[Oisf-devel] RFC: DNS app layer and logging (WIP)
Victor Julien
victor at inliniac.net
Mon Apr 22 09:49:30 UTC 2013
Updated version:
https://github.com/inliniac/suricata/tree/dev-dns-parser-v1.1
On 04/04/2013 01:46 PM, Victor Julien wrote:
> Funded by Emerging Threats, I've been working on DNS app layer parsing.
> It's work in progress. Have a look at:
> https://github.com/inliniac/suricata/tree/dev-dns-parser
>
> It adds 2 app layer parsers: "dnsudp" and "dnstcp". It also adds a DNS
> logging module.
>
>
> Some noteworthy things:
>
> - both only have a probing parser as I was unable to identify any fixed
> strings to recognize the protocol on
>
> - only port 53 is currently inspected
>
>
> Some hacks/doubts:
>
> - the logging output is quite verbose as each record (NS, A, SOA, etc)
> is printed on a separate line
>
> - to support "alert dns" I had to hard code some mappings between dns
> and dnsudp/dnstcp [1], need a better solution that we can also apply to
> DCERPC
>
> - it seems that when we only use a probing parser, we're not registering
> the protocol name [2]
>
> - if we're alerting in UDP app layer, some output modules get confused
> as StreamSegmentForEach is called, but that's meant for TCP. Hacked
> around it, but need a better solution. Affected are unified2 and prelude
> at least.
Fixed this in master.
> - app layer events won't work correctly with UDP it seems. They alert,
> but then keep on alerting in consecutive packets. Need to look into it.
>
> - memory management is suboptimal, allocs are being done on a per
> record basis and for TCP we alloc a 64k buffer to "reassemble" the full
> record before parsing. Probably need pools here.
>
>
> So... work in progress, but comments are welcome. Also in github
> per-line review style.
Added a detection engine and keyword:
- content modifier "dns_query" that matches on the DNS query name
- added /F pcre option to match on the same
MPM/fast_pattern support still missing at this point.
Again, comments, review, etc welcome.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
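As an added illustration of the two pieces discussed in this thread (a probing parser that has no fixed string to key on, and extraction of the query name that a "dns_query" style keyword would match against), here is a small stand-alone C sketch. It is not code from the dev-dns-parser branch or from Suricata; the function names (dns_udp_probe, dns_tcp_probe, dns_get_query, dns_parse_qname) and the sample packets are my own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DNS_HDR_LEN 12

/* Copy the question name at 'off' into 'out' as a dotted string.
 * Returns the offset just past the terminating zero label, or 0 if the
 * name is malformed. Labels with the two high bits set (compression
 * pointers, or lengths above 63) are not valid in the question section. */
size_t dns_parse_qname(const uint8_t *buf, size_t len, size_t off,
                       char *out, size_t outlen)
{
    size_t o = 0;
    while (off < len) {
        uint8_t l = buf[off++];
        if (l == 0) {                 /* root label terminates the name */
            out[o] = '\0';
            return off;
        }
        if (l & 0xC0)                 /* pointer or oversized label */
            return 0;
        if (off + l > len || o + l + 2 > outlen)  /* room for '.', label, NUL */
            return 0;
        if (o)
            out[o++] = '.';
        memcpy(out + o, buf + off, l);
        o += l;
        off += l;
    }
    return 0;                         /* ran out of data before the root label */
}

/* Structural probe for a UDP DNS payload. There is no magic string, so
 * check fields a real message cannot violate: header present, known
 * opcode, reserved Z bit clear, a query carries a question, and the first
 * question (name + QTYPE + QCLASS) fits in the buffer. */
int dns_udp_probe(const uint8_t *buf, size_t len)
{
    if (len < DNS_HDR_LEN)
        return 0;
    uint16_t flags   = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    int qr     = (flags >> 15) & 1;
    int opcode = (flags >> 11) & 0xF;
    if (opcode == 3 || opcode > 5)   /* QUERY, IQUERY, STATUS, NOTIFY, UPDATE */
        return 0;
    if (flags & 0x0040)              /* Z bit must be zero */
        return 0;
    if (!qr && qdcount == 0)         /* a query with no question is bogus */
        return 0;
    if (qdcount > 0) {
        char name[256];
        size_t off = dns_parse_qname(buf, len, DNS_HDR_LEN, name, sizeof name);
        if (off == 0 || off + 4 > len)
            return 0;
    }
    return 1;
}

/* TCP carries the same message behind a 2-byte big-endian length prefix.
 * This version only accepts a fully buffered record (the "reassemble then
 * parse" approach mentioned in the thread). */
int dns_tcp_probe(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return 0;
    size_t plen = (size_t)((buf[0] << 8) | buf[1]);
    if (plen < DNS_HDR_LEN || len < 2 + plen)
        return 0;
    return dns_udp_probe(buf + 2, plen);
}

/* Extract the first question name, i.e. the buffer a dns_query-style
 * content modifier would inspect. Returns 1 on success. */
int dns_get_query(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (!dns_udp_probe(buf, len))
        return 0;
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    if (qdcount == 0)
        return 0;
    return dns_parse_qname(buf, len, DNS_HDR_LEN, out, outlen) != 0;
}

/* Constructed sample: a standard query for www.example.com, type A, class IN. */
const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Constructed sample: the same message as it appears in a TCP stream. */
const uint8_t sample_tcp_query[] = {
    0x00, 0x21,
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};
```

The point of the structural checks is the one raised in the first mail: with no fixed string, the probe has to reject non-DNS traffic on port 53 by validating what it does know (opcode range, the reserved bit, a parseable first question) rather than accepting anything with 12 bytes of header, and the TCP variant has to deal with the length prefix before it sees the same message.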