suricata
detect-dns-name.c
Go to the documentation of this file.
1 /* Copyright (C) 2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * Detect keyword for DNS rrnames:
22  * - dns.queries.rrname
23  * - dns.answers.rrname
24  * - dns.authorities.name
25  * - dns.additionals.name
26  */
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-buffer.h"
32 #include "detect-engine-content-inspection.h"
33 #include "detect-engine-helper.h"
34 #include "detect-dns-name.h"
35 #include "rust.h"
36 
37 enum DnsSection {
38  DNS_QUERY = 0,
39  DNS_ANSWER,
40  DNS_AUTHORITY,
41  DNS_ADDITIONAL,
42 };
43 
44 static int query_buffer_id = 0;
45 static int answer_buffer_id = 0;
46 static int authority_buffer_id = 0;
47 static int additional_buffer_id = 0;
48 
49 static int mdns_query_buffer_id = 0;
50 static int mdns_answer_buffer_id = 0;
51 static int mdns_authority_buffer_id = 0;
52 static int mdns_additional_buffer_id = 0;
53 
54 static int DetectSetupDNS(DetectEngineCtx *de_ctx, Signature *s, const char *str, int id)
55 {
56  if (SCDetectBufferSetActiveList(de_ctx, s, id) < 0) {
57  return -1;
58  }
59  if (SCDetectSignatureSetAppProto(s, ALPROTO_DNS) < 0) {
60  return -1;
61  }
62 
63  return 0;
64 }
65 
66 static int DetectSetupMDNS(DetectEngineCtx *de_ctx, Signature *s, const char *str, int id)
67 {
68  if (SCDetectBufferSetActiveList(de_ctx, s, id) < 0) {
69  return -1;
70  }
71  if (SCDetectSignatureSetAppProto(s, ALPROTO_MDNS) < 0) {
72  return -1;
73  }
74 
75  return 0;
76 }
77 
78 static int SetupQueryBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
79 {
80  return DetectSetupDNS(de_ctx, s, str, query_buffer_id);
81 }
82 
83 static int SetupAnswerBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
84 {
85  return DetectSetupDNS(de_ctx, s, str, answer_buffer_id);
86 }
87 
88 static int SetupAdditionalsBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
89 {
90  return DetectSetupDNS(de_ctx, s, str, additional_buffer_id);
91 }
92 
93 static int SetupAuthoritiesBuffer(DetectEngineCtx *de_ctx, Signature *s, const char *str)
94 {
95  return DetectSetupDNS(de_ctx, s, str, authority_buffer_id);
96 }
97 
98 static int SetupQueryBufferMdns(DetectEngineCtx *de_ctx, Signature *s, const char *str)
99 {
100  return DetectSetupMDNS(de_ctx, s, str, mdns_query_buffer_id);
101 }
102 
103 static int SetupAnswerBufferMdns(DetectEngineCtx *de_ctx, Signature *s, const char *str)
104 {
105  return DetectSetupMDNS(de_ctx, s, str, mdns_answer_buffer_id);
106 }
107 
108 static int SetupAdditionalsBufferMdns(DetectEngineCtx *de_ctx, Signature *s, const char *str)
109 {
110  return DetectSetupMDNS(de_ctx, s, str, mdns_additional_buffer_id);
111 }
112 
113 static int SetupAuthoritiesBufferMdns(DetectEngineCtx *de_ctx, Signature *s, const char *str)
114 {
115  return DetectSetupMDNS(de_ctx, s, str, mdns_authority_buffer_id);
116 }
117 
118 static int Register(const char *keyword, const char *desc, const char *doc,
119  int (*Setup)(DetectEngineCtx *, Signature *, const char *),
120  InspectionMultiBufferGetDataPtr GetBufferFn, AppProto alproto)
121 {
122  int keyword_id = SCDetectHelperNewKeywordId();
123  sigmatch_table[keyword_id].name = keyword;
124  sigmatch_table[keyword_id].desc = desc;
125  sigmatch_table[keyword_id].url = doc;
126  sigmatch_table[keyword_id].Setup = Setup;
127  sigmatch_table[keyword_id].flags |= SIGMATCH_NOOPT;
128  sigmatch_table[keyword_id].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_INFO_MULTI_BUFFER;
129 
130  DetectAppLayerMultiRegister(keyword, alproto, SIG_FLAG_TOSERVER, 1, GetBufferFn, 2);
131  DetectAppLayerMultiRegister(keyword, alproto, SIG_FLAG_TOCLIENT, 1, GetBufferFn, 2);
132 
133  DetectBufferTypeSetDescriptionByName(keyword, keyword);
134  DetectBufferTypeSupportsMultiInstance(keyword);
135 
136  return DetectBufferTypeGetByName(keyword);
137 }
138 
139 void DetectDnsNameRegister(void)
140 {
