[Oisf-devel] RFC: DNS app layer and logging (WIP)

Victor Julien victor at inliniac.net
Fri Jun 28 14:53:57 UTC 2013


On 06/28/2013 11:21 AM, Anoop Saldanha wrote:
> On Fri, Jun 28, 2013 at 2:41 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 06/28/2013 11:08 AM, Peter Manev wrote:
>>> On Fri, Jun 28, 2013 at 11:01 AM, Victor Julien <victor at inliniac.net> wrote:
>>>> On 05/02/2013 05:40 PM, Peter Manev wrote:
>>>>>>> Updated branch:
>>>>>>> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.4
>>>>>>>
>>>>>>> https://github.com/inliniac/suricata/commit/3722631091883f7396a88cbdb8ef72dbaac164ff
>>>>>>> adds the core engine support for TX based decoder events.
>>>>>>>
>>>>>>
>>>>>> As a suggestion it would be better if we pushed dns out once we get
>>>>>> the tx fix work in.  Mainly for 2 reasons -
>>>>>>
>>>>>> 1. Much easier to rebase dns work over tx work, than the other way round.
>>>>>> 2. You can fine tune the dns parser + detection, keeping in mind the tx design.
>>>>>>
>>>>> Sounds reasonable to me.
>>>>> When do you gentlemen think (in general) that we could push out a
>>>>> stable dns parser ?
>>>>
>>>> The DNS parser and logger have now been pushed into master.
>>>>
>>>
>>> cool.
>>> I am going to deploy that (play around with it) over the weekend on
>>> our test box.
>>> @Victor - "alert dns any any ...." are there any other keywords available?
>>
>> From earlier post:
>>
>> "Added a detection engine and keyword:
>>
>> - content modifier "dns_query" that matches on the DNS query name
>> - added /F pcre option to match on the same"
>>
>> That's it for now. Adding more will not be hard.
>>
> 
> Maybe it would have been nicer to go down the sticky buffer route.
> 

Good point. I've done that in this branch. It refactors rule setup,
getting rid of the s->init_flags for file_data and dce_stub_data.
Instead it uses an int s->list. If it's set to DETECT_SM_LIST_NOTSET
everything is normal. If it is set to a list (DETECT_SM_LIST_HSBD_MATCH,
DETECT_SM_LIST_DMATCH) this var is just used directly to handle the setup.

The 2nd commit moves over the dns_query keyword.

https://github.com/inliniac/suricata/tree/dev-detect-sticky

Looking forward to your comments.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
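To make concrete what the thread means by "matches on the DNS query name", here is a small model of the dns_query buffer, added as an example; it is not Suricata code and not from the dev-detect-sticky branch. It extracts the QNAME of every question from a DNS message (following RFC 1035 compression pointers, with a hop limit so a pointer loop fails instead of spinning) and then applies a rule's content and pcre options to that buffer, the way a sticky-buffer rule such as `alert dns any any -> any any (msg:"query for example.com"; dns_query; content:"example.com"; nocase; sid:1000001; rev:1;)` would. The earlier content-modifier form put the keyword after the content (`content:"example.com"; nocase; dns_query;`); the buffer matched is the same. The DNS messages, the sid, and the `rule_matches` helper and its keyword arguments are constructed for this example; the pcre handling is a simplification of Suricata's own per-buffer pcre semantics.

```python
"""Toy model of Suricata's dns_query buffer (added example, not Suricata code).

Extracts the query name(s) from a DNS wire message and matches a rule's
content / pcre options against them, as a dns_query sticky buffer would.
"""
import re
import struct

# Constructed sample: one standard query for www.example.com, type A, class IN.
SAMPLE_QUERY = (
    b"\x12\x34"                      # transaction ID
    b"\x01\x00"                      # flags: standard query, recursion desired
    b"\x00\x01"                      # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"      # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x03www\x07example\x03com\x00"  # QNAME
    b"\x00\x01"                      # QTYPE = A
    b"\x00\x01"                      # QCLASS = IN
)

# Constructed sample with two questions; the second QNAME uses a compression
# pointer (0xC010) back to "example.com" at offset 16 of the first one.
SAMPLE_TWO_QUESTIONS = (
    b"\x12\x35\x01\x00\x00\x02\x00\x00\x00\x00\x00\x00"
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    b"\x04mail\xc0\x10\x00\x01\x00\x01"
)


def read_name(msg, offset):
    """Return (name, offset_after_name) for the DNS name starting at offset.

    Follows compression pointers (RFC 1035 4.1.4) but bounds the number of
    hops, so a pointer loop raises ValueError rather than hanging the parser.
    """
    labels = []
    end = None       # position just past the name in the original byte stream
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:                               # root label ends the name
            if end is None:
                end = offset
            return b".".join(labels), end
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length])
        offset += length


def dns_query_names(msg):
    """Return the QNAME of every question in the message: the dns_query buffer."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    offset = 12
    names = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        offset += 4                                   # skip QTYPE and QCLASS
        names.append(name)
    return names


def content_match(buf, pattern, nocase=False):
    """Emulate content:"..."; with optional nocase; on a single buffer."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def rule_matches(msg, content, nocase=False, pcre=None):
    """Emulate: dns_query; content:"<content>"; [nocase;] [pcre:"/<pcre>/";]

    Every question name is a separate instance of the buffer; the rule fires
    if all options match on at least one of them.
    """
    for name in dns_query_names(msg):
        if not content_match(name, content, nocase):
            continue
        if pcre is not None and not re.search(pcre, name):
            continue
        return True
    return False


if __name__ == "__main__":
    print(dns_query_names(SAMPLE_TWO_QUESTIONS))
    print(rule_matches(SAMPLE_QUERY, b"EXAMPLE.COM", nocase=True))
```

Running it prints the two extracted names and `True` for the nocase match; the same content without `nocase` does not match, and a pcre anchored on `^mail\.` only fires on the two-question message. The hop limit in `read_name` is the check a DNS parser in an IDS most needs: a crafted pointer that refers to itself must be rejected, not followed.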
