dns: new keywords: dns.answer.name, dns.query.name - v6 #9920
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The old DetectAppLayerMpmRegister has not been around since 4.1.x. Rename the v2 of this function to a versionless function as there is no documentation referring to what the 2 means.
Rename DetectAppLayerInspectEngineRegister2 to DetectAppLayerInspectEngineRegister as there is no other variant of this function, and the versioning with lack of supporting documentation can lead to confusion.
Version 1 of the API no longer exists.
DNS request and response messages follow the same format so there is no reason not to use the same data structure for each. While its unlikely to see fields like answers in a request, the message format does not disallow them, so it might be interesting data to have the ability to log.
This sticky buffer will allow content matching on the answer names. While ansers typically only occur in DNS responses, we allow the buffer to be used in request context as well as the request message format allows it. Feature: OISF#6496
This buffer is much like dns.query_name but allows for detection in both directions. Feature: OISF#6497
SCDnsTxGetQueryName was introduced to allow for getting the query name in responses as well as requests, so covers the functionality of rs_dns_tx_get_query_name.
With some other minor cleanups in the DNS keyword section.
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9920 +/- ##
==========================================
- Coverage 82.35% 82.30% -0.05%
==========================================
Files 972 974 +2
Lines 273060 273121 +61
==========================================
- Hits 224870 224789 -81
- Misses 48190 48332 +142
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
WARNING:
Pipeline 16796 |
|
Ping @victorjulien, we need a good clean example/template for Outreachy. |
victorjulien
approved these changes
Dec 13, 2023
|
Doesn't compile after rebase. |
victorjulien
requested changes
Dec 13, 2023
|
Fixed: #10045 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previous PR: #9813
Changes from last PR:
Introduce two new DNS keywords, dns.query.name and dns.answer.name.
Tickets:
SV_BRANCH=OISF/suricata-verify#1464
While this introduces 2 new keywords, I'm also trying to create a good example
of a sticky buffer keyword, and then migrate that into the template, so please
consider the full structure of the files implementing the sticky buffers.
I probably should have left out the "cleanups", can do in a subsequent PR.