suricata
detect-dns-response.c
Go to the documentation of this file.
1 /* Copyright (C) 2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * Detect keyword for DNS response: dns.response.rrname
22  */
23 
24 #include "detect.h"
25 #include "detect-parse.h"
26 #include "detect-engine.h"
27 #include "detect-engine-buffer.h"
28 #include "detect-engine-mpm.h"
31 #include "detect-engine-helper.h"
32 #include "detect-dns-response.h"
33 #include "util-profiling.h"
34 #include "rust.h"
35 
36 static int detect_buffer_id = 0;
37 static int mdns_detect_buffer_id = 0;
38 
39 typedef struct PrefilterMpm {
40  int list_id;
41  const MpmCtx *mpm_ctx;
44 
50 
51  /* always last */
53 };
54 
56  enum DnsResponseSection response_section; /**< query, answer, authority, additional */
57  uint32_t response_id; /**< index into response resource records */
58  uint32_t local_id; /**< used as index into thread inspect array */
59 };
60 
61 static int DetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
62 {
63  if (SCDetectBufferSetActiveList(de_ctx, s, detect_buffer_id) < 0) {
64  return -1;
65  }
67  return -1;
68  }
69 
70  return 0;
71 }
72 
73 static int MdnsDetectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
74 {
75  if (SCDetectBufferSetActiveList(de_ctx, s, mdns_detect_buffer_id) < 0) {
76  return -1;
77  }
79  return -1;
80  }
81 
82  return 0;
83 }
84 
85 static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, uint8_t flags,
86  const DetectEngineTransforms *transforms, void *txv, struct DnsResponseGetDataArgs *cbdata,
87  int list_id, bool get_rdata)
88 {
89  InspectionBuffer *buffer =
90  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
91  if (buffer == NULL) {
92  return NULL;
93  }
94  if (buffer->initialized) {
95  return buffer;
96  }
97 
98  const uint8_t *data = NULL;
99  uint32_t data_len = 0;
100 
101  if (get_rdata) {
102  /* Get rdata values that are formatted as resource names. */
103  switch (cbdata->response_section) {
104  case DNS_RESPONSE_ANSWER:
105  if (!SCDnsTxGetAnswerRdata(txv, cbdata->response_id, &data, &data_len)) {
107  return NULL;
108  }
109  break;
111  if (!SCDnsTxGetAuthorityRdata(txv, cbdata->response_id, &data, &data_len)) {
113  return NULL;
114  }
115  break;
117  if (!SCDnsTxGetAdditionalRdata(txv, cbdata->response_id, &data, &data_len)) {
119  return NULL;
120  }
121  break;
122  default:
124  return NULL;
125  }
126  } else {
127  /* Get name values. */
128  switch (cbdata->response_section) {
129  case DNS_RESPONSE_QUERY:
130  if (!SCDnsTxGetQueryName(
131  det_ctx, txv, STREAM_TOCLIENT, cbdata->response_id, &data, &data_len)) {
133  return NULL;
134  }
135  break;
136  case DNS_RESPONSE_ANSWER:
137  if (!SCDnsTxGetAnswerName(
138  det_ctx, txv, STREAM_TOCLIENT, cbdata->response_id, &data, &data_len)) {
140  return NULL;
141  }
142  break;
144  if (!SCDnsTxGetAuthorityName(
145  det_ctx, txv, 0, cbdata->response_id, &data, &data_len)) {
147  return NULL;
148  }
149  break;
151  if (!SCDnsTxGetAdditionalName(
152  det_ctx, txv, 0, cbdata->response_id, &data, &data_len)) {
154  return NULL;
155  }
156  break;
157  default:
159  return NULL;
160  }
161  }
162 
163  InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
164  buffer->flags = DETECT_CI_FLAGS_SINGLE;
165  return buffer;
166 }
167 
168 static inline uint8_t CheckSectionRecords(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
169  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
170  uint8_t flags, void *txv, const DetectEngineTransforms *transforms, uint32_t *local_id,
171  enum DnsResponseSection section)
172 {
173  uint32_t response_id = 0;
174 
175  /* loop through each record in DNS response section inspecting "name" and "rdata" */
176  while (1) {
177  struct DnsResponseGetDataArgs cbdata = { section, response_id, *local_id };
178 
179  /* do inspection for resource record "name" */
180  InspectionBuffer *buffer =
181  GetBuffer(det_ctx, flags, transforms, txv, &cbdata, engine->sm_list, false);
182  if (buffer == NULL || buffer->inspect == NULL) {
183  (*local_id)++;
184  break;
185  }
186 
187  if (DetectEngineContentInspectionBuffer(de_ctx, det_ctx, s, engine->smd, NULL, f, buffer,
190  }
191 
192  (*local_id)++;
193  if (section == DNS_RESPONSE_QUERY) {
194  /* no rdata to inspect for query section, move on to next record */
195  response_id++;
196  continue;
197  }
198 
199  /* do inspection for resource record "rdata" */
200  cbdata.local_id = *local_id;
201  buffer = GetBuffer(det_ctx, flags, transforms, txv, &cbdata, engine->sm_list, true);
202  if (buffer == NULL || buffer->inspect == NULL) {
203  (*local_id)++;
204  response_id++;
205  continue;
206  }
207 
208  if (DetectEngineContentInspectionBuffer(de_ctx, det_ctx, s, engine->smd, NULL, f, buffer,
211  }
212  (*local_id)++;
213  response_id++;
214  }
216 }
217 
218 static inline void CheckSectionRecordsPrefilter(DetectEngineThreadCtx *det_ctx, const void *pectx,
219  void *txv, const uint8_t flags, uint32_t *local_id, enum DnsResponseSection section)
220 {
221  const PrefilterMpm *ctx = (const PrefilterMpm *)pectx;
222  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
223  const int list_id = ctx->list_id;
