dns: new keywords: dns.answer.name, dns.query.name - v6 #9920
Conversation
The old DetectAppLayerMpmRegister has not been around since 4.1.x. Rename the v2 of this function to a versionless function as there is no documentation referring to what the 2 means.
Rename DetectAppLayerInspectEngineRegister2 to DetectAppLayerInspectEngineRegister as there is no other variant of this function, and the versioning with lack of supporting documentation can lead to confusion.
Version 1 of the API no longer exists.
DNS request and response messages follow the same format so there is no reason not to use the same data structure for each. While it's unlikely to see fields like answers in a request, the message format does not disallow them, so it might be interesting data to have the ability to log.
This sticky buffer will allow content matching on the answer names. While answers typically only occur in DNS responses, we allow the buffer to be used in request context as well as the request message format allows it. Feature: OISF#6496
This buffer is much like dns.query_name but allows for detection in both directions. Feature: OISF#6497
SCDnsTxGetQueryName was introduced to allow for getting the query name in responses as well as requests, so covers the functionality of rs_dns_tx_get_query_name.
With some other minor cleanups in the DNS keyword section.
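The commit messages above rest on one observation: a DNS request and a DNS response share a single wire format, so the same parser can pull query names and answer names out of either direction, and a sticky buffer such as dns.answer.name can legitimately be offered in request context. The following is an added example written for this thread, not Suricata's own code (Suricata's parser lives in its Rust DNS module): a minimal RFC 1035 message parser that extracts both name sets from any message, plus a small helper that emulates a content match against the dns.query.name or dns.answer.name buffer. The two sample messages are constructed inline.

```python
"""Added example: parse DNS wire-format messages and extract question and
answer names from either a request or a response (not Suricata code)."""
import struct


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) DNS name starting at `offset`.

    Returns (name, offset_after_name). Compression pointers (RFC 1035 4.1.4)
    are followed; a hop counter rejects pointer loops in malformed input.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name occupies only the 2-byte pointer
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_message(msg: bytes) -> dict:
    """Return header info plus the names in the question and answer sections.

    One routine serves requests (QR=0) and responses (QR=1): the layout is
    identical, only the section counts differ.
    """
    if len(msg) < 12:
        raise ValueError("short DNS header")
    tx_id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    offset = 12
    query_names = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
        query_names.append(name)
    answer_names = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) followed by RDATA
        _t, _c, _ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
        offset += 10 + rdlength
        answer_names.append(name)
    return {"id": tx_id, "is_response": bool(flags & 0x8000),
            "query_names": query_names, "answer_names": answer_names}


def sticky_buffer_match(msg: bytes, buffer: str, content: bytes) -> bool:
    """Emulate a content match on the dns.query.name / dns.answer.name buffer:
    true if any name in the chosen section contains `content`. Works in both
    directions, as the keywords in this PR allow."""
    parsed = parse_message(msg)
    key = "query_names" if buffer == "dns.query.name" else "answer_names"
    return any(content in name.encode("ascii") for name in parsed[key])


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed labels (helper for the samples)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".")) + b"\x00"


# Constructed sample: a request (QR=0) with one question for www.example.com.
REQUEST = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
           + encode_name("www.example.com") + struct.pack("!HH", 1, 1))

# Constructed sample: the matching response (QR=1) with one A record whose
# owner name is a compression pointer (0xC00C) back to the question name.
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
            + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    for label, msg in (("request", REQUEST), ("response", RESPONSE)):
        print(label, parse_message(msg))
```

Because `parse_message` never looks at the QR bit when walking the sections, an answer record inside a request (which the format permits) would be surfaced in `answer_names` exactly as in a response, which is the behaviour the dns.answer.name buffer relies on.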
Codecov Report
@@            Coverage Diff             @@
##           master    #9920      +/-   ##
==========================================
- Coverage   82.35%   82.30%   -0.05%
==========================================
  Files         972      974       +2
  Lines      273060   273121      +61
==========================================
- Hits       224870   224789      -81
- Misses      48190    48332     +142

Flags with carried forward coverage won't be shown.
WARNING: Pipeline 16796
Ping @victorjulien, we need a good clean example/template for Outreachy.
Doesn't compile after rebase.
Needs to be updated to compile after rebase.
Fixed: #10045
Previous PR: #9813
Changes from last PR:
Introduce two new DNS keywords, dns.query.name and dns.answer.name.
Tickets:
SV_BRANCH=OISF/suricata-verify#1464
While this introduces 2 new keywords, I'm also trying to create a good example of a sticky buffer keyword, and then migrate that into the template, so please consider the full structure of the files implementing the sticky buffers.
I probably should have left out the "cleanups", can do in a subsequent PR.