[Oisf-devel] RFC: DNS app layer and logging (WIP)

Anoop Saldanha anoopsaldanha at gmail.com
Thu May 2 11:27:43 UTC 2013


On Thu, May 2, 2013 at 3:33 PM, Victor Julien <victor at inliniac.net> wrote:
> On 04/24/2013 05:33 PM, Anoop Saldanha wrote:
>> On Wed, Apr 24, 2013 at 8:42 PM, Victor Julien <victor at inliniac.net> wrote:
>>> On 04/24/2013 04:59 PM, Anoop Saldanha wrote:
>>>> On Wed, Apr 24, 2013 at 7:30 PM, Victor Julien <victor at inliniac.net> wrote:
>>>>> Updated version:
>>>>> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.3
>>>>>
>>>>> On 04/23/2013 06:03 PM, Victor Julien wrote:
>>>>>>>> - app layer events won't work correctly with UDP it seems. They alert,
>>>>>>>> but then keep on alerting in consecutive packets. Need to look into it.
>>>>>
>>>>> I added a fix for this, but we need to consider if this is right. The
>>>>> commit is here:
>>>>> https://github.com/inliniac/suricata/commit/cce88fade28f6bcf0c24e52be5db85ac929fcdfc
>>>>>
>>>>> It simply resets the app layer events once we switch to a new TX to inspect.
>>>>>
>>>>> Again, comments, review, etc welcome.
>>>>>
>>>>
>>>> It will work, but it's not right from where I see.  Events should be per tx.
>>>>
>>>
>>> Yeah, so we actually would need both. One per flow, for non-tx aware
>>> protocols and for events that are not TX related.
>>>
>>> And then the per TX one.
>>>
>>> Similar to how we now have a callback for getting the "files" from a
>>> alstate, we can probably also do a callback for events.
>>>
>>>     FileContainer *(*StateGetFiles)(void *, uint8_t);
>>>
>>> E.g.
>>>
>>>     AppLayerDecoderEvents *(StateGetEvents)(void *alstate, int tx_id);
>>>
>>> Make sense?
>>>
>>
>> Yeah.
>>
>
> Updated branch:
> https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.4
>
> https://github.com/inliniac/suricata/commit/3722631091883f7396a88cbdb8ef72dbaac164ff
> adds the core engine support for TX based decoder events.
>

As a suggestion it would be better if we pushed dns out once we get
the tx fix work in.  Mainly for 2 reasons -

1. Much easier to rebase dns work over tx work, than the other way round.
2. You can fine tune the dns parser + detection, keeping in mind the tx design.



-- 
Anoop Saldanha