224  uint32_t response_id = 0;
225 
226  while (1) {
227  struct DnsResponseGetDataArgs cbdata = { section, response_id, *local_id };
228 
229  /* extract resource record "name" */
230  InspectionBuffer *buffer =
231  GetBuffer(det_ctx, flags, ctx->transforms, txv, &cbdata, list_id, false);
232  if (buffer == NULL) {
233  (*local_id)++;
234  break;
235  }
236 
237  if (buffer->inspect_len >= mpm_ctx->minlen) {
238  (void)mpm_table[mpm_ctx->mpm_type].Search(
239  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
240  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
241  }
242 
243  (*local_id)++;
244  if (section == DNS_RESPONSE_QUERY) {
245  /* no rdata to inspect for query section, move on to next name entry */
246  response_id++;
247  continue;
248  }
249 
250  /* extract resource record "rdata" */
251  cbdata.local_id = *local_id;
252  buffer = GetBuffer(det_ctx, flags, ctx->transforms, txv, &cbdata, list_id, true);
253  if (buffer == NULL) {
254  (*local_id)++;
255  response_id++;
256  continue;
257  }
258 
259  if (buffer->inspect_len >= mpm_ctx->minlen) {
260  (void)mpm_table[mpm_ctx->mpm_type].Search(
261  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
262  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
263  }
264  (*local_id)++;
265  response_id++;
266  }
267 }
268 
269 static uint8_t DetectEngineInspectCb(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
270  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
271  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
272 {
273  const DetectEngineTransforms *transforms = NULL;
274  if (!engine->mpm) {
275  transforms = engine->v2.transforms;
276  }
277 
278  uint32_t local_id = 0;
279  uint8_t ret_match = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
280 
281  /* loop through each possible DNS response section */
282  for (enum DnsResponseSection section = DNS_RESPONSE_QUERY;
283  section < DNS_RESPONSE_MAX && ret_match == DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
284  section++) {
285 
286  /* check each record in section inspecting "name" and "rdata" */
287  ret_match = CheckSectionRecords(
288  de_ctx, det_ctx, engine, s, f, flags, txv, transforms, &local_id, section);
289  }
290  return ret_match;
291 }
292 
293 static void DetectDnsResponsePrefilterTx(DetectEngineThreadCtx *det_ctx, const void *pectx,
294  Packet *p, Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd,
295  const uint8_t flags)
296 {
297  SCEnter();
298 
299  uint32_t local_id = 0;
300  /* loop through each possible DNS response section */
301  for (enum DnsResponseSection section = DNS_RESPONSE_QUERY; section < DNS_RESPONSE_MAX;
302  section++) {
303  /* check each record in section inspecting "name" and "rdata" */
304  CheckSectionRecordsPrefilter(det_ctx, pectx, txv, flags, &local_id, section);
305  }
306 }
307 
308 static void DetectDnsResponsePrefilterMpmFree(void *ptr)
309 {
310  SCFree(ptr);
311 }
312 
313 static int DetectDnsResponsePrefilterMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
314  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
315 {
316  PrefilterMpm *pectx = SCCalloc(1, sizeof(*pectx));
317  if (pectx == NULL) {
318  return -1;
319  }
320  pectx->list_id = list_id;
321  pectx->mpm_ctx = mpm_ctx;
322  pectx->transforms = &mpm_reg->transforms;
323 
324  return PrefilterAppendTxEngine(de_ctx, sgh, DetectDnsResponsePrefilterTx,
325  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress, pectx,
326  DetectDnsResponsePrefilterMpmFree, mpm_reg->pname);
327 }
328 
329 static void SCDetectMdnsResponseRrnameRegister(void)
330 {
331  static const char *keyword = "mdns.response.rrname";
332  int keyword_id = SCDetectHelperNewKeywordId();
333  sigmatch_table[keyword_id].name = keyword;
334  sigmatch_table[keyword_id].desc = "mDNS response rrname buffer";
335  sigmatch_table[keyword_id].url = "/rules/mdns-keywords.html#mdns-response-rrname";
336  sigmatch_table[keyword_id].Setup = MdnsDetectSetup;
337  sigmatch_table[keyword_id].flags |= SIGMATCH_NOOPT;
339 
340  /* Register in the TO_SERVER direction, as all mDNS is toserver. */
342  keyword, ALPROTO_MDNS, SIG_FLAG_TOSERVER, 1, DetectEngineInspectCb, NULL);
343  DetectAppLayerMpmRegister(keyword, SIG_FLAG_TOSERVER, 2, DetectDnsResponsePrefilterMpmRegister,
344  NULL, ALPROTO_MDNS, 1);
345 
346  DetectBufferTypeSetDescriptionByName(keyword, "mdns response rdata");
348 
349  mdns_detect_buffer_id = DetectBufferTypeGetByName(keyword);
350 }
351 
353 {
354  static const char *keyword = "dns.response.rrname";
356  sigmatch_table[DETECT_DNS_RESPONSE].desc = "DNS response sticky buffer";
357  sigmatch_table[DETECT_DNS_RESPONSE].url = "/rules/dns-keywords.html#dns-response-rrname";
361 
362  /* Register in the TO_CLIENT direction. */
364  keyword, ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1, DetectEngineInspectCb, NULL);
365  DetectAppLayerMpmRegister(keyword, SIG_FLAG_TOCLIENT, 2, DetectDnsResponsePrefilterMpmRegister,
366  NULL, ALPROTO_DNS, 1);
367 
368  DetectBufferTypeSetDescriptionByName(keyword, "dns response rrname");
370 
371  detect_buffer_id = DetectBufferTypeGetByName(keyword);
372 
373  SCDetectMdnsResponseRrnameRegister();
