dns: new keywords: dns.answer.name, dns.query.name - v5 #9813
Conversation
The old DetectAppLayerMpmRegister has not been around since 4.1.x. Rename the v2 of this function to a versionless function as there is no documentation referring to what the 2 means.
…ngine Rename DetectAppLayerInspectEngine2 to DetectAppLayerInspectEngine as there is no other variant of this function, and the versioning with lack of supporting documentation can lead to confusion.
Version 1 of the API no longer exists.
DNS request and response messages follow the same format so there is no reason not to use the same data structure for each. While its unlikely to see fields like answers in a request, the message format does not disallow them, so it might be interesting data to have the ability to log.
This sticky buffer will allow content matching on the answer names. While ansers typically only occur in DNS responses, we allow the buffer to be used in request context as well as the request message format allows it. Feature: OISF#6496
This buffer is much like dns.query_name but allows for detection in both directions. Feature: OISF#6497
SCDnsTxGetQueryName was introduced to allow for getting the query name in responses as well as requests, so covers the functionality of rs_dns_tx_get_query_name.
With some other minor cleanups in the DNS keyword section.
|
Open question: Should |
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9813 +/- ##
=======================================
Coverage 82.37% 82.37%
=======================================
Files 968 970 +2
Lines 273866 273927 +61
=======================================
+ Hits 225585 225640 +55
- Misses 48281 48287 +6
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 16565 |
|
Why did you put the doc in a separate commit ? |
See also #9871 especially commit detect: helper to have pure rust keywords |
| return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; | ||
| } | ||
|
|
||
| typedef struct PrefilterMpm { |
There was a problem hiding this comment.
This generic struct is already defined somewhere, is it not ?
There was a problem hiding this comment.
In many detect, but no where for generic re-use that I can see? Might be good to make it more formal in your helpers?
There was a problem hiding this comment.
Will you this as part of this PR ?
Otherwise, I can take care of it
There was a problem hiding this comment.
I think its out of scope for this PR. Make sense in the helper work you are doing tho.
There was a problem hiding this comment.
This is the same buffer, but different directions, right ? (we have http.request_header and http.response_header as something to compare with) |
Its our standard practice, or at least once was to not mix code and docs commits. |
Yeah, I'm actually waiting on that before I re-work the templates. |
I guess I'd asky why? When |
I did not know it and I squashed them together... |
For HTTP headers, it makes sense for bidirectional rules, you will want to match certain headers in the request part, and some others in the response. Not sure if it would make sense for DNS queries... |
Here we go: Point 5 at https://docs.suricata.io/en/latest/devguide/codebase/contributing/code-submission-process.html |
I don't think it makes sense for DNS as it does for HTTP. DNS has one transaction for the request and one for the response. So you don't have the ability to look at the request and the response in one TX. |
|
Continued at #9920. |
Introduce two new DNS keywords, dns.query.name and dns.answer.name.
Tickets:
SV_BRANCH=OISF/suricata-verify#1464
While this introduces 2 new keywords, I'm also trying to create a good example
of a sticky buffer keyword, and then migrate that into the template, so please
consider the full structure of the files implementing the sticky buffers.
I probably should have left out the "cleanups", can do in a subsequent PR.
Previous PR: #9795
Changes from last PR: