[Oisf-devel] RFC: DNS app layer and logging (WIP)

Anoop Saldanha anoopsaldanha at gmail.com
Fri Jun 28 09:21:28 UTC 2013


On Fri, Jun 28, 2013 at 2:41 PM, Victor Julien <victor at inliniac.net> wrote:
> On 06/28/2013 11:08 AM, Peter Manev wrote:
>> On Fri, Jun 28, 2013 at 11:01 AM, Victor Julien <victor at inliniac.net> wrote:
>>> On 05/02/2013 05:40 PM, Peter Manev wrote:
>>>>>> Updated branch:
>>>>>> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.4
>>>>>>
>>>>>> https://github.com/inliniac/suricata/commit/3722631091883f7396a88cbdb8ef72dbaac164ff
>>>>>> adds the core engine support for TX based decoder events.
>>>>>>
>>>>>
>>>>> As a suggestion it would be better if we pushed dns out once we get
>>>>> the tx fix work in.  Mainly for 2 reasons -
>>>>>
>>>>> 1. Much easier to rebase dns work over tx work, than the other way round.
>>>>> 2. You can fine tune the dns parser + detection, keeping in mind the tx design.
>>>>>
>>>> Sounds reasonable to me.
>>>> When do you gentlemen think (in general) that we could push out a
>>>> stable dns parser?
>>>
>>> The DNS parser and logger have now been pushed into master.
>>>
>>
>> cool.
>> I am going to deploy that (play around with it) over the weekend on
>> our test box.
>> @Victor - "alert dns any any ...." are there any other keywords available?
>
> From earlier post:
>
> "Added a detection engine and keyword:
>
> - content modifier "dns_query" that matches on the DNS query name
> - added /F pcre option to match on the same"
>
> That's it for now. Adding more will not be hard.
>

Maybe it would have been nicer to go down the sticky buffer route.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------


