dns: inspect dns.answer.name in the to server direction

While unlikely to occur, there is no reason a DNS request could not contain answers, at least when it comes to the message format.
jasonish · Nov 15, 2023 · 25e5348 · 25e5348
1 parent c6a9865
commit 25e5348
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 13 deletions.
diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
@@ -881,18 +881,25 @@ pub unsafe extern "C" fn SCDnsTxGetQueryName(
 /// Get the DNS response answer name and index i.
 #[no_mangle]
 pub unsafe extern "C" fn SCDnsTxGetAnswerName(
-    tx: &mut DNSTransaction, i: u32, buf: *mut *const u8, len: *mut u32,
+    tx: &mut DNSTransaction, to_client: bool, i: u32, buf: *mut *const u8, len: *mut u32,
 ) -> bool {
+    let answers = if to_client {
+        tx.response.as_ref().map(|response| &response.answers)
+    } else {
+        tx.request.as_ref().map(|request| &request.answers)
+    };
     let index = i as usize;
-    if let Some(response) = &tx.response {
-        if let Some(name) = response.answers.get(index).map(|answer| &answer.name) {
-            if !name.is_empty() {
-                *buf = name.as_ptr();
-                *len = name.len() as u32;
-                return true;
-            }
-        }
+
+    if let Some(answers) = answers {
+	if let Some(answer) = answers.get(index) {
+	    if !answer.name.is_empty() {
+		*buf = answer.name.as_ptr();
+		*len = answer.name.len() as u32;
+		return true;
+	    }
+	}
     }
+
     false
 }
 

diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c
@@ -80,7 +80,7 @@ static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
     return 0;
 }
 
-static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
+static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, uint8_t flags,
         const DetectEngineTransforms *transforms, void *txv, uint32_t index, int list_id)
 {
     InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, index);
@@ -91,10 +91,11 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
         return buffer;
     }
 
+    bool to_client = (flags & STREAM_TOSERVER) == 0;
     const uint8_t *data = NULL;
     uint32_t data_len = 0;
 
-    if (!SCDnsTxGetAnswerName(txv, index, &data, &data_len)) {
+    if (!SCDnsTxGetAnswerName(txv, to_client, index, &data, &data_len)) {
         InspectionBufferSetupMultiEmpty(buffer);
         return NULL;
     }
@@ -112,7 +113,7 @@ static uint8_t DetectEngineInspectCb(DetectEngineCtx *de_ctx, DetectEngineThread
     }
 
     for (uint32_t i = 0;; i++) {
-        InspectionBuffer *buffer = GetBuffer(det_ctx, transforms, txv, i, engine->sm_list);
+        InspectionBuffer *buffer = GetBuffer(det_ctx, flags, transforms, txv, i, engine->sm_list);
         if (buffer == NULL || buffer->inspect == NULL) {
             break;
         }
@@ -148,7 +149,7 @@ static void PrefilterTx(DetectEngineThreadCtx *det_ctx, const void *pectx, Packe
     const int list_id = ctx->list_id;
 
     for (uint32_t i = 0;; i++) {
-        InspectionBuffer *buffer = GetBuffer(det_ctx, ctx->transforms, txv, i, list_id);
+        InspectionBuffer *buffer = GetBuffer(det_ctx, flags, ctx->transforms, txv, i, list_id);
         if (buffer == NULL) {
             break;
         }