dns: add dns.rcode keyword v1 #10087
Conversation
hadiqaalamdar
requested review from
jasonish and
victorjulien
as code owners
| @@ -189,3 +263,43 @@ mod test { | |||
| )); | |||
| } | |||
| } | |||
|
|
|||
| #[cfg(test)] | |||
| mod test { | |||
There was a problem hiding this comment.
You can put your tests in the existing test block, in fact this will fail to compile. From the rust/ directory you can do cargo test or make check to run the tests before CI.
There was a problem hiding this comment.
And you will not need tests if you reuse DetectUintData<u16>
| let rcode = ((flags >> 11) & 0xf) as u16; | ||
| detect.rcode == rcode |
There was a problem hiding this comment.
This is looking at the opcode, not the rcode. As the rcode is the last 4 bits we can drop the shift and just mask off the first 12 bits to get our rcode. See pub fn rcode in dns.rs for an example.
There was a problem hiding this comment.
Is it 4 bites or a u16 cf https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6 ?
There was a problem hiding this comment.
Oh seeing the comment Support for OPT RR from RFC6891 will be needed to parse RCODE values over 15
There was a problem hiding this comment.
would it be better if I used something like this instead:
let rcode = (flags & 0x000f) as DetectUintData<u16>;
| &DetectDnsRcode { | ||
| rcode: 4, | ||
| }, | ||
| 0b0010_0000_0000_0000, |
There was a problem hiding this comment.
rcode still be the last 4 bits. So an rcode of 4 will be 0b0000_0000_0000_0100.
There was a problem hiding this comment.
I recommend a few small steps first.
- Fixup so the tests compile locally
- Update tests with the rcode in the correct place in the flags
- Fix the match
- Locally run
cargo clippy --all-featuresand fix any issues found by that
As a side note, all the DNS files are rustfmt clean (not true for all our rust code though), so you can run rustfmt on the DNS files or let your editor do it if you like. No need while in-progress, but will have you do it as it looks more ready to merge.
Thanks!
| @@ -25,6 +25,9 @@ pub struct DetectDnsOpcode { | |||
| negate: bool, | |||
| opcode: u8, | |||
| } | |||
| pub struct DetectDnsRcode { | |||
| rcode: u16, | |||
There was a problem hiding this comment.
You should reuse DetectUintData<u16>
| @@ -53,6 +56,23 @@ fn parse_opcode(opcode: &str) -> Result<DetectDnsOpcode, ()> { | |||
| Err(()) | |||
| } | |||
|
|
|||
| fn parse_rcode(rcode: &str) -> Result<DetectDnsRcode, ()> { | |||
There was a problem hiding this comment.
Reusing DetectUintData<u16> supplies you the parsing function rs_detect_u16_parse
There was a problem hiding this comment.
(and this allows more features, like negation, lesser or greater than, etc...)
There was a problem hiding this comment.
I was wondering if rcode can be negated? Should I add functions and tests to check that as well similar to opcode?
There was a problem hiding this comment.
I think it makes sense to have negation on the rcode. I might want to alert on all non-zero rcodes without listing them all for example.
| @@ -0,0 +1,86 @@ | |||
| /* Copyright (C) 2019 Open Information Security Foundation | |||
|
|
||
| if (SigMatchAppendSMToList( | ||
| de_ctx, s, DETECT_AL_DNS_RCODE, (SigMatchCtx *)detect, dns_rcode_list_id) == NULL) { | ||
| goto error; |
There was a problem hiding this comment.
do not need a label if only used once
| static int DetectDnsRcodeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state, | ||
| void *txv, const Signature *s, const SigMatchCtx *ctx) | ||
| { | ||
| return rs_dns_rcode_match(txv, (void *)ctx, flags); |
There was a problem hiding this comment.
Get the u16 value from the dns tx with a call to a new SCDnsTxGetRcode and then match it DetectU16Match
| void DetectDnsRcodeRegister(void) | ||
| { | ||
| sigmatch_table[DETECT_AL_DNS_RCODE].name = "dns.rcode"; | ||
| sigmatch_table[DETECT_AL_DNS_RCODE].desc = "Match the DNS header rcode flag."; |
There was a problem hiding this comment.
Missing a doc entry, and by the way documentation in doc/userguide/rules/dns-keywords.rst
There was a problem hiding this comment.
And related: the doc addition itself :P
|
Looking good overall. |
|
Is code really u16, or is it u8 ? |
according to this it's supposed to be u16: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6 |
We can safely use u8 here as we only deal with 4 bit rcodes currently. Note to self: do we have to worry about EDNS with extension options for more rcodes? I don't think this has ever come up. |
so should I use the |
I think the end-goal would be to get to |
|
Edited the PR description to remove space before SV PR link, to ensure that our CI would pick the right branch for the tests (cf https://github.com/OISF/suricata/actions/runs/7290609564/job/19867785013#step:9:38) |
| */ | ||
|
|
||
| #include "suricata-common.h" |
There was a problem hiding this comment.
You can also add your info as author, if you want :)
There was a problem hiding this comment.
Ooo that would be cool to see when my branch gets merged. Right now my code is all sorts of messed up lol. I'm relearning bitwise operations from back when I studied them at uni
There was a problem hiding this comment.
💪🏽
Happens a lot, for these things that we don't use much, after learning.
There was a problem hiding this comment.
Hey there, good progress!
In addition to the existing comments, when you're working on the next version of the work, do make sure to check if the errors shown in https://github.com/OISF/suricata/actions/runs/7290609583/job/19867784386?pr=10087#step:12:126 have been addressed :)
To keep track, Is there a ticket to handle more rcodes Jason ? |
I guess that would be EDNS, not specifically rcodes. Is it even a thing that saw use? |
https://redmine.openinfosecfoundation.org/issues/6650 @hadiqaalamdar Please don't concern yourself with these comments. They are way out of scope for the actual work required in this PR. |
|
New PR: #10097 |
Feature #6621
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6621
Describe changes:
SV_BRANCH=OISF/suricata-verify#1563