wip: dns: dns.response.answer.name keyword

jasonish · Oct 25, 2023 · f44b5c3 · f44b5c3
1 parent 0e53b50
commit f44b5c3
Show file tree

Hide file tree

Showing 6 changed files with 161 additions and 0 deletions.
diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
@@ -881,6 +881,23 @@ pub unsafe extern "C" fn rs_dns_tx_get_query_name(
     return 0;
 }
 
+#[no_mangle]
+pub unsafe extern "C" fn SCDnsTxGetAnswerName(
+    tx: &mut DNSTransaction, i: u32, buf: *mut *const u8, len: *mut u32) -> bool {
+    let index = i as usize;
+    if let Some(response) = &tx.response {
+	if index < response.answers.len() {
+	    let answer = &response.answers[index];
+	    if !answer.name.is_empty() {
+		*buf = answer.name.as_ptr();
+		*len = answer.name.len() as u32;
+		return true;
+	    }
+	}
+    }
+    false
+}
+
 /// Get the DNS transaction ID of a transaction.
 //
 /// extern uint16_t rs_dns_tx_get_tx_id(RSDNSTransaction *);

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -121,6 +121,7 @@ noinst_HEADERS = \
 	detect-detection-filter.h \
 	detect-distance.h \
 	detect-dnp3.h \
+	detect-dns-answer-name.h \
 	detect-dns-opcode.h \
 	detect-dns-query.h \
 	detect-dsize.h \
@@ -732,6 +733,7 @@ libsuricata_c_a_SOURCES = \
 	detect-detection-filter.c \
 	detect-distance.c \
 	detect-dnp3.c \
+	detect-dns-answer-name.c \
 	detect-dns-opcode.c \
 	detect-dns-query.c \
 	detect-dsize.c \

diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c
@@ -0,0 +1,110 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * Detect keyword for DNS answer rdata: dns.answer.rdata
+ */
+
+#include "suricata-common.h"
+#include "conf.h"
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-content-inspection.h"
+#include "detect-dns-answer-name.h"
+#include "app-layer-parser.h"
+#include "detect-engine-build.h"
+#include "rust.h"
+
+static int DetectDnsResponseAnswerNameSetup(DetectEngineCtx *, Signature *, const char *);
+static uint8_t DetectEngineInspectDnsResponseAnswerName(DetectEngineCtx *de_ctx,
+        DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
+        const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
+#ifdef UNITTESTS
+static void DetectDnsAnswerNameRegisterTests(void);
+#endif
+static int g_dns_response_answer_name_id = 0;
+
+void DetectDnsAnswerNameRegister(void)
+{
+    static const char *keyword = "dns.answer.name";
+    sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].name = keyword;
+    sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].desc = "DNS answer name sticky buffer";
+    sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].Setup = DetectDnsResponseAnswerNameSetup;
+#ifdef UNITTESTS
+    sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].RegisterTests = DetectDnsAnswerNameRegisterTests;
+#endif
+    sigmatch_table[DETECT_AL_DNS_RESPONSE_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
+
+    /* register inspect engines */
+    DetectAppLayerInspectEngineRegister(
+            keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectDnsResponseAnswerName, NULL);
+
+    g_dns_response_answer_name_id = DetectBufferTypeGetByName(keyword);
+}
+
+static int DetectDnsResponseAnswerNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
+{
+    s->init_data->list = g_dns_response_answer_name_id;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_DNS) != 0)
+        return -1;
+
+    return 0;
+}
+
+static uint8_t DetectEngineInspectDnsResponseAnswerName(DetectEngineCtx *de_ctx,
+        DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
+        const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
+{
+    uint8_t ret = 0;
+    const uint8_t *data = NULL;
+    uint32_t data_len = 0;
+
+    for (uint32_t i = 0;; i++) {
+        if (!SCDnsTxGetAnswerName(txv, i, &data, &data_len)) {
+            break;
+        }
+        ret = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
+                DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+    }
+
+    SCLogNotice("Returning %d.", ret);
+    return ret;
+}
+
+#ifdef UNITTESTS
+
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+#include "flow-util.h"
+#include "stream-tcp.h"
+#include "detect-engine-alert.h"
+
+static int DetectDnsResponseAnswerNameTest(void)
+{
+    PASS;
+}
+
+static void DetectDnsAnswerNameRegisterTests(void)
+{
+    UtRegisterTest("DetectDnsResponseAnswerNameTest", DetectDnsResponseAnswerNameTest);
+}
+#endif /* UNITTESTS */
diff --git a/src/detect-dns-answer-name.h b/src/detect-dns-answer-name.h
@@ -0,0 +1,29 @@
+/* Copyright (C) 2023 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author FirstName LastName <yourname@domain>
+ */
+
+#ifndef __DETECT_DNS_ANSWER_RDATA_H__
+#define __DETECT_DNS_ANSWER_RDATA_H__
+
+void DetectDnsAnswerNameRegister(void);
+
+#endif /* __DETECT_DNS_ANSWER_RDATA_H__ */
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
@@ -47,6 +47,7 @@
 #include "detect-engine-dcepayload.h"
 #include "detect-dns-opcode.h"
 #include "detect-dns-query.h"
+#include "detect-dns-answer-name.h"
 #include "detect-tls-sni.h"
 #include "detect-tls-certs.h"
 #include "detect-tls-cert-fingerprint.h"
@@ -511,6 +512,7 @@ void SigTableSetup(void)
 
     DetectDnsQueryRegister();
     DetectDnsOpcodeRegister();
+    DetectDnsAnswerNameRegister();
     DetectModbusRegister();
     DetectCipServiceRegister();
     DetectEnipCommandRegister();

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
@@ -223,6 +223,7 @@ enum DetectKeywordId {
 
     DETECT_AL_DNS_QUERY,
     DETECT_AL_DNS_OPCODE,
+    DETECT_AL_DNS_RESPONSE_ANSWER_NAME,
     DETECT_AL_TLS_SNI,
     DETECT_AL_TLS_CERTS,
     DETECT_AL_TLS_CERT_ISSUER,