect-dnp3.c \
detect-dns-answer-name.c \ detect-dns-name.c \
detect-dns-opcode.c \ detect-dns-opcode.c \
detect-dns-rcode.c \ detect-dns-rcode.c \
detect-dns-response.c \ detect-dns-response.c \
detect-dns-rrtype.c \ detect-dns-rrtype.c \
detect-dns-query.c \ detect-dns-query.c \
detect-dns-query-name.c \
detect-dsize.c \ detect-dsize.c \
detect-engine-address.c \ detect-engine-address.c \
detect-engine-address-ipv4.c \ detect-engine-address-ipv4.c \

@ -1,92 +0,0 @@
/* Copyright (C) 2023 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* Detect keyword for DNS answer name: dns.answer.name
*/
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-content-inspection.h"
#include "detect-dns-answer-name.h"
#include "util-profiling.h"
#include "rust.h"
static int detect_buffer_id = 0;
static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(de_ctx, s, detect_buffer_id) < 0) {
return -1;
}
if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
return -1;
}
return 0;
}
static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
if (buffer == NULL) {
return NULL;
}
if (buffer->initialized) {
return buffer;
}
bool to_client = (flags & STREAM_TOSERVER) == 0;
const uint8_t *data = NULL;
uint32_t data_len = 0;
if (!SCDnsTxGetAnswerName(txv, to_client, index, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
void DetectDnsAnswerNameRegister(void)
{
static const char *keyword = "dns.answer.name";
sigmatch_table[DETECT_DNS_ANSWER_NAME].name = keyword;
sigmatch_table[DETECT_DNS_ANSWER_NAME].desc = "DNS answer name sticky buffer";
sigmatch_table[DETECT_DNS_ANSWER_NAME].url = "/rules/dns-keywords.html#dns-answer-name";
sigmatch_table[DETECT_DNS_ANSWER_NAME].Setup = DetectSetup;
sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
/* Register in the TO_SERVER direction, even though this is not
normal, it could be provided as part of a request. */
DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, GetBuffer, 2, 1);
/* Register in the TO_CLIENT direction. */
DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, GetBuffer, 2, 1);
DetectBufferTypeSetDescriptionByName(keyword, "dns answer name");
DetectBufferTypeSupportsMultiInstance(keyword);
detect_buffer_id = DetectBufferTypeGetByName(keyword);
}

@ -1,23 +0,0 @@
/* Copyright (C) 2023 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#ifndef SURICATA_DETECT_DNS_ANSWER_NAME_H
#define SURICATA_DETECT_DNS_ANSWER_NAME_H
void DetectDnsAnswerNameRegister(void);
#endif /* SURICATA_DETECT_DNS_ANSWER_NAME_H */

@ -0,0 +1,188 @@
/* Copyright (C) 2025 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* Detect keyword for DNS rrnames:
* - dns.queries.rrname
* - dns.answers.rrname
* - dns.authorities.name
* - dns.additionals.name
*/
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-content-inspection.h"
#include "detect-engine-helper.h"
#include "detect-dns-name.h"
#include "rust.h"
enum DnsSection {
DNS_QUERY = 0,
DNS_ANSWER,
DNS_AUTHORITY,
DNS_ADDITIONAL,
};
static int query_buffer_id = 0;
static int answer_buffer_id = 0;
static int authority_buffer_id = 0;
static int additional_buffer_id = 0;
static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str, int id)
{
if (DetectBufferSetActiveList(de_ctx, s, id) < 0) {
return -1;
}
if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
return -1;
}
return 0;
}
static int SetupQueryBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
return DetectSetup(de_ctx, s, str, query_buffer_id);
}
static int SetupAnswerBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
return DetectSetup(de_ctx, s, str, answer_buffer_id);
}
static int SetupAdditionalsBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
return DetectSetup(de_ctx, s, str, additional_buffer_id);
}
static int SetupAuthoritiesBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
return DetectSetup(de_ctx, s, str, authority_buffer_id);
}
static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index, enum DnsSection what)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
if (buffer == NULL) {
return NULL;
}
if (buffer->initialized) {
return buffer;
}
bool to_client = (flags & STREAM_TOSERVER) == 0;
const uint8_t *data = NULL;
uint32_t data_len = 0;
bool ok = false;
switch (what) {
case DNS_QUERY:
ok = SCDnsTxGetQueryName(txv, to_client, index, &data, &data_len);
break;
case DNS_ANSWER:
ok = SCDnsTxGetAnswerName(txv, to_client, index, &data, &data_len);
break;
case DNS_AUTHORITY:
ok = SCDnsTxGetAuthorityName(txv, index, &data, &data_len);
break;
case DNS_ADDITIONAL:
ok = SCDnsTxGetAdditionalName(txv, index, &data, &data_len);
break;
default:
DEBUG_VALIDATE_BUG_ON("unhandled dns rrname type");
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
if (ok) {
InspectionBufferSetupMulti(buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
static InspectionBuffer *GetQueryBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_QUERY);
}
static InspectionBuffer *GetAnswerBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_ANSWER);
}
static InspectionBuffer *GetAuthorityBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_AUTHORITY);
}
static InspectionBuffer *GetAdditionalBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, uint8_t flags, void *txv, int list_id,
uint32_t index)
{
return GetBuffer(det_ctx, transforms, f, flags, txv, list_id, index, DNS_ADDITIONAL);
}
static int Register(const char *keyword, const char *desc, const char *doc,
int (*Setup)(DetectEngineCtx *, Signature *, const char *),
InspectionMultiBufferGetDataPtr GetBufferFn)
{
int keyword_id = SCDetectHelperNewKeywordId();
sigmatch_table[keyword_id].name = keyword;
sigmatch_table[keyword_id].desc = desc;
sigmatch_table[keyword_id].url = doc;
sigmatch_table[keyword_id].Setup = Setup;
sigmatch_table[keyword_id].flags |= SIGMATCH_NOOPT;
sigmatch_table[keyword_id].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, GetBufferFn, 2, 1);
DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, GetBufferFn, 2, 1);
DetectBufferTypeSetDescriptionByName(keyword, keyword);
DetectBufferTypeSupportsMultiInstance(keyword);
return DetectBufferTypeGetByName(keyword);
}
void DetectDnsNameRegister(void)
{
query_buffer_id = Register("dns.queries.rrname", "DNS query rrname sticky buffer",
"/rules/dns-keywords.html#dns.queries.rrname", SetupQueryBuffer, GetQueryBuffer);
answer_buffer_id = Register("dns.answers.rrname", "DNS answer rrname sticky buffer",
"/rules/dns-keywords.html#dns.answers.rrname", SetupAnswerBuffer, GetAnswerBuffer);
additional_buffer_id =
Register("dns.additionals.rrname", "DNS additionals rrname sticky buffer",
"/rules/dns-keywords.html#dns-additionals-rrname", SetupAdditionalsBuffer,
GetAdditionalBuffer);
authority_buffer_id = Register("dns.authorities.rrname", "DNS authorities rrname sticky buffer",
"/rules/dns-keywords.html#dns-authorities-rrname", SetupAuthoritiesBuffer,
GetAuthorityBuffer);
}
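Review bot: The documentation URLs registered in DetectDnsNameRegister are inconsistent: the two carried-over keywords use dotted anchors (`"/rules/dns-keywords.html#dns.queries.rrname"`, `"/rules/dns-keywords.html#dns.answers.rrname"`) while the two new keywords use hyphenated ones (`#dns-additionals-rrname`, `#dns-authorities-rrname`), and the deleted files this replaces also used hyphens (`#dns-answer-name`, `#dns-query-name`), so the dotted pair is most likely a dead link and should read `"/rules/dns-keywords.html#dns-queries-rrname"` and `"/rules/dns-keywords.html#dns-answers-rrname"`. The file header comment lists `dns.authorities.name` and `dns.additionals.name`, but the keywords actually registered are `dns.authorities.rrname` and `dns.additionals.rrname`; the comment should match the strings passed to Register. In GetBuffer, the `default:` arm passes a string literal to `DEBUG_VALIDATE_BUG_ON`; if that macro takes a condition, a non-null literal is always true, which does give the intended abort-if-reached in validation builds but reads like a message argument — `DEBUG_VALIDATE_BUG_ON(1); /* unreachable: every DnsSection value is handled above */` states the intent directly. Register also calls `DetectBufferTypeSetDescriptionByName(keyword, keyword)`, dropping the human-readable descriptions the removed files set (`"dns answer name"`, `"dns query name"`); passing the `desc` argument instead would keep that behavior.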

@ -15,9 +15,9 @@
* 02110-1301, USA. * 02110-1301, USA.
*/ */
#ifndef SURICATA_DETECT_DNS_QUERY_NAME_H #ifndef SURICATA_DETECT_DNS_NAME_H
#define SURICATA_DETECT_DNS_QUERY_NAME_H #define SURICATA_DETECT_DNS_NAME_H
void DetectDnsQueryNameRegister(void); void DetectDnsNameRegister(void);
#endif /* SURICATA_DETECT_DNS_QUERY_NAME_H */ #endif /* SURICATA_DETECT_DNS_NAME_H */

@ -1,91 +0,0 @@
/* Copyright (C) 2023 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* Detect keyword for DNS query names: dns.query.name
*/
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-content-inspection.h"
#include "detect-dns-query-name.h"
#include "util-profiling.h"
#include "rust.h"
static int detect_buffer_id = 0;
static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(de_ctx, s, detect_buffer_id) < 0) {
return -1;
}
if (DetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
return -1;
}
return 0;
}
static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flags, void *txv,
int list_id, uint32_t index)
{
InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
if (buffer == NULL) {
return NULL;
}
if (buffer->initialized) {
return buffer;
}
bool to_client = (flags & STREAM_TOSERVER) == 0;
const uint8_t *data = NULL;
uint32_t data_len = 0;
if (!SCDnsTxGetQueryName(txv, to_client, index, &data, &data_len)) {
InspectionBufferSetupMultiEmpty(buffer);
return NULL;
}
InspectionBufferSetupMulti(buffer, transforms, data, data_len);
buffer->flags = DETECT_CI_FLAGS_SINGLE;
return buffer;
}
void DetectDnsQueryNameRegister(void)
{
static const char *keyword = "dns.query.name";
sigmatch_table[DETECT_DNS_QUERY_NAME].name = keyword;
sigmatch_table[DETECT_DNS_QUERY_NAME].desc = "DNS query name sticky buffer";
sigmatch_table[DETECT_DNS_QUERY_NAME].url = "/rules/dns-keywords.html#dns-query-name";
sigmatch_table[DETECT_DNS_QUERY_NAME].Setup = DetectSetup;
sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
/* Register in both directions as the query is usually echoed back
in the response. */
DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, GetBuffer, 2, 1);
DetectAppLayerMultiRegister(keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, GetBuffer, 2, 1);
DetectBufferTypeSetDescriptionByName(keyword, "dns query name");
DetectBufferTypeSupportsMultiInstance(keyword);
detect_buffer_id = DetectBufferTypeGetByName(keyword);
}

@ -51,8 +51,7 @@
#include "detect-dns-rcode.h" #include "detect-dns-rcode.h"
#include "detect-dns-rrtype.h" #include "detect-dns-rrtype.h"
#include "detect-dns-query.h" #include "detect-dns-query.h"
#include "detect-dns-answer-name.h" #include "detect-dns-name.h"
#include "detect-dns-query-name.h"
#include "detect-dns-response.h" #include "detect-dns-response.h"
#include "detect-tls-sni.h" #include "detect-tls-sni.h"
#include "detect-tls-certs.h" #include "detect-tls-certs.h"
@ -558,8 +557,7 @@ void SigTableSetup(void)
DetectDnsOpcodeRegister(); DetectDnsOpcodeRegister();
DetectDnsRcodeRegister(); DetectDnsRcodeRegister();
DetectDnsRrtypeRegister(); DetectDnsRrtypeRegister();
DetectDnsAnswerNameRegister(); DetectDnsNameRegister();
DetectDnsQueryNameRegister();
DetectDnsResponseRegister(); DetectDnsResponseRegister();
DetectModbusRegister(); DetectModbusRegister();
DetectDNP3Register(); DetectDNP3Register();

@ -248,8 +248,6 @@ enum DetectKeywordId {
DETECT_DNS_RCODE, DETECT_DNS_RCODE,
DETECT_DNS_RESPONSE, DETECT_DNS_RESPONSE,
DETECT_DNS_RRTYPE, DETECT_DNS_RRTYPE,
DETECT_DNS_ANSWER_NAME,
DETECT_DNS_QUERY_NAME,
DETECT_TLS_SNI, DETECT_TLS_SNI,
DETECT_TLS_CERTS, DETECT_TLS_CERTS,
DETECT_TLS_CERT_ISSUER, DETECT_TLS_CERT_ISSUER,