141  query_buffer_id = Register("dns.queries.rrname", "DNS query rrname sticky buffer",
142  "/rules/dns-keywords.html#dns-queries-rrname", SetupQueryBuffer, SCDnsTxGetQueryName,
143  ALPROTO_DNS);
144  answer_buffer_id = Register("dns.answers.rrname", "DNS answer rrname sticky buffer",
145  "/rules/dns-keywords.html#dns-answers-rrname", SetupAnswerBuffer, SCDnsTxGetAnswerName,
146  ALPROTO_DNS);
147  additional_buffer_id =
148  Register("dns.additionals.rrname", "DNS additionals rrname sticky buffer",
149  "/rules/dns-keywords.html#dns-additionals-rrname", SetupAdditionalsBuffer,
150  SCDnsTxGetAdditionalName, ALPROTO_DNS);
151  authority_buffer_id = Register("dns.authorities.rrname", "DNS authorities rrname sticky buffer",
152  "/rules/dns-keywords.html#dns-authorities-rrname", SetupAuthoritiesBuffer,
153  SCDnsTxGetAuthorityName, ALPROTO_DNS);
154 
155  mdns_query_buffer_id = Register("mdns.queries.rrname", "mDNS query rrname sticky buffer",
156  "/rules/mdns-keywords.html#mdns-queries-rrname", SetupQueryBufferMdns,
157  SCDnsTxGetQueryName, ALPROTO_MDNS);
158  mdns_answer_buffer_id = Register("mdns.answers.rrname", "mDNS answer rrname sticky buffer",
159  "/rules/mdns-keywords.html#mdns-answers-rrname", SetupAnswerBufferMdns,
160  SCMdnsTxGetAnswerName, ALPROTO_MDNS);
161  mdns_additional_buffer_id =
162  Register("mdns.additionals.rrname", "mDNS additionals rrname sticky buffer",
163  "/rules/mdns-keywords.html#mdns-additionals-rrname", SetupAdditionalsBufferMdns,
164  SCDnsTxGetAdditionalName, ALPROTO_MDNS);
165  mdns_authority_buffer_id =
166  Register("mdns.authorities.rrname", "mDNS authorities rrname sticky buffer",
167  "/rules/mdns-keywords.html#mdns-authorities-rrname", SetupAuthoritiesBufferMdns,
168  SCDnsTxGetAuthorityName, ALPROTO_MDNS);
169 }
DNS_ANSWER
@ DNS_ANSWER
Definition: detect-dns-name.c:39
SigTableElmt_::url
const char * url
Definition: detect.h:1471
detect-engine.h
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect-engine-register.h:306
SigTableElmt_::desc
const char * desc
Definition: detect.h:1470
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SCDetectHelperNewKeywordId
int SCDetectHelperNewKeywordId(void)
Definition: detect-engine-helper.c:125
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
SigTableElmt_::name
const char * name
Definition: detect.h:1468
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1459
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:86
DNS_AUTHORITY
@ DNS_AUTHORITY
Definition: detect-dns-name.c:40
DnsSection
DnsSection
Definition: detect-dns-name.c:37
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:937
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1228
rust.h
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
detect-dns-name.h
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2234
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1450
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
SIGMATCH_INFO_MULTI_BUFFER
#define SIGMATCH_INFO_MULTI_BUFFER
Definition: detect-engine-register.h:338
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
detect.h
DetectDnsNameRegister
void DetectDnsNameRegister(void)
Definition: detect-dns-name.c:139
detect-engine-helper.h
InspectionMultiBufferGetDataPtr
bool(* InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len)
Definition: detect-engine-helper.h:42
detect-engine-content-inspection.h
DNS_QUERY
@ DNS_QUERY
Definition: detect-dns-name.c:38
detect-engine-buffer.h
str
#define str(s)
Definition: suricata-common.h:308
ALPROTO_MDNS
@ ALPROTO_MDNS
Definition: app-layer-protos.h:72
detect-parse.h
Signature_
Signature container.
Definition: detect.h:672
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect-engine-register.h:328
DNS_ADDITIONAL
@ DNS_ADDITIONAL
Definition: detect-dns-name.c:41
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1375
DetectAppLayerMultiRegister
void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority)
Definition: detect-engine.c:2099