[Oisf-devel] RFC: DNS app layer and logging (WIP)
Victor Julien
victor at inliniac.net
Thu Apr 4 11:46:28 UTC 2013
Funded by Emerging Threats, I've been working on DNS app layer parsing.
It's work in progress. Have a look at:
https://github.com/inliniac/suricata/tree/dev-dns-parser
It adds 2 app layer parsers: "dnsudp" and "dnstcp". It also adds a DNS
logging module.
Some noteworthy things:
- both only have a probing parser as I was unable to identify any fixed
strings to recognize the protocol on
- only port 53 is currently inspected
Some hacks/doubts:
- the logging output is quite verbose as each record (NS, A, SOA, etc)
is printed on a separate line
- to support "alert dns" I had to hard code some mappings between dns
and dnsudp/dnstcp [1], need a better solution that we can also apply to
DCERPC
- it seems that when we only use a probing parser, we're not registering
the protocol name [2]
- if we're alerting in UDP app layer, some output modules get confused
as StreamSegmentForEach is called, but that's meant for TCP. Hacked
around it, but need a better solution. Affected are unified2 and prelude
at least.
- app layer events won't work correctly with UDP it seems. They alert,
but then keep on alerting in consecutive packets. Need to look into it.
- memory management is suboptimal, allocs are being done on a per
record basis and for TCP we alloc a 64k buffer to "reassemble" the full
record before parsing. Probably need pools here.
So... work in progress, but comments are welcome. Also in github
per-line review style.
Cheers,
Victor
1:
https://github.com/inliniac/suricata/commit/2618acdae532d6e65f7cd6c5b5f919eab209a48b#L3R776
2:
https://github.com/inliniac/suricata/commit/2618acdae532d6e65f7cd6c5b5f919eab209a48b#L1R613
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
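A minimal probing parser in the spirit of the approach described above, added here as an illustration and not code from the dev-dns-parser branch or from Suricata: since DNS has no fixed byte string to match on, the probe accepts a payload only if the header fields and the question section are well-formed, and for TCP it requires the 2-byte length prefix and the complete record before probing, which is the "reassemble the full record before parsing" step mentioned in the mail. The function names and the sample query are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Walk one question entry (NAME, QTYPE, QCLASS) at *off; 1 if well-formed. */
static int dns_walk_question(const uint8_t *buf, size_t len, size_t *off)
{
    size_t name_len = 0;
    for (;;) {
        if (*off >= len) return 0;
        uint8_t l = buf[(*off)++];
        if (l == 0) break;                  /* root label ends the name */
        if (l > 63) return 0;               /* RFC 1035: label <= 63 bytes */
        name_len += l + 1;
        if (name_len > 255) return 0;       /* RFC 1035: name <= 255 bytes */
        *off += l;
    }
    if (*off + 4 > len) return 0;           /* QTYPE + QCLASS must fit */
    *off += 4;
    return 1;
}

/* UDP probe: 1 if buf plausibly holds a DNS message, else 0. */
int dns_probe_udp(const uint8_t *buf, size_t len)
{
    if (len < 12) return 0;                 /* fixed 12-byte header */
    uint16_t flags   = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    uint8_t opcode = (flags >> 11) & 0x0F;
    /* reject unassigned opcodes and messages without a question/zone entry */
    if (qdcount == 0 || opcode == 3 || opcode > 5) return 0;
    if (flags & 0x0040) return 0;           /* reserved Z bit must be zero */
    size_t off = 12;
    for (uint16_t i = 0; i < qdcount; i++)
        if (!dns_walk_question(buf, len, &off)) return 0;
    return 1;
}

/* TCP probe: messages carry a 2-byte big-endian length prefix. Returns the
 * prefixed length once the full record is buffered and probes as DNS, else 0. */
size_t dns_probe_tcp(const uint8_t *buf, size_t len)
{
    if (len < 2) return 0;
    size_t msglen = (size_t)((buf[0] << 8) | buf[1]);
    if (msglen < 12 || len - 2 < msglen) return 0;   /* incomplete record */
    return dns_probe_udp(buf + 2, msglen) ? msglen : 0;
}

/* Constructed sample: standard query for example.com, type A, class IN. */
const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01 };
```

A real probe would also be run on the response direction and on the first bytes of a TCP stream, where it has to tolerate a record that is not yet fully buffered.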