dns: add dns.rcode keyword v3 #10126
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #10126 +/- ##
==========================================
- Coverage 82.22% 82.16% -0.07%
==========================================
Files 974 975 +1
Lines 271925 272069 +144
==========================================
- Hits 223595 223539 -56
- Misses 48330 48530 +200
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
|
||
| if (SigMatchAppendSMToList( | ||
| de_ctx, s, DETECT_AL_DNS_RCODE, (SigMatchCtx *)detect, dns_rcode_list_id) == NULL) { | ||
| goto error; |
There was a problem hiding this comment.
minor: since we have only one error path after detect was allocated, we can call DetectDnsRcodeFree and return here, instead of using a goto.
| SCEnter(); | ||
|
|
||
| if (DetectSignatureSetAppProto(s, ALPROTO_DNS) != 0) { | ||
| return -1; |
There was a problem hiding this comment.
nit: SCReturnInt(-1);
currently use of the macro is inconsistent in this function
|
Looks like SV PR was not used by CI |
|
@jasonish the SV test shows that we need https://redmine.openinfosecfoundation.org/issues/6281 to be fixed ;-) |
| @@ -26,6 +26,12 @@ pub struct DetectDnsOpcode { | |||
| opcode: u8, | |||
| } | |||
|
|
|||
| #[derive(Debug, PartialEq, Eq)] | |||
| pub struct DetectDnsRcode { | |||
There was a problem hiding this comment.
We should reuse DetectUintData<u8> cf #10087 (comment)
There was a problem hiding this comment.
It was suggested here #10087 (comment) that I can use simple u8 till the code is in working condition. I can change it to DetectUintData<u8> in the next PR I create.
| sigmatch_table[DETECT_AL_DNS_RCODE].Match = NULL; | ||
| sigmatch_table[DETECT_AL_DNS_RCODE].AppLayerTxMatch = DetectDnsRcodeMatch; | ||
|
|
||
| DetectAppLayerInspectEngineRegister( |
There was a problem hiding this comment.
Should remove this line with SIG_FLAG_TOSERVER because dns.rcode is only to client
There was a problem hiding this comment.
will do, thanks!
There was a problem hiding this comment.
I'd keep it. While answers should only be seen in the to client direction as well, we do allow detection on them in the to server direction as they are allowed by the message format.
Likewise, the rcode field is also there in the to server direction, and at some point may be of interest to detect on in that direction.
There was a problem hiding this comment.
Likewise, the rcode field is also there in the to server direction
Wireshark does not show it :-/
There was a problem hiding this comment.
Not in the break down, no, but the bits are still there. I agree its somewhat non-sensical, but Suricata is here to find the non-sensical.
Note: The major DNS servers don't seem to care if an rcode is set on a request.
There was a problem hiding this comment.
Makes sense.
By the way, the pcap in SV test seems to have an extended rcode cf dns.resp.ext_rcode == 0x00 Wireshark filter
I don't think so. We should update the schema definition to match the real schema. Changing the output is a different task with possible breaking changes. Something simple like this should get us by for the scope of this PR? diff --git a/etc/schema.json b/etc/schema.json
index 0756acd008..f6321a1179 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -1156,7 +1156,10 @@
"opcode": {
"description": "DNS opcode as an integer",
"type": "integer"
- }
+ },
+ "authorities": {
+ "type": "array"
+ }
},
"additionalProperties": false
}, |
|
New PR: #10150 |
Feature #6621
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6621
Previous PR: #10097
Describe changes:
SV_BRANCH=OISF/suricata-verify#1574