[Oisf-devel] RFC: DNS app layer and logging (WIP)

Anoop Saldanha anoopsaldanha at gmail.com
Sat Jun 29 05:11:45 UTC 2013


On Fri, Jun 28, 2013 at 8:23 PM, Victor Julien <victor at inliniac.net> wrote:
> On 06/28/2013 11:21 AM, Anoop Saldanha wrote:
>> On Fri, Jun 28, 2013 at 2:41 PM, Victor Julien <victor at inliniac.net> wrote:
>>> On 06/28/2013 11:08 AM, Peter Manev wrote:
>>>> On Fri, Jun 28, 2013 at 11:01 AM, Victor Julien <victor at inliniac.net> wrote:
>>>>> On 05/02/2013 05:40 PM, Peter Manev wrote:
>>>>>>>> Updated branch:
>>>>>>>> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.4
>>>>>>>>
>>>>>>>> https://github.com/inliniac/suricata/commit/3722631091883f7396a88cbdb8ef72dbaac164ff
>>>>>>>> adds the core engine support for TX based decoder events.
>>>>>>>>
>>>>>>>
>>>>>>> As a suggestion it would be better if we pushed dns out once we get
>>>>>>> the tx fix work in.  Mainly for 2 reasons -
>>>>>>>
>>>>>>> 1. Much easier to rebase dns work over tx work, than the other way round.
>>>>>>> 2. You can fine tune the dns parser + detection, keeping in mind the tx design.
>>>>>>>
>>>>>> Sounds reasonable to me.
>>>>>> When do you gentlemen think (in general) that we could push out a
>>>>>> stable dns parser ?
>>>>>
>>>>> The DNS parser and logger have now been pushed into master.
>>>>>
>>>>
>>>> cool.
>>>> I am going to deploy that (play around with it) over the weekend on
>>>> our test box.
>>>> @Victor - "alert dns any any ...." are there any other keywords available?
>>>
>>> From earlier post:
>>>
>>> "Added a detection engine and keyword:
>>>
>>> - content modifier "dns_query" that matches on the DNS query name
>>> - added /F pcre option to match on the same"
>>>
>>> That's it for now. Adding more will not be hard.
>>>
>>
>> Maybe it would have been nicer to go down the sticky buffer route.
>>
>
> Good point. I've done that in this branch.

Nice thing, moving to a sticky buffer.

> It refactors rule setup,
> getting rid of the s->init_flags for file_data and dce_stub_data.
> Instead it uses an int s->list. If it's set to DETECT_SM_LIST_NOTSET
> everything is normal. If it is set to a list (DETECT_SM_LIST_HSBD_MATCH,
> DETECT_SM_LIST_DMATCH) this var is just used directly to handle the setup.
>
> The 2nd commit moves over the dns_query keyword.
>
> https://github.com/inliniac/suricata/tree/dev-detect-sticky
>
> Looking forward to your comments.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------