dns: use dynamic buffers

9 years ago · d9b3ae6cd6
parent d2f77978ec
commit d9b3ae6cd6
7 changed files with 55 additions and 82 deletions
--- a/src/detect-dns-query.c
+++ b/src/detect-dns-query.c
@ -60,6 +60,7 @@

 static int DetectDnsQuerySetup (DetectEngineCtx *, Signature *, char *);
 static void DetectDnsQueryRegisterTests(void);
+static int g_dns_query_buffer_id = 0;

 /**
 * \brief Registration function for keyword: dns_query
@ -77,21 +78,30 @@ void DetectDnsQueryRegister (void)
    sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_PAYLOAD;

-    DetectMpmAppLayerRegister("dns_query", SIG_FLAG_TOSERVER,
-            DETECT_SM_LIST_DNSQUERYNAME_MATCH, 2,
+    DetectAppLayerMpmRegister("dns_query", SIG_FLAG_TOSERVER, 2,
            PrefilterTxDnsQueryRegister);

-    DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOSERVER,
-            DETECT_SM_LIST_DNSQUERYNAME_MATCH,
+    DetectAppLayerInspectEngineRegister2("dns_query",
+            ALPROTO_DNS, SIG_FLAG_TOSERVER,
            DetectEngineInspectDnsQueryName);

+    DetectBufferTypeSetDescriptionByName("dns_query",
+            "dns request query");
+
+    g_dns_query_buffer_id = DetectBufferTypeGetByName("dns_query");
+
    /* register these generic engines from here for now */
-    DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOSERVER,
-            DETECT_SM_LIST_DNSREQUEST_MATCH,
+    DetectAppLayerInspectEngineRegister2("dns_request",
+            ALPROTO_DNS, SIG_FLAG_TOSERVER,
            DetectEngineInspectDnsRequest);
-    DetectAppLayerInspectEngineRegister(ALPROTO_DNS, SIG_FLAG_TOCLIENT,
-            DETECT_SM_LIST_DNSRESPONSE_MATCH,
+    DetectAppLayerInspectEngineRegister2("dns_response",
+            ALPROTO_DNS, SIG_FLAG_TOCLIENT,
            DetectEngineInspectDnsResponse);
+
+    DetectBufferTypeSetDescriptionByName("dns_request",
+            "dns requests");
+    DetectBufferTypeSetDescriptionByName("dns_response",
+            "dns responses");
 }


@ -108,12 +118,14 @@ void DetectDnsQueryRegister (void)

 static int DetectDnsQuerySetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
-    s->init_data->list = DETECT_SM_LIST_DNSQUERYNAME_MATCH;
+    s->init_data->list = g_dns_query_buffer_id;
    s->alproto = ALPROTO_DNS;
    return 0;
 }

 #ifdef UNITTESTS
+#include "detect-isdataat.h"
+
 /** \test simple google.com query matching */
 static int DetectDnsQueryTest01(void)
 {
@ -1159,6 +1171,31 @@ end:
    return result;
 }

+static int DetectDnsQueryIsdataatParseTest(void)
+{
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    FAIL_IF_NULL(de_ctx);
+    de_ctx->flags |= DE_QUIET;
+
+    Signature *s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any ("
+            "dns_query; content:\"one\"; "
+            "isdataat:!4,relative; sid:1;)");
+    FAIL_IF_NULL(s);
+
+    SigMatch *sm = s->init_data->smlists_tail[g_dns_query_buffer_id];
+    FAIL_IF_NULL(sm);
+    FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+    DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+    FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+    FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+    FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+    DetectEngineCtxFree(de_ctx);
+    PASS;
+}
+
 #endif

 static void DetectDnsQueryRegisterTests(void)
@ -1174,5 +1211,8 @@ static void DetectDnsQueryRegisterTests(void)
    UtRegisterTest("DetectDnsQueryTest06 -- pcre", DetectDnsQueryTest06);
    UtRegisterTest("DetectDnsQueryTest07 -- app layer event",
                   DetectDnsQueryTest07);
+
+    UtRegisterTest("DetectDnsQueryIsdataatParseTest",
+            DetectDnsQueryIsdataatParseTest);
 #endif
 }
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@ -446,8 +446,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
        fprintf(rule_engine_analysis_FD, "%s",
                payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream");
    }
-    else if (list_type == DETECT_SM_LIST_DNSQUERYNAME_MATCH)
-        fprintf(rule_engine_analysis_FD, "dns query name content");
    else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
        fprintf(rule_engine_analysis_FD, "tls sni extension content");
    else if (list_type == DETECT_SM_LIST_TLSISSUER_MATCH)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -2811,13 +2811,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
        case DETECT_SM_LIST_FILEMATCH:
            return "file";

-        case DETECT_SM_LIST_DNSQUERYNAME_MATCH:
-            return "dns query name";
-        case DETECT_SM_LIST_DNSREQUEST_MATCH:
-            return "dns request";
-        case DETECT_SM_LIST_DNSRESPONSE_MATCH:
-            return "dns response";
-
        case DETECT_SM_LIST_TLSSNI_MATCH:
            return "tls sni extension";
        case DETECT_SM_LIST_TLSISSUER_MATCH:
--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@ -516,56 +516,6 @@ int DetectIsdataatTestParse06(void)
    return result;
 }

