detect/dns: fix misdetection on dns_query on udp

If 'raw' content patterns were used in a dns_query rule, the raw patterns would only be evaluated for TCP, but not for UDP. This patch adds the inspection for UDP as well. Bug #2263.
OISF · Nov 8, 2017 · 664f826 · 664f826
1 parent 7d032e2
commit 664f826
Showing 1 changed file with 49 additions and 2 deletions.
diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c
@@ -177,6 +177,48 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx,
     SCReturnInt(0);
 }
 
+/**
+ *  \brief Do the content inspection & validation for a sigmatch list
+ *
+ *  \param de_ctx Detection engine context
+ *  \param det_ctx Detection engine thread context
+ *  \param s Signature to inspect
+ *  \param smd array of matches to eval
+ *  \param f flow (for pcre flowvar storage)
+ *  \param p Packet
+ *
+ *  \retval 0 no match
+ *  \retval 1 match
+ */
+static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
+        DetectEngineThreadCtx *det_ctx,
+        const Signature *s, const SigMatchData *smd,
+        Flow *f, Packet *p)
+{
+    SCEnter();
+    int r = 0;
+
+    if (smd == NULL) {
+        SCReturnInt(0);
+    }
+#ifdef DEBUG
+    det_ctx->payload_persig_cnt++;
+    det_ctx->payload_persig_size += p->payload_len;
+#endif
+    det_ctx->buffer_offset = 0;
+    det_ctx->discontinue_matching = 0;
+    det_ctx->inspection_recursion_counter = 0;
+    det_ctx->replist = NULL;
+
+    r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
+            f, p->payload, p->payload_len, 0,
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p);
+    if (r == 1) {
+        SCReturnInt(1);
+    }
+    SCReturnInt(0);
+}
+
 struct StreamContentInspectData {
     DetectEngineCtx *de_ctx;
     DetectEngineThreadCtx *det_ctx;
@@ -282,9 +324,14 @@ int DetectEngineInspectStream(ThreadVars *tv,
     Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
 
     /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
-     * we can get called for UDP. */
-    if (p->proto != IPPROTO_TCP)
+     * we can get called for UDP. Then we simply inspect the packet payload */
+    if (p->proto == IPPROTO_UDP) {
+        return DetectEngineInspectStreamUDPPayload(de_ctx,
+                det_ctx, s, smd, f, p);
+    /* for other non-TCP protocols we assume match */
+    } else if (p->proto != IPPROTO_TCP)
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
+
     TcpSession *ssn = f->protoctx;
     if (ssn == NULL)
         return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;