Commit Graph

6 Commits (6f00ba06599f665c0693ca95e41a90bd3fb3e02a)

Author SHA1 Message Date
Andreas Herz 2aad2d605d rules: add missing classtypes for event.rules 9 years ago
Jason Ish b9ba792279 dns-events: fix direction of malformed events + typo 9 years ago
Victor Julien df10559d80 dns: fix message of decoder rule 2240008
The message now reflects that the rule matches on:
    app-layer-event:dns.state_memcap_reached;
12 years ago
Victor Julien 657b83d238 dns: add event for when memcap is reached
Raise event if state-memcap is reached for a flow.
12 years ago
Victor Julien 61cdd9be6b dns: detect case of request flooding
In the case where DNS requests are sent over the same flow w/o a
reply being received, we now set an event in the flow and refuse
to add more transactions to the state. This protects the DNS
handling from getting overloaded slowing down everything.

A new option to configure this behaviour was added:

app-layer:
  protocols:
    dnsudp:
       enabled: yes
       detection-ports:
         udp:
           toserver: 53
       request-flood: 750

The request-flood parameter can be 0 (disabling this feature) or a
positive integer. It defaults to 500.

This means that if 500 unreplied requests are seen in a row an event
is set. Rule 2240007 was added to dns-events.rules to match on this.
12 years ago
Victor Julien 6229bfab5e DNS: rename dns.rules to dns-events.rules, include it in yaml 12 years ago