-/**
- *  \test dns_query with isdataat relative to it
- */
-static int DetectIsdataatTestParse16(void)
-{
-    DetectEngineCtx *de_ctx = NULL;
-    int result = 0;
-    Signature *s = NULL;
-    DetectIsdataatData *data = NULL;
-
-    de_ctx = DetectEngineCtxInit();
-    if (de_ctx == NULL)
-        goto end;
-
-    de_ctx->flags |= DE_QUIET;
-    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
-                               "(msg:\"Testing dns_query and isdataat\"; "
-                               "dns_query; isdataat:!4,relative; sid:1;)");
-    if (de_ctx->sig_list == NULL) {
-        printf("sig parse: ");
-        goto end;
-    }
-
-    s = de_ctx->sig_list;
-    if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH] == NULL) {
-        printf("dns_query list empty: ");
-        goto end;
-    }
-
-    if (s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH]->type != DETECT_ISDATAAT) {
-        printf("last dns_query body sm not isdataat: ");
-        goto end;
-    }
-
-    data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_DNSQUERYNAME_MATCH]->ctx;
-    if ( !(data->flags & ISDATAAT_RELATIVE) ||
-         (data->flags & ISDATAAT_RAWBYTES) ||
-         !(data->flags & ISDATAAT_NEGATED) ) {
-        goto end;
-    }
-
-    result = 1;
- end:
-    SigGroupCleanup(de_ctx);
-    SigCleanSignatures(de_ctx);
-    DetectEngineCtxFree(de_ctx);
-
-    return result;
-}
-
 /**
 * \test DetectIsdataatTestPacket01 is a test to check matches of
 * isdataat, and isdataat relative
@ -684,7 +634,6 @@ void DetectIsdataatRegisterTests(void)
    UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04);
    UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05);
    UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06);
-    UtRegisterTest("DetectIsdataatTestParse16", DetectIsdataatTestParse16);

    UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
    UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@ -1023,11 +1023,14 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
        }
    } else if (lua->alproto == ALPROTO_DNS) {
        if (lua->flags & DATATYPE_DNS_RRNAME) {
-            SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSQUERYNAME_MATCH);
+            int list = DetectBufferTypeGetByName("dns_query");
+            SigMatchAppendSMToList(s, sm, list);
        } else if (lua->flags & DATATYPE_DNS_REQUEST) {
-            SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSREQUEST_MATCH);
+            int list = DetectBufferTypeGetByName("dns_request");
+            SigMatchAppendSMToList(s, sm, list);
        } else if (lua->flags & DATATYPE_DNS_RESPONSE) {
-            SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSRESPONSE_MATCH);
+            int list = DetectBufferTypeGetByName("dns_response");
+            SigMatchAppendSMToList(s, sm, list);
        }
    } else if (lua->alproto == ALPROTO_TLS) {
        SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -146,9 +146,6 @@ const char *DetectListToHumanString(int list)
        CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
        CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
        CASE_CODE_STRING(DETECT_SM_LIST_FILEMATCH, "file");
-        CASE_CODE_STRING(DETECT_SM_LIST_DNSREQUEST_MATCH, "dns_request");
-        CASE_CODE_STRING(DETECT_SM_LIST_DNSRESPONSE_MATCH, "dns_response");
-        CASE_CODE_STRING(DETECT_SM_LIST_DNSQUERYNAME_MATCH, "dns_query");
        CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni");
        CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer");
        CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject");
@ -176,9 +173,6 @@ const char *DetectListToString(int list)
        CASE_CODE(DETECT_SM_LIST_DMATCH);
        CASE_CODE(DETECT_SM_LIST_TMATCH);
        CASE_CODE(DETECT_SM_LIST_FILEMATCH);
-        CASE_CODE(DETECT_SM_LIST_DNSREQUEST_MATCH);
-        CASE_CODE(DETECT_SM_LIST_DNSRESPONSE_MATCH);
-        CASE_CODE(DETECT_SM_LIST_DNSQUERYNAME_MATCH);
        CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH);
        CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH);
        CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH);
--- a/src/detect.h
+++ b/src/detect.h
@ -120,10 +120,6 @@ enum DetectSigmatchListEnum {

    DETECT_SM_LIST_FILEMATCH,

-    DETECT_SM_LIST_DNSREQUEST_MATCH,    /**< per DNS query tx match list */
-    DETECT_SM_LIST_DNSRESPONSE_MATCH,   /**< per DNS response tx match list */
-    DETECT_SM_LIST_DNSQUERYNAME_MATCH,  /**< per query in a tx list */
-
    DETECT_SM_LIST_TLSSNI_MATCH,
    DETECT_SM_LIST_TLSISSUER_MATCH,
    DETECT_SM_LIST_TLSSUBJECT_MATCH,