374 }
DetectEngineAppInspectionEngine_
Definition: detect.h:417
SigTableElmt_::url
const char * url
Definition: detect.h:1422
DnsResponseGetDataArgs::response_section
enum DnsResponseSection response_section
Definition: detect-dns-response.c:56
DNS_RESPONSE_MAX
@ DNS_RESPONSE_MAX
Definition: detect-dns-response.c:52
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:421
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:95
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1636
SigTableElmt_::desc
const char * desc
Definition: detect.h:1421
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SCDetectHelperNewKeywordId
int SCDetectHelperNewKeywordId(void)
Definition: detect-engine-helper.c:86
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
SigTableElmt_::name
const char * name
Definition: detect.h:1419
InspectionBuffer::initialized
bool initialized
Definition: detect-engine-inspect-buffer.h:38
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1589
DnsResponseGetDataArgs::response_id
uint32_t response_id
Definition: detect-dns-response.c:57
DetectEngineTransforms
Definition: detect.h:392
PrefilterMpm::list_id
int list_id
Definition: detect-dns-response.c:40
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1312
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1413
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:919
DnsResponseSection
DnsResponseSection
Definition: detect-dns-response.c:45
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1206
rust.h
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:751
InspectionBuffer::flags
uint8_t flags
Definition: detect-engine-inspect-buffer.h:39
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@88::@90 app_v2
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2212
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:272
DNS_RESPONSE_AUTHORITY
@ DNS_RESPONSE_AUTHORITY
Definition: detect-dns-response.c:48
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1404
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:764
detect-engine-prefilter.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1256
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:425
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:271
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1211
DnsResponseGetDataArgs
Definition: detect-dns-response.c:55
SCEnter
#define SCEnter(...)
Definition: util-debug.h:272
detect-engine-mpm.h
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
detect-engine-helper.h
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:154
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:104
util-profiling.h
Packet_
Definition: decode.h:492
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@80 v2
DETECT_DNS_RESPONSE
@ DETECT_DNS_RESPONSE
Definition: detect-engine-register.h:246
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:177
DNS_RESPONSE_ANSWER
@ DNS_RESPONSE_ANSWER
Definition: detect-dns-response.c:47
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1308
PrefilterMpm::transforms
const DetectEngineTransforms * transforms
Definition: detect-dns-response.c:42
detect-engine-content-inspection.h
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:440
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1485
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:286
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
flags
uint8_t flags
Definition: decode-gre.h:0
detect-engine-buffer.h
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:352
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
DnsResponseGetDataArgs::local_id
uint32_t local_id
Definition: detect-dns-response.c:58
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect-engine-inspect-buffer.h:37
PrefilterMpm::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-dns-response.c:41
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect-engine-inspect-buffer.h:35
str
#define str(s)
Definition: suricata-common.h:308
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ALPROTO_MDNS
@ ALPROTO_MDNS
Definition: app-layer-protos.h:72
detect-parse.h
Signature_
Signature container.
Definition: detect.h:657
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:437
DNS_RESPONSE_QUERY
@ DNS_RESPONSE_QUERY
Definition: detect-dns-response.c:46
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine-inspect-buffer.c:144
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1611
detect-dns-response.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:249
DetectEngineContentInspectionBuffer
bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:757
PrefilterMpm
struct PrefilterMpm PrefilterMpm
DetectDnsResponseRegister
void DetectDnsResponseRegister(void)
Definition: detect-dns-response.c:352
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1353
MpmCtx_
Definition: util-mpm.h:93
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterMpm
Definition: detect-dns-response.c:39
DNS_RESPONSE_ADDITIONAL
@ DNS_RESPONSE_ADDITIONAL
Definition: detect-dns-response.c:49
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:157
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine-inspect-buffer.c:76
